Re: [TLS] Should we require compressed points
Manuel Pégourié-Gonnard <mpg@polarssl.org> Sat, 01 November 2014 20:59 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 556E71A1A53 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 13:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.397
X-Spam-Level:
X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3dnRce7ovv2y for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 13:59:23 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C725C1A1A33 for <tls@ietf.org>; Sat, 1 Nov 2014 13:59:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=fIs62YzaxBqKNwwUEuZx6WgzyPJIfbh2e071N8q67HA=; b=C0c6nJH66ooj2RFSQY4EEHoD7BZijGL2owOpK57CIm+ydedBUEdku4k14P5gZxsBqsBCLVMnfprW4yn1urOcwXJkC7sDp/b1E5auH4a8kMzwfpwbhAk8gu4pKvBu19BWf43/d5rh+6mUKmsKUO9VxEkUjrPhpHtSejDA6o1HGKY=;
Received: from mna75-11-88-161-199-191.fbx.proxad.net ([88.161.199.191] helo=[192.168.0.12]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XkflT-0006oh-Ox; Sat, 01 Nov 2014 21:59:16 +0100
Message-ID: <545549A8.60008@polarssl.org>
Date: Sat, 01 Nov 2014 21:59:20 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Michael StJohns <msj@nthpermutation.com>, tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9D6102@uxcn10-5.UoA.auckland.ac.nz> <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com> <544F635D.2000309@polarssl.org> <20141028145223.GQ19158@mournblade.imrryr.org> <544FC339.8010605@polarssl.org> <CABcZeBPctqdSia7tJ5F9s42wAYq5mWL06qjCPUxdWFVL-BSKHw@mail.gmail.com> <20141031183146.GA12592@LK-Perkele-VII> <54551692.2070905@polarssl.org> <54552558.2030209@nthpermutation.com>
In-Reply-To: <54552558.2030209@nthpermutation.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.161.199.191
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/gLNhO-zWGzM6HSdce7WUVBHRxhs
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 20:59:25 -0000
On 01/11/2014 19:24, Michael StJohns wrote: > On 11/1/2014 1:21 PM, Manuel Pégourié-Gonnard wrote: >> On 31/10/2014 19:31, Ilari Liusvaara wrote: >>> Note that 8.1.1 does not quite match that beheviour, since it specifes >>> leading zero octets to be stripped (whereas DHE "element" encoding >>> doesn't seem to specify if zeroes are stripped or not) >>> >> I think it makes sense to accept non-canonical representation of DHE elements as >> long as it's not ambiguous (be liberal in what you accept), while for the PMS >> it's necessary to be strict in order to ensure interop. But I wouldn't be oppose >> to something like "DHE elemens MUST be encoded without leading zeroes, but >> implementations MAY accept leading zeroes in their encoding". > > Sorry - this won't work. > > This (8.1.2) is about taking the derived shared secret and representing > it as a byte string for input into a key derivation function (the TLS > PRF for 1.2 basically). > Sorry for not being clear: I was referring to the part about representing DHE elements on the wire, not as part of the PMS. Here we agree the representation has to be unique (I was trying to say that actually, but I must have missed a few words). Let me try and rephrase: - for the PMS the RFC needs to specify if the representation is fixed-length or without leading zeroes. - for the on-the-wire representation it doesn't matter AFAICS. - so I'm not shocked by the fact that the requirement about encoding on-the-wire and for the PMS are different for ff-dh. - but I wouldn't mind either if the on-the-wire requirements were aligned to the stricter requirements that are necessary for the PMS, for the sake of uniformity/simplicity, as long as implementations are allowed to be liberal about on-the-wire representation (unless there is a security risk in doing so, which I don't think there is). Manuel.
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns