Re: [TLS] Should we require compressed points
Michael StJohns <msj@nthpermutation.com> Sat, 01 November 2014 18:23 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605361A0049 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 11:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYvsl4ZOSB4h for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 11:23:49 -0700 (PDT)
Received: from mail-qg0-f43.google.com (mail-qg0-f43.google.com [209.85.192.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDA621A0030 for <tls@ietf.org>; Sat, 1 Nov 2014 11:23:48 -0700 (PDT)
Received: by mail-qg0-f43.google.com with SMTP id f51so7052073qge.16 for <tls@ietf.org>; Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=uPdKabZFuyfFgDk96zXE7msmsjOC/0G4xXtAd1+Emo0=; b=X9cz1RcZcIOdDBbCbsqYtqObknNglKhD6zUcJr/v6zZx1b3NOzt1RSR8Ptr+Q5lmv0 LrglTTTAg/tKzbp/guTo0Ml83JlWL3B2cyAlkrm9e2VjQUp3rLcKiRiZF7sHKNazC7it M5Ni/895NyUKfAz9zKUFnqjmHdBrPJDQYGTLNRHOWSwMTPAkACQlbSw9l/BA6Z0xSVHx 0cmSnmylWFLNI9NV58d9CEUwX8E5/1qtBNGisp8uKMzLuGdHrEscPVcyb8aDxsZtR5gQ 4jN+i4TGu9lhDSRqwnPw9fqEHTLRLnAzL4C3txXzS3nPpTiTF9SY1O83RshVTldQG62W ObZA==
X-Gm-Message-State: ALoCoQmdtbQakTcfa04/fOvjzt7QdJF/hGTZ+ELvtn9EVqTcD3sd15WTFl2pQyvP/kQnvE/wnvPU
X-Received: by 10.224.28.193 with SMTP id n1mr19524228qac.93.1414866227652; Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:84b1:781c:6435:fe31? ([2601:a:2a00:e7:84b1:781c:6435:fe31]) by mx.google.com with ESMTPSA id g14sm12603170qar.46.2014.11.01.11.23.46 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
Message-ID: <54552558.2030209@nthpermutation.com>
Date: Sat, 01 Nov 2014 14:24:24 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9D6102@uxcn10-5.UoA.auckland.ac.nz> <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com> <544F635D.2000309@polarssl.org> <20141028145223.GQ19158@mournblade.imrryr.org> <544FC339.8010605@polarssl.org> <CABcZeBPctqdSia7tJ5F9s42wAYq5mWL06qjCPUxdWFVL-BSKHw@mail.gmail.com> <20141031183146.GA12592@LK-Perkele-VII> <54551692.2070905@polarssl.org>
In-Reply-To: <54551692.2070905@polarssl.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pmug6nT0bIJMPopsQNNPyBiAHHA
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 18:23:51 -0000
Below - inline. On 11/1/2014 1:21 PM, Manuel Pégourié-Gonnard wrote: > On 31/10/2014 19:31, Ilari Liusvaara wrote: >> On Fri, Oct 31, 2014 at 10:34:52AM -0700, Eric Rescorla wrote: >>> This discussion seems to be settling, so I've prepared a pull request >>> that implements Bodo's suggestion: >>> >>> https://github.com/tlswg/tls13-spec/pull/86 >> >> I think 8.1.2 (ECDHE premaster secret calculation) should be modified >> as well, to specify using the fixed wire encoding of selected group for >> premaster secret. >> > Just to be clear: this would change the way the PMS is computed for the existing > curves, right? I'm not opposed to it, I just want to make sure we're on the same > line. > >> This is to avoid problems with more "odd" encodings. >> > I think this is indeed a very desirable outcome, that is achieved by your proposal. > >> Note that 8.1.1 does not quite match that beheviour, since it specifes >> leading zero octets to be stripped (whereas DHE "element" encoding >> doesn't seem to specify if zeroes are stripped or not) >> > I think it makes sense to accept non-canonical representation of DHE elements as > long as it's not ambiguous (be liberal in what you accept), while for the PMS > it's necessary to be strict in order to ensure interop. But I wouldn't be oppose > to something like "DHE elemens MUST be encoded without leading zeroes, but > implementations MAY accept leading zeroes in their encoding". Sorry - this won't work. This (8.1.2) is about taking the derived shared secret and representing it as a byte string for input into a key derivation function (the TLS PRF for 1.2 basically). For example, the bignum value '1' can be represented as 01, as 00 00 00 01 or with any number of leading bytes. But KDF ({01}) gives you a different result than KDF ({00 00 00 01}) etc. In X9.42, X9.62 and in the NIST version of DH/ECDH, the bignum result of the ECDH operation is translated to a byte string via an "Integer to Octet String" conversion. In all of these, the length of the octet string is fixed to match the order of one of the parameters, is big endian, and is not variable in length (e.g. the leading 00 bytes are not truncated). TLS - for I'm sure what must have been good reasons at the time - decided to do it differently for DH (by truncating leading 0 bytes). However, TLS ECDH matches the guidances in X9.62 and in SP800-56A which preserves leading zeros and has a fixed shared secret length based on the curve parameters. (RFC4492, section 5.10). The point of the above is that the conversion from the bignum shared secret to the octet string used as the premaster secret prior to being input into the key derivation function needs to be of a well-known length for any given parameter set so MUST is a "MUST" for DH. Ideally, I'd really like to be able to use standard libraries rather than TLS specific ones, so I'd rather have the following going forward: "If TLS1.3 or later is negotiated, DHE octet strings representing derived shared secrets MUST be encoded according X9.42 7.6.3 and NIST SP800-56A C.1 and leading 0 octets to the required length (= CEIL(t/8) where t = log2(p) where p is the large prime field order) MUST be preserved; otherwise for TLS1.2 and before, those octet strings MUST be encoded without leading 0 octets." Note that I'm not adamant about the above - I expect that plain DH will begin to go away due to the relative benefits of ECDH, so negotiating an ECDH shared secret allows for the use of normal libraries. But whatever the choice it needs to be a MUST. Mike > > Manuel. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns