Re: [TLS] Should we require compressed points

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 21 October 2014 16:01 UTC

Date: Tue, 21 Oct 2014 19:01:48 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141021160148.GA27810@LK-Perkele-VII>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <2108842737.16216761.1413903671102.JavaMail.zimbra@redhat.com> <CABcZeBPEPs2cJDoty9tkgLJyFQNeeF6vwfnCfqRULLhuB6u3qg@mail.gmail.com>
In-Reply-To: <CABcZeBPEPs2cJDoty9tkgLJyFQNeeF6vwfnCfqRULLhuB6u3qg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bQ46cNsbN9MrKXs5e5VHXBomTcw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should we require compressed points

On Tue, Oct 21, 2014 at 05:03:27PM +0200, Eric Rescorla wrote:
> On Tue, Oct 21, 2014 at 5:01 PM, Hubert Kario <hkario@redhat.com> wrote:
> >
> > How does that impact possibility of adding more "exotic" curves like
> > curve25519/Ed25519
> > in some later point in time?
> >
> 
> Hubert, thanks for your email.
> 
> I don't think it should impact it at all because you still have to
> advertise the curves you
> support. My assumption is that advertising curve X would be the same as
> advertising
> that you could support its defined point format(s).

I would just lock the point format per curve for non-X9.63-compatible
stuff, at least for DH. That is, use curve-defined wire encoding,
regardless of what the point formats extension says.

Also, there is another issue with non-X9.63-compatible stuff:
Encoding of the premaster secret. Proposal: Use usual wire encoding.

Disadvantage of this is that TLS 1.2- compatibility would require
contradicting RFC 4492 (but specs contradicting base specs is not
unheard of) in order to ignore point formats and pms encoding.


Now with this, one could just stuff raw 32-byte curve25519 public
key into *KeyShare packet (with no prefix) and use the raw shared
secret as premaster secret (also 32 bytes).

And similarly for some XYZ curve that is twice the speed of
curve25519, but has really odd 48-byte point format.


-Ilari
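An added example, not from Ilari's mail or any TLS implementation, of the scheme proposed above: a pure-Python X25519 (the RFC 7748 section 5 ladder) behind a raw 32-byte key share and a raw 32-byte premaster secret, exercised with the RFC 7748 section 6.1 key pairs. Function names are assumptions, and the all-zero shared-secret check is RFC 7748's recommendation rather than something the mail proposes.

```python
# Added example (not from the thread): pure-Python X25519 per RFC 7748 and the raw, curve-defined wire encoding proposed in the mail; names are assumptions.
P = 2**255 - 19                          # curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, little-endian, no prefix byte


def _clamp(k: bytes) -> int:
    # Scalar decoding per RFC 7748 section 5: clear the low 3 bits, clear bit 255, set bit 254.
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    # Montgomery ladder from RFC 7748 section 5; returns the raw little-endian u-coordinate.
    sk = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (sk >> t) & 1
        if swap ^ kt:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keyshare_curve25519(private_key: bytes) -> bytes:
    # Curve-defined wire encoding: the raw 32-byte public u-coordinate goes straight into
    # the KeyShare, with no X9.63 0x04/0x02/0x03 type byte and no point-formats negotiation.
    return x25519(private_key, BASEPOINT)


def premaster_secret_curve25519(private_key: bytes, peer_keyshare: bytes) -> bytes:
    # Premaster secret is the raw 32-byte shared secret, as proposed in the mail.
    if len(peer_keyshare) != 32:
        raise ValueError("curve25519 key share must be exactly 32 raw bytes")
    pms = x25519(private_key, peer_keyshare)
    if pms == bytes(32):
        # Low-order peer point (e.g. u = 0); RFC 7748 section 6.1 recommends rejecting it.
        raise ValueError("all-zero shared secret: rejecting low-order peer key share")
    return pms
```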