Re: [TLS] Should we require compressed points
Michael StJohns <msj@nthpermutation.com> Sat, 01 November 2014 22:03 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54A751A1B19 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 15:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpM12fCrNVpw for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 15:03:23 -0700 (PDT)
Received: from mail-qa0-f45.google.com (mail-qa0-f45.google.com [209.85.216.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 222DE1A1B1F for <tls@ietf.org>; Sat, 1 Nov 2014 15:03:22 -0700 (PDT)
Received: by mail-qa0-f45.google.com with SMTP id dc16so6702800qab.4 for <tls@ietf.org>; Sat, 01 Nov 2014 15:03:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=0KEb7rVp/Cd4Vp+FH+TW4GkIrb6RixlwBh9kIIec2XY=; b=ZEOtrC6skdrLQFPcsYQ4pRpHa0AS9Z41uDXu1Z4bMgbAvIVgK6a7Kc1/LFKF3VXNP3 FNYr3mDlsiNucFL0fCRZGc9lkCCN6Akh3kjGKsVPkh3L+qTEgXZPArToZPql9THb61lo zlya73f9j2fQx4uubdvcihNXPIYB8sdGJvIu3KGEUB+Y0PkSWJLKUd/nxmzR1zOFj9Ms Mw57nnBkGQJege0jf67Nly7+oR3BgnOt1Bxo+EmuUAeHhegnsWqVXnMC/93OSHb7JbV2 4yi05AYNuj18BwymzU2xo6hgQn94QSF/9Uc+yGoX2penCKwcF0vz/1N5Z+c/ULQBFAXG YZQQ==
X-Gm-Message-State: ALoCoQmZT8dZ76t6m4XoeTF/M7KCOiIjVtnfs8+h5Wm5qHjHQCTylo7UB6z4miK+QoCKklOIWBpc
X-Received: by 10.224.74.135 with SMTP id u7mr31100404qaj.41.1414879402161; Sat, 01 Nov 2014 15:03:22 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:84b1:781c:6435:fe31? ([2601:a:2a00:e7:84b1:781c:6435:fe31]) by mx.google.com with ESMTPSA id g93sm4798148qgg.48.2014.11.01.15.03.21 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Nov 2014 15:03:21 -0700 (PDT)
Message-ID: <545558CE.2040306@nthpermutation.com>
Date: Sat, 01 Nov 2014 18:03:58 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9D6102@uxcn10-5.UoA.auckland.ac.nz> <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com> <544F635D.2000309@polarssl.org> <20141028145223.GQ19158@mournblade.imrryr.org> <544FC339.8010605@polarssl.org> <CABcZeBPctqdSia7tJ5F9s42wAYq5mWL06qjCPUxdWFVL-BSKHw@mail.gmail.com> <20141031183146.GA12592@LK-Perkele-VII> <54551692.2070905@polarssl.org> <54552558.2030209@nthpermutation.com> <545549A8.60008@polarssl.org>
In-Reply-To: <545549A8.60008@polarssl.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/W7re0O4Bii_4zV26Kd47Kk55eqA
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 22:03:25 -0000
On 11/1/2014 4:59 PM, Manuel Pégourié-Gonnard wrote: > On 01/11/2014 19:24, Michael StJohns wrote: >> On 11/1/2014 1:21 PM, Manuel Pégourié-Gonnard wrote: >>> On 31/10/2014 19:31, Ilari Liusvaara wrote: >>>> Note that 8.1.1 does not quite match that beheviour, since it specifes >>>> leading zero octets to be stripped (whereas DHE "element" encoding >>>> doesn't seem to specify if zeroes are stripped or not) >>>> >>> I think it makes sense to accept non-canonical representation of DHE elements as >>> long as it's not ambiguous (be liberal in what you accept), while for the PMS >>> it's necessary to be strict in order to ensure interop. But I wouldn't be oppose >>> to something like "DHE elemens MUST be encoded without leading zeroes, but >>> implementations MAY accept leading zeroes in their encoding". >> Sorry - this won't work. >> >> This (8.1.2) is about taking the derived shared secret and representing >> it as a byte string for input into a key derivation function (the TLS >> PRF for 1.2 basically). >> > Sorry for not being clear: I was referring to the part about representing DHE > elements on the wire, not as part of the PMS. Here we agree the representation > has to be unique (I was trying to say that actually, but I must have missed a > few words). > > Let me try and rephrase: > - for the PMS the RFC needs to specify if the representation is fixed-length or > without leading zeroes. > - for the on-the-wire representation it doesn't matter AFAICS. There are well defined formats for bignums as bignums (e.g. the DH public params): > Note that in some cases (e.g., DH parameters) it is necessary to > represent integers as opaque vectors. In such cases, they are > represented as unsigned integers (i.e., leading zero octets are not > required even if the most significant bit is set). The text is actually subject to some small quibbling - it should be "represented as unsigned big-endian integers" to avoid doubt. So the unique representation for DH stuff is the on-the-wire standard representation of a positive bignum. I don't think there really needs to be any further restriction of the on-the-wire format. > - so I'm not shocked by the fact that the requirement about encoding on-the-wire > and for the PMS are different for ff-dh. > - but I wouldn't mind either if the on-the-wire requirements were aligned to the > stricter requirements that are necessary for the PMS, for the sake of > uniformity/simplicity, as long as implementations are allowed to be liberal > about on-the-wire representation (unless there is a security risk in doing so, > which I don't think there is). The PMS is an octet string key, the DH params are bignums. I wish the TLS "DH shared secret-to-octet string PMS" function would align with the standards and with other common uses, but that boat sailed years ago. I don't think there's any good reason to further restrict the representation (among other things, some bignum libs return the magnitude array without leading zeros, while others return a leading zero array if the high bit of the value is set). The current encoding just lets you drop that value into the wire format. Mike > > Manuel. > >
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns