Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

Andrey Jivsov <crypto@brainhub.org> Wed, 20 February 2019 18:48 UTC

References: <6fff39d3-649d-867a-db71-b0faa18185a5@brainhub.org> <CAF8qwaCMhfsndABga55gpauX6=WhknNXija=nUU2xr93wYLaQA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
From: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <797b3723-3257-1b08-6f78-5752922fb7d3@brainhub.org>
Date: Wed, 20 Feb 2019 10:48:42 -0800
In-Reply-To: <CAF8qwaCMhfsndABga55gpauX6=WhknNXija=nUU2xr93wYLaQA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hwXvt4G6mAusLOaqPnvx25CDixo>
Subject: Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

Why isn't the

"The server indicates
the choice of group to the client by sending the group's parameters
as usual in the ServerKeyExchange"
https://tools.ietf.org/html/rfc7919#section-4

evidence that the server supports RFC 7919?

On 2/20/19 10:29 AM, David Benjamin wrote:
> (We haven't actually implemented RFC 7919 and have no plans to, so I'm
> just going by the document.)
> 
> RFC 7919 doesn't say anything, so I think the only reasonable
> interpretation is to continue with the legacy option for TLS 1.2 and
> below. It's also the only interoperable option given how the document is
> set up. RFC 7919 repurposed the existing DHE scheme with no directly
> visible server differences, so the client cannot tell if it is talking
> to a post-7919 server, or a pre-7919 server that happened to use a
> well-known parameter. That means 7919 cannot change how DHE works. (This
> isn't the only consequence of that decision.
> See https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo.
> DHE in TLS 1.2 is a mess and RFC 7919 failed to repair it.)
> 
> Note all this only applies to TLS 1.2. TLS 1.3 is free to use the more
> sound method and does:
> https://tools.ietf.org/html/rfc8446#section-7.4.1
> 
> On Tue, Feb 19, 2019 at 6:10 PM Andrey Jivsov <crypto@brainhub.org
> <mailto:crypto@brainhub.org>> wrote:
> 
>     Greetings.
> 
>     It's unclear to me how the shared secret g^xy is calculated for groups
>     in https://tools.ietf.org/html/rfc7919 .
> 
>     If you recall, TLS 1.1 uses this method:
>     https://tools.ietf.org/html/rfc4346#section-8.1.2 , causing some
>     interoperability problems that are hard to fix.
> 
>     RFC 7919 doesn't specify what to do here.
> 
>     So, the question is, assuming that ffdhe2048 is negotiated,
> 
>     - is g^xy padded to 256 bytes (more sound method) or
>     - the leading zero bytes of g^xy must be stripped (legacy method, used
>     for historic reasons)?
> 
>     Thank you.
> 
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>
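As an added illustration, not part of this thread and not code from any TLS implementation, the following Python contrasts the two encodings the question is about: the legacy rule (RFC 4346 section 8.1.2, inherited unchanged by TLS 1.2 in RFC 5246, strip leading all-zero bytes of Z) and the TLS 1.3 rule (RFC 8446 section 7.4.1, pad Z to the byte length of p). The 64-bit prime, generator and private exponents are constructed toy values rather than ffdhe2048; the encoding rule does not depend on the group size, so the same code applies to a 256-byte p. The `mismatch_rate` estimate shows why an implementation that picks the wrong rule fails only about one handshake in 256, which is exactly the kind of interoperability problem that is hard to reproduce.

```python
"""Added example (not from this thread nor from any TLS implementation):
the two ways a finite field DH shared secret Z = g^xy mod p has been
turned into bytes, and why a mismatch between them is rare and hard to
reproduce.

  legacy  (TLS 1.0-1.2, RFC 4346 / RFC 5246 section 8.1.2): big-endian Z,
          leading all-zero bytes stripped.
  padded  (TLS 1.3, RFC 8446 section 7.4.1): big-endian Z, left-padded with
          zeros to the byte length of p.
"""
import hashlib
import random

# Constructed toy group for the demonstration, NOT ffdhe2048.  p is the
# largest 64-bit prime (2^64 - 59); the encoding rule is independent of the
# group size, so a 2048-bit p behaves the same way with 256-byte outputs.
P_TOY = (1 << 64) - 59
G_TOY = 2


def byte_len(p: int) -> int:
    """Number of bytes needed to hold p (256 for ffdhe2048)."""
    return (p.bit_length() + 7) // 8


def legacy_encoding(z: int, p: int) -> bytes:
    """RFC 4346/5246 8.1.2: minimal big-endian encoding, no leading zeros."""
    if not 0 < z < p:
        raise ValueError("shared secret out of range")
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def padded_encoding(z: int, p: int) -> bytes:
    """RFC 8446 7.4.1: big-endian encoding padded to the byte length of p."""
    if not 0 < z < p:
        raise ValueError("shared secret out of range")
    return z.to_bytes(byte_len(p), "big")


def encodings_differ(z: int, p: int) -> bool:
    """True exactly when Z's top byte is zero, i.e. when the rules disagree."""
    return legacy_encoding(z, p) != padded_encoding(z, p)


def derive_key(shared_secret_bytes: bytes) -> bytes:
    """Stand-in for the real key schedule: any PRF over the bytes suffices to
    show that a different encoding yields a different traffic key."""
    return hashlib.sha256(shared_secret_bytes).digest()


def dh_shared_secret(private: int, peer_public: int, p: int) -> int:
    """Z = peer_public^private mod p, with the basic range check on the peer
    value that RFC 7919 asks implementations to perform."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def mismatch_rate(p: int, trials: int, seed: int = 1) -> float:
    """Fraction of uniformly random group elements on which the two rules
    disagree.  Expected about 1/256 (~0.0039): the top byte of Z is zero
    with probability about 2^-8.  Random elements stand in for g^xy so the
    estimate does not depend on the toy generator's subgroup order."""
    rng = random.Random(seed)
    hits = sum(encodings_differ(rng.randrange(1, p), p) for _ in range(trials))
    return hits / trials


def main() -> None:
    # Both sides compute the same integer Z ...
    x, y = 123456789, 987654321  # constructed private exponents
    a_pub, b_pub = pow(G_TOY, x, P_TOY), pow(G_TOY, y, P_TOY)
    z = dh_shared_secret(x, b_pub, P_TOY)
    assert z == dh_shared_secret(y, a_pub, P_TOY)

    # ... but if one side strips and the other pads, the derived keys agree
    # only while the top byte of Z happens to be non-zero.
    z_leading_zero = 0x0000FFFF00000001  # constructed Z with two zero bytes on top
    for label, value in (("this run's Z", z), ("leading-zero Z", z_leading_zero)):
        legacy, padded = legacy_encoding(value, P_TOY), padded_encoding(value, P_TOY)
        same = derive_key(legacy) == derive_key(padded)
        print(f"{label}: legacy={legacy.hex()} padded={padded.hex()} keys agree={same}")

    print(f"mismatch rate over 100000 random Z: {mismatch_rate(P_TOY, 100000):.4f}")


if __name__ == "__main__":
    main()
```

Running it prints the two encodings side by side for a normal Z (identical) and for a Z with a zero top byte (6 bytes versus 8 bytes, different keys), followed by an empirical mismatch rate near 0.0039. The practical check for an implementer of RFC 7919 on TLS 1.2 is therefore to compare against a peer on a Z value with a leading zero byte, since the common case cannot distinguish the two rules.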