Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

"Martin Thomson" <mt@lowentropy.net> Wed, 20 February 2019 21:24 UTC

Message-Id: <a823869e-3db7-4c30-a281-52dd7dbcf641@www.fastmail.com>
In-Reply-To: <CAF8qwaBYBG7HTm2rj1msAQFVTYYs=jB2PQcVyNYsr1KknZEuHw@mail.gmail.com>
References: <6fff39d3-649d-867a-db71-b0faa18185a5@brainhub.org> <CAF8qwaCMhfsndABga55gpauX6=WhknNXija=nUU2xr93wYLaQA@mail.gmail.com> <797b3723-3257-1b08-6f78-5752922fb7d3@brainhub.org> <CAF8qwaBYBG7HTm2rj1msAQFVTYYs=jB2PQcVyNYsr1KknZEuHw@mail.gmail.com>
Date: Wed, 20 Feb 2019 16:24:06 -0500
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hgkkGP2dEPBL2T-KlYxZsrTyUko>
Subject: Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

What David said.

We implement 7919, which includes an option to only accept server shares from the 7919 groups.  With that option a simple comparison is used to determine if the group is one from the spec, rejecting all else, but we otherwise just treat the share as normal.  I'm not aware of anyone seriously using it though, so the usual concerns about its use in TLS 1.2 remain.

--Martin

On Wed, Feb 20, 2019, at 11:08, David Benjamin wrote:
> It is some evidence, but the server may have been configured with that 
> group anyway. Regardless, the specification doesn't say anything, so I 
> think the only reasonable interpretation is the existing TLS 1.2 
> mechanism, sadly.
> 
> On Wed, Feb 20, 2019 at 12:48 PM Andrey Jivsov <crypto@brainhub.org> wrote:
> > Why isn't the
> >  
> >  "The server indicates
> >  the choice of group to the client by sending the group's parameters
> >  as usual in the ServerKeyExchange"
> >  https://tools.ietf.org/html/rfc7919#section-4
> >  
> >  evidence that the server supports RFC 7919?
> >  
> >  On 2/20/19 10:29 AM, David Benjamin wrote:
> >  > (We haven't actually implemented RFC 7919 and have no plans to, so I'm
> >  > just going by the document.)
> >  > 
> >  > RFC 7919 doesn't say anything, so I think the only reasonable
> >  > interpretation is to continue with the legacy option for TLS 1.2 and
> >  > below. It's also the only interoperable option given how the document is
> >  > set up. RFC 7919 repurposed the existing DHE scheme with no directly
> >  > visible server differences, so the client cannot tell if it is talking
> >  > to a post-7919 server, or a pre-7919 server that happened to use a
> >  > well-known parameter. That means 7919 cannot change how DHE works. (This
> >  > isn't the only consequence of that decision.
> >  > See https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo.
> >  > DHE in TLS 1.2 is a mess and RFC 7919 failed to repair it.)
> >  > 
> >  > Note all this only applies to TLS 1.2. TLS 1.3 is free to use the more
> >  > sound method and does:
> >  > https://tools.ietf.org/html/rfc8446#section-7.4.1
> >  > 
> >  > On Tue, Feb 19, 2019 at 6:10 PM Andrey Jivsov <crypto@brainhub.org
> >  > <mailto:crypto@brainhub.org>> wrote:
> >  > 
> >  > Greetings.
> >  > 
> >  > It's unclear to me how the shared secret g^xy is calculated for groups
> >  > in https://tools.ietf.org/html/rfc7919 .
> >  > 
> >  > If you recall, TLS 1.1 uses the method in
> >  > https://tools.ietf.org/html/rfc4346#section-8.1.2, causing some
> >  > interoperability problems that are hard to fix.
> >  > 
> >  > RFC 7919 doesn't specify what to do here.
> >  > 
> >  > So, the question is, assuming that ffdhe2048 is negotiated,
> >  > 
> >  > - is g^xy padded to 256 bytes (more sound method) or
> >  > - the leading zero bytes of g^xy must be stripped (legacy method, used
> >  > for historic reasons)?
> >  > 
> >  > Thank you.
> >  > 
> >  > _______________________________________________
> >  > TLS mailing list
> >  > TLS@ietf.org <mailto:TLS@ietf.org>
> >  > https://www.ietf.org/mailman/listinfo/tls
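The two encodings the thread contrasts, written out as an added example (this is not code from the thread or from any of the implementations mentioned): the legacy TLS 1.1/1.2 pre-master secret from RFC 4346 section 8.1.2, where leading zero bytes of g^xy are stripped, beside the TLS 1.3 form from RFC 8446 section 7.4.1, where g^xy is left-padded to the byte length of p. The group used is a constructed toy safe prime so the code runs instantly; it is not an RFC 7919 group, and the ffdhe2048 case in the question is the same code with a 256-byte p. The peer-share checks mirror the range check RFC 7919 section 5.1 requires and the optional subgroup check it allows; the function and variable names are this example's own.

```python
"""Added example (not part of the mailing-list thread): how a finite-field
DH shared secret g^xy becomes bytes under the two conventions discussed.

  * legacy (RFC 4346 section 8.1.2, TLS 1.1/1.2 DHE): leading zero bytes
    are stripped, so the pre-master secret length varies.
  * fixed-length (RFC 8446 section 7.4.1, TLS 1.3): g^xy is left-padded
    with zeros to the byte length of p, so the length is constant.

The group below is a constructed toy safe prime (p = 2q + 1, g = 2); it is
NOT an RFC 7919 group.  Every function takes p as a parameter, so the same
code applies to ffdhe2048, whose p is 256 bytes long.
"""
import secrets

TOY_P = 10079          # constructed toy modulus: 2 * 5039 + 1, both prime
TOY_Q = (TOY_P - 1) // 2
TOY_G = 2              # p = 7 (mod 8), so 2 is a QR and generates the order-q subgroup


def is_small_prime(n: int) -> bool:
    """Trial division; only meant to sanity-check the toy parameters."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def byte_len(p: int) -> int:
    """Bytes needed to hold p (256 for ffdhe2048)."""
    return (p.bit_length() + 7) // 8


def encode_fixed(secret: int, p: int) -> bytes:
    """TLS 1.3 style: big-endian g^xy left-padded with zeros to len(p)."""
    return secret.to_bytes(byte_len(p), "big")


def encode_legacy(secret: int) -> bytes:
    """TLS 1.1/1.2 style: big-endian g^xy with leading zero bytes removed
    (0 is never a valid shared secret, so the result is at least one byte)."""
    return secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")


def share_is_valid(peer_pub: int, p: int, q: int) -> bool:
    """Range check (1 < Y < p-1) plus the subgroup check Y^q == 1 mod p."""
    return 1 < peer_pub < p - 1 and pow(peer_pub, q, p) == 1


def keypair(p: int, g: int, q: int, priv=None):
    """Return (private exponent, public share); priv may be fixed for tests."""
    if priv is None:
        priv = secrets.randbelow(q - 1) + 1
    return priv, pow(g, priv, p)


def shared_secret(peer_pub: int, priv: int, p: int, q: int) -> int:
    """g^xy as an integer, after validating the peer's share."""
    if not share_is_valid(peer_pub, p, q):
        raise ValueError("invalid peer share")
    return pow(peer_pub, priv, p)


def exchange(p: int, g: int, q: int, x=None, y=None):
    """Toy DHE exchange; returns (legacy bytes, fixed-length bytes) of the
    agreed secret.  Both sides compute the same integer, so the only thing
    that can differ between implementations is the encoding step."""
    x, X = keypair(p, g, q, x)
    y, Y = keypair(p, g, q, y)
    z_client = shared_secret(Y, x, p, q)
    z_server = shared_secret(X, y, p, q)
    assert z_client == z_server
    return encode_legacy(z_client), encode_fixed(z_client, p)


def count_short_secrets(p: int) -> int:
    """Number of nonzero residues mod p whose legacy encoding is shorter than
    byte_len(p): exactly those with a zero top byte, i.e. the roughly 1-in-256
    handshakes where the two conventions produce different bytes."""
    return sum(1 for z in range(1, p) if len(encode_legacy(z)) < byte_len(p))


if __name__ == "__main__":
    legacy, fixed = exchange(TOY_P, TOY_G, TOY_Q)
    print("legacy:", legacy.hex(), " fixed:", fixed.hex())
    print("secrets with a zero top byte:", count_short_secrets(TOY_P), "of", TOY_P - 1)
```

The point the question turns on is visible in `count_short_secrets`: with the legacy rule, a fraction of handshakes (about 1/256 for any modulus size) yields a shorter pre-master secret, so two endpoints that pick different rules derive different keys on exactly those handshakes and fail intermittently. The fixed-length rule makes the output length independent of the secret, which removes both that ambiguity and the length-dependent behaviour a defender would rather not have in key derivation.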