Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 February 2019 04:49 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 21 Feb 2019 21:17:02 -0500
Message-ID: <87mumor2ht.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i1a8eDYCCK2THtZ8iIUKZyoYkpc>

On Thu 2019-02-21 00:16:54 +0000, Peter Gutmann wrote:

> (A side-note about the 3526 values, they've been independently verified
> outside of their publication in the RFC, has anyone done this for the 7919
> ones?  Not saying they're suspicious, but it'd be good to get independent
> verification that the data values match what's described in the RFC).

i'd welcome any additional double-checks.  iirc, at the time of
publication, Tero Kivinen checked them independently, but i'd welcome
any additional checks people want to do.

I also published primality proofs (via primo) of the groups here:

 https://dkg.fifthhorseman.net/ffdhe-primality-proofs/
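
As an added example, not code from this thread or from the RFC's authors, the following Python recomputes each RFC 7919 modulus from the formula the RFC publishes (p = 2^b - 2^(b-64) + (floor(2^(b-130) e) + X) * 2^64 - 1) and checks that the result is a safe prime in which the generator 2 has order q, which is the kind of independent verification asked for above. It assumes the per-size offsets X as transcribed here from RFC 7919 Appendix A; check those against the RFC text before relying on a result.

```python
"""Recompute the RFC 7919 FFDHE moduli from their published formula and check safe-primality."""
import random
# Offsets X per group size from RFC 7919, Appendix A (assumption: transcribed from memory; compare with the RFC).
FFDHE_X = {2048: 560316, 3072: 2625351, 4096: 5736041, 6144: 15705020, 8192: 10965728}
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]

def e_scaled(k, guard=128):
    """floor(e * 2^k), computed exactly from the Taylor series of e in integer arithmetic."""
    total, term, n = 0, 1 << (k + guard), 0
    while term:                      # term == floor(2^(k+guard) / n!)
        total, n = total + term, n + 1
        term //= n
    # Each truncated term loses < 1, so the sum is short by under n units; the guard bits absorb that.
    return total >> guard

def ffdhe_prime(b):
    """p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1 (RFC 7919, Appendix A)."""
    return (1 << b) - (1 << (b - 64)) + ((e_scaled(b - 130) + FFDHE_X[b]) << 64) - 1

def is_probable_prime(n, rounds=16):
    """Small-prime trial division, then Miller-Rabin; error probability at most 4^-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    r = ((n - 1) & (1 - n)).bit_length() - 1      # trailing zero bits of n-1
    d = (n - 1) >> r                               # n - 1 == d * 2^r, d odd
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p, rounds=16):
    return is_probable_prime(p, rounds) and is_probable_prime((p - 1) // 2, rounds)

def generator_has_order_q(p):
    """RFC 7919 fixes g = 2; p = 7 (mod 8) makes 2 a quadratic residue, so 2^q = 1 (mod p)."""
    return pow(2, (p - 1) // 2, p) == 1

if __name__ == "__main__":
    print("ffdhe2048 is a safe prime:", is_safe_prime(ffdhe_prime(2048), rounds=8))
```

Because p ends in 64 one-bits, p = 7 (mod 8) holds by construction, and the hex of every size should begin with sixteen f's followed by the leading hex digits of 2^64 * e (adf85458a2bb4a9a); a mismatch there means the series or the formula was mis-implemented, while a safe-primality failure points at a wrong X.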

> That's a weird thing about 7919, throughout the draft process lots of people
> pointed out, again and again, that it wasn't going to work if published in
> that form.  So it got published anyway...

i agree that it would have been functionally stronger to define
ciphersuite values that identify the use of named FFDHE groups.  This
would allow clients to signal to servers that they will *only* accept
DHE if the server uses the named groups, and would avoid getting DHE
handshakes from non-compliant servers.

However, the mechanism is still useful as-is for clients that want to
signal their preference for a known group to a cooperating server.  This
is still useful in a world where some clients were failing to accept
server-offered DHE shares > 1024 bits (sigh, Java).

IIRC, the sense at the time was also that codepoints were scarce
resources, and replicating all the _DHE_RSA_ ciphersuites alone would
consume another 25 codepoints (replicating all of the _DHE_ ciphersuites
would consume 70 additional ones), and then it would also require
haggling over how the handshake messages would differ from the standard
in those variants, which might then increase implementation complexity.
Too bad!

At any rate, it turned out to be useful preparation for TLS 1.3, though
i presume today the named DHE groups will really only come in handy in
case ECDHE turns out to have some kind of serious cryptanalytic setback.

   --dkg, the guilty party