IETF Logo Mail Archive

Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Manuel Pégourié-Gonnard <mpg@polarssl.org> Sun, 12 January 2014 14:47 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A6A11ADED7 for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 06:47:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.394
X-Spam-Level:
X-Spam-Status: No, score=0.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyU_uoFwKkb1 for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 06:47:55 -0800 (PST)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id CA3F41AD8E1 for <tls@ietf.org>; Sun, 12 Jan 2014 06:47:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=S2RP6NmTFtSowtUc2STL+khWqP/JlsCePqtKUy2Iaj8=; b=UE+kw9zKcqsdTOS2vfKQSD96SEMsp34nb33a6m7Q0bZTt+9cEKPd7zE0L9z21QkxAdCUlBrpyOdbpgGB9MOQ/0EPsdGkTACv2lcKfx9qbcv/AVjd+AXsLDxhVG6rWIuj8kn97QUwiMOMAuXekne2GqCWeM+2S/46X5G/l8mQKnA=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.brainspark.nl with esmtpsa (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1W2MDC-0002xJ-RI; Sun, 12 Jan 2014 15:40:27 +0100
Message-ID: <52D2AB07.7010806@polarssl.org>
Date: Sun, 12 Jan 2014 15:47:35 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>, Simon Josefsson <simon@josefsson.org>, tls@ietf.org
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D17F30.1090008@drh-consultancy.co.uk>
In-Reply-To: <52D17F30.1090008@drh-consultancy.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Subject: Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 14:47:56 -0000

On 11/01/2014 18:28, Dr Stephen Henson wrote:
> On 11/01/2014 16:32, Simon Josefsson wrote:
>>
>> 2) Does description of private/public key representation and computation
>>    of shared secret belong in draft-josefsson-tls-curve25519?  It has to
>>    be somewhere, I believ, but possibly this could go into
>>    draft-ladd-safecurves, or some other generic document, unless there
>>    are TLS-specific aspects.  Insight into this would be appreciated.
>>
> 
> A comment on the following paragraph:
> 
>    This document only describes usage of additional curves for ephemeral
>    key exchange (ECDHE), not for use with long-term keys embedded in
>    PKIX certificates (ECDH_ECDSA and ECDH_ECDSA).  This is because
>    Curve25519 is not directly suitable for authentication with ECDSA,
>    and thus not applicable for signing of e.g.  PKIX certificates.  See
>    draft-josefsson-eddsa-ed25519 for a parallel effort.
> 
> Although the curves are not directly suitable for authentication this doesn't
> actually matter because the certificate doesn't have to be signed using the same
> curve or indeed the same algorithm. So it would (for example) permit a
> certificate containing a curve25519 key signed by a CA using a Brainpool curve
> (or even RSA with the relaxed CA signing rules of TLS 1.2). However to do that
> would require a standard for the use of curve25519 in certificates which
> currently doesn't exist.
> 
Agreed. Actually, a previous (unpublished) version of the draft had a more
precise wording about that, but I unfortunately deleted it in the editing
process. Thanks for noticing.

> Having said that the static ECDH ciphersuites are rarely used and don't offer
> forward secrecy.
> 
Right.

> IMHO a discussion of private/public key format should be in a separate document
> which would include an appropriate ASN1.1 format (e.g. PKCS#8 for private keys
> and SubjectPublicKeyInfo for public keys). That would enable the use of
> curve25519 (and other curves) in a wider range of applications, not just TLS.
> 
I don't disagree that such a document would be a useful addition, but since
ECDHE in TLS isn't using ASN.1 to represent the keys, and only needs to
represent public keys, I felt like the easiest way forward was to specify only
what's needed to do ECDHE in TLS, that is how to represent public keys, without
ASN.1.

Manuel.

v2.23.0 | Report a Bug | By Email