Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 February 2019 00:17 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 21 Feb 2019 00:16:54 +0000
Message-ID: <1550708208818.4475@cs.auckland.ac.nz>
References: <6fff39d3-649d-867a-db71-b0faa18185a5@brainhub.org> <CAF8qwaCMhfsndABga55gpauX6=WhknNXija=nUU2xr93wYLaQA@mail.gmail.com> <797b3723-3257-1b08-6f78-5752922fb7d3@brainhub.org> <CAF8qwaBYBG7HTm2rj1msAQFVTYYs=jB2PQcVyNYsr1KknZEuHw@mail.gmail.com>, <a823869e-3db7-4c30-a281-52dd7dbcf641@www.fastmail.com>
In-Reply-To: <a823869e-3db7-4c30-a281-52dd7dbcf641@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ngp4aUuBn_X-GFRzyCYRxF4P5KI>

Martin Thomson <mt@lowentropy.net> writes:

>We implement 7919, which includes an option to only accept server shares from
>the 7919 groups.  With that option a simple comparison is used to determine if
>the group is one from the spec, rejecting all else, but we otherwise just
>treat the share as normal. 

My code fast-paths known-good primes, for example the RFC 3526 ones, and only
does full checking on unknown ones (that is, it recognises things like the
3526 primes in the hello and uses its built-in values for them).  I don't do
7919 for the same reason that most other implementations don't, although I've
been thinking about adding the 7919 primes to the known-good set.

(A side-note about the 3526 values: they've been independently verified
outside of their publication in the RFC; has anyone done this for the 7919
ones?  Not saying they're suspicious, but it'd be good to get independent
verification that the data values match what's described in the RFC.)

>I'm not aware of anyone seriously using it though, 

That's a weird thing about 7919, throughout the draft process lots of people
pointed out, again and again, that it wasn't going to work if published in
that form.  So it got published anyway...

Peter.
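The strategy Peter describes above (recognise a known-good prime in the hello and use the built-in value, run the full checks only on unknown primes), written out as an added example. This is not code from the thread, from cryptlib, or from NSS; it is an illustration that embeds only the RFC 3526 group 14 prime (the hex is transcribed from the RFC, and the self-check on it is exactly the kind of independent verification the side-note asks for), parses the TLS 1.2 ServerDHParams layout from RFC 5246 section 7.4.3, and applies the public-value checks of RFC 7919 section 5.1 to the server's share. The sample ServerKeyExchange body it validates is constructed inline.

```python
"""Fast-path known DH groups, fully validate unknown ones (added illustration)."""
import secrets

# RFC 3526 section 3: 2048-bit MODP group ("group 14"), generator 2.
# Transcribed from the RFC; is_safe_prime() below checks the transcription
# rather than trusting it.
RFC3526_GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

# Known-good table: prime -> (generator, name).  A real implementation would
# list every RFC 3526 / RFC 7919 group it is willing to accept.
KNOWN_GOOD = {RFC3526_GROUP14_P: (2, "RFC 3526 group 14 (2048-bit MODP)")}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases: error <= 4**-rounds for any composite n,
    so the bound holds even for an adversarially chosen server prime."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def parse_server_dh_params(buf):
    """TLS 1.2 ServerDHParams: dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>."""
    values, off = [], 0
    for _ in range(3):
        if off + 2 > len(buf):
            raise ValueError("truncated ServerDHParams")
        n = int.from_bytes(buf[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(buf):
            raise ValueError("bad opaque length in ServerDHParams")
        values.append(int.from_bytes(buf[off:off + n], "big"))
        off += n
    if off != len(buf):
        raise ValueError("trailing bytes after ServerDHParams")
    return tuple(values)


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params, used here to build a test message."""
    def opaque(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return len(b).to_bytes(2, "big") + b
    return opaque(p) + opaque(g) + opaque(ys)


def check_dh_group(p, g, min_bits=2048):
    """Return (p, g, q, source).  A prime in the table is accepted by lookup and
    the built-in values are used; anything else gets the full safe-prime and
    generator checks, which cost several dozen 2048-bit modexps."""
    if p in KNOWN_GOOD:
        known_g, name = KNOWN_GOOD[p]
        if g != known_g:
            raise ValueError(f"unexpected generator {g} for {name}")
        return p, known_g, (p - 1) // 2, name
    if p.bit_length() < min_bits:
        raise ValueError("DH prime too small")
    if not is_safe_prime(p):
        raise ValueError("DH prime is not a safe prime")
    q = (p - 1) // 2
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        raise ValueError("generator is not in the order-q subgroup")
    return p, g, q, "unknown group, fully verified"


def check_peer_public(p, q, ys):
    """RFC 7919 section 5.1 style: 1 < Ys < p-1 and Ys lies in the order-q subgroup."""
    if not 1 < ys < p - 1 or pow(ys, q, p) != 1:
        raise ValueError("peer public value rejected")
    return ys


def validate_server_key_exchange(buf, min_bits=2048):
    """Full client-side check of a ServerDHParams body; returns the group source."""
    p, g, ys = parse_server_dh_params(buf)
    p, g, q, source = check_dh_group(p, g, min_bits)
    check_peer_public(p, q, ys)
    return source


if __name__ == "__main__":
    # Constructed server share: a random-looking exponent on the group 14 base.
    share = pow(2, 0x1234567, RFC3526_GROUP14_P)
    print(validate_server_key_exchange(encode_server_dh_params(RFC3526_GROUP14_P, 2, share)))
```

Note that the table lookup is keyed on the full prime, not on a prefix or a length, and that the generator is still compared against the stored one, so a server that sends a known prime with a different g is sent down the rejection path rather than the fast path. The subgroup check in check_peer_public costs one extra modexp per handshake and is what stops a server from handing over a small-order element.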