Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Andrey Jivsov <crypto@brainhub.org> Thu, 03 April 2014 17:36 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 189C61A024E for <tls@ietfa.amsl.com>; Thu, 3 Apr 2014 10:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_75=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-8e4Yyv3YVC for <tls@ietfa.amsl.com>; Thu, 3 Apr 2014 10:36:26 -0700 (PDT)
Received: from qmta01.emeryville.ca.mail.comcast.net (qmta01.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:16]) by ietfa.amsl.com (Postfix) with ESMTP id 3D4BE1A0245 for <tls@ietf.org>; Thu, 3 Apr 2014 10:36:26 -0700 (PDT)
Received: from omta03.emeryville.ca.mail.comcast.net ([76.96.30.27]) by qmta01.emeryville.ca.mail.comcast.net with comcast id lQsf1n0040b6N64A1VcNYm; Thu, 03 Apr 2014 17:36:22 +0000
Received: from [127.0.0.1] ([71.202.164.227]) by omta03.emeryville.ca.mail.comcast.net with comcast id lVcD1n00J4uhcbK8PVcLwa; Thu, 03 Apr 2014 17:36:21 +0000
Message-ID: <533D9BEA.9030907@brainhub.org>
Date: Thu, 03 Apr 2014 10:35:38 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <20140402164340.GA14790@roeckx.be> <533C554A.7080607@akr.io> <533CF9C5.7030107@brainhub.org> <533D2207.807@polarssl.org> <CACsn0cmevdjDv0TgS3mczcxpeSz=1cbc3Wp_d--VeXqvPgitww@mail.gmail.com>
In-Reply-To: <CACsn0cmevdjDv0TgS3mczcxpeSz=1cbc3Wp_d--VeXqvPgitww@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060504050604010202080701"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1396546582; bh=OKIFvdF1TA6+xec4kwkOeVVk3GAywn32BLUmAA4tTZU=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=muVn33FOPa9aq18Xr0Zp8iQYoKeaTxLeabT4US+tgOENwI7TTLGpXe9s/TXg2Xjvx x4N0Fbp8LfGDJ2w6fLuG/ZTlrSkVTVYkNlJh1QKU7va6DuvzDiFXF5f8onKtdUYCUF wzQxW6Sjn1mNTGeJMd4SPQjQWXsiaWhCIA9mM3BRPSlywdXd4NsdCYapSuffW+dlAd nScDDati5W0ek0Ck23+Ab7zfj+3GkyXi2u+Rgw7BANg7D46ypD88EbDZYbQNT4eYiz C+bwmYa53lXPJ6cq/5hg0r7niF1F9wVdokqqfErt2MPufGJdR7FR+rL83BaRBWRHK3 j91y+Z22zVPSg==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/dCduf5JuM_2EbCc6rMq-kktFUNI
Cc: Manuel Pégourié -Gonnard <mpg@polarssl.org>
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 17:36:30 -0000
On 04/03/2014 09:52 AM, Watson Ladd wrote: > On Thu, Apr 3, 2014 at 1:55 AM, Manuel Pégourié-Gonnard > <mpg@polarssl.org> wrote: >> On 03/04/2014 08:03, Andrey Jivsov wrote: >>> The ECPoint is defined as follows, >>> >>> struct { >>> opaque point <1..2^8-1>; >>> } ECPoint; >>> >>> Is the format on the wire per section 2.3 >>> 33 32 xx xx xx ... xx >>> or, suggested, >>> 65 64 xx xx xx ... xx yy yy yy ... yy ? >>> >>> Or I am reading it incorrectly and the extra byte mentioned in the draft >>> is actully a part of standard TLS encoding of the length byte? >>> >> The intention of the current draft is that the wire format be >> >> 32 xx xx ... xx >> >> So the "additional length byte" is indeed just the one from the TLS encoding. >> >> In the next iteration of the draft, it might change to >> >> 33 tt xx xx .. xx >> >> Where tt would be an "encoding type" which would allow for future extensions >> like transmitting y too, or a bit of y, or (parts of) other representation (eg >> Edwards coordinates). > I don't think this is a good idea. At the time when one side sees the > point it is too late to negotiate. So points with different encodings > should be indicated as different in the Client Hello message to enable > negotiation of which one to send. Furthermore, I don't see benefit to > the potential extensions yet for pure DH. I second this. > Also, do we really need a length prefix on a string that is always 32 > bytes long? I get that the TLS encoding provides that, but length > prefix formats are a can of worms: what should happen when 33 0 or 32 > 32 xx .. are encountered? > I assume you are commenting on the case with tt present. Certainly, there will need to be consistency checks with such a tt. My reply regarding the current draft with clarification from Manuel follows: RFC 5246 is listed as a normative reference. As such, it defines the the encoding for the opaque something <1..2^8-1> The reader is expected to know that "something" is encoded with an additional byte for the length. Thus, I find the item (2) in sec. 2.3 confusing (IMHO more confusing than helpful). > Note that ECPoint.point differs from the definition of public keys in > [Curve25519 <http://tools.ietf.org/html/draft-josefsson-tls-curve25519-04#ref-Curve25519>] in two ways: (1) the byte-ordering is big-endian, wich > is more uniform with how big integers are represented in TLS, and (2) > there is an additional length byte (so ECpoint.point is actually 33 > bytes), again for uniformity (and extensibility). Would the following be clearer: > Unlike the definition of public keys specified in [Curve25519], > ECPoint.point uses big-endian byte ordering. As defined in [RFC5246], > the ECPoint.point is serialized with one-byte block size. The payload must be 32 > bytes, even when one or more leading bytes are zeros. ...
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard