IETF Logo Mail Archive

Re: [TLS] Should we require compressed points

Michael StJohns <msj@nthpermutation.com> Sat, 01 November 2014 18:23 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605361A0049 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 11:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYvsl4ZOSB4h for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 11:23:49 -0700 (PDT)
Received: from mail-qg0-f43.google.com (mail-qg0-f43.google.com [209.85.192.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDA621A0030 for <tls@ietf.org>; Sat, 1 Nov 2014 11:23:48 -0700 (PDT)
Received: by mail-qg0-f43.google.com with SMTP id f51so7052073qge.16 for <tls@ietf.org>; Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=uPdKabZFuyfFgDk96zXE7msmsjOC/0G4xXtAd1+Emo0=; b=X9cz1RcZcIOdDBbCbsqYtqObknNglKhD6zUcJr/v6zZx1b3NOzt1RSR8Ptr+Q5lmv0 LrglTTTAg/tKzbp/guTo0Ml83JlWL3B2cyAlkrm9e2VjQUp3rLcKiRiZF7sHKNazC7it M5Ni/895NyUKfAz9zKUFnqjmHdBrPJDQYGTLNRHOWSwMTPAkACQlbSw9l/BA6Z0xSVHx 0cmSnmylWFLNI9NV58d9CEUwX8E5/1qtBNGisp8uKMzLuGdHrEscPVcyb8aDxsZtR5gQ 4jN+i4TGu9lhDSRqwnPw9fqEHTLRLnAzL4C3txXzS3nPpTiTF9SY1O83RshVTldQG62W ObZA==
X-Gm-Message-State: ALoCoQmdtbQakTcfa04/fOvjzt7QdJF/hGTZ+ELvtn9EVqTcD3sd15WTFl2pQyvP/kQnvE/wnvPU
X-Received: by 10.224.28.193 with SMTP id n1mr19524228qac.93.1414866227652; Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:84b1:781c:6435:fe31? ([2601:a:2a00:e7:84b1:781c:6435:fe31]) by mx.google.com with ESMTPSA id g14sm12603170qar.46.2014.11.01.11.23.46 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Nov 2014 11:23:47 -0700 (PDT)
Message-ID: <54552558.2030209@nthpermutation.com>
Date: Sat, 01 Nov 2014 14:24:24 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9D6102@uxcn10-5.UoA.auckland.ac.nz> <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com> <544F635D.2000309@polarssl.org> <20141028145223.GQ19158@mournblade.imrryr.org> <544FC339.8010605@polarssl.org> <CABcZeBPctqdSia7tJ5F9s42wAYq5mWL06qjCPUxdWFVL-BSKHw@mail.gmail.com> <20141031183146.GA12592@LK-Perkele-VII> <54551692.2070905@polarssl.org>
In-Reply-To: <54551692.2070905@polarssl.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pmug6nT0bIJMPopsQNNPyBiAHHA
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 18:23:51 -0000

Below - inline.

On 11/1/2014 1:21 PM, Manuel Pégourié-Gonnard wrote:
> On 31/10/2014 19:31, Ilari Liusvaara wrote:
>> On Fri, Oct 31, 2014 at 10:34:52AM -0700, Eric Rescorla wrote:
>>> This discussion seems to be settling, so I've prepared a pull request
>>> that implements Bodo's suggestion:
>>>
>>> https://github.com/tlswg/tls13-spec/pull/86
>>   
>> I think 8.1.2 (ECDHE premaster secret calculation) should be modified
>> as well, to specify using the fixed wire encoding of selected group for
>> premaster secret.
>>
> Just to be clear: this would change the way the PMS is computed for the existing
> curves, right? I'm not opposed to it, I just want to make sure we're on the same
> line.
>
>> This is to avoid problems with more "odd" encodings.
>>
> I think this is indeed a very desirable outcome, that is achieved by your proposal.
>
>> Note that 8.1.1 does not quite match that beheviour, since it specifes
>> leading zero octets to be stripped (whereas DHE "element" encoding
>> doesn't seem to specify if zeroes are stripped or not)
>>
> I think it makes sense to accept non-canonical representation of DHE elements as
> long as it's not ambiguous (be liberal in what you accept), while for the PMS
> it's necessary to be strict in order to ensure interop. But I wouldn't be oppose
> to something like "DHE elemens MUST be encoded without leading zeroes, but
> implementations MAY accept leading zeroes in their encoding".

Sorry - this won't work.

This (8.1.2) is about taking the derived shared secret and representing 
it as a byte string for input into a key derivation function (the TLS 
PRF for 1.2 basically).

For example, the bignum value '1' can be represented as 01, as 00 00 00 
01 or with any number of leading bytes.   But KDF ({01}) gives you a 
different result than KDF ({00 00 00 01}) etc.

In X9.42, X9.62 and in the NIST version of DH/ECDH, the bignum result of 
the ECDH operation is translated to a byte string via an "Integer to 
Octet String" conversion.   In all of these, the length of the octet 
string is fixed to match the order of one of the parameters, is big 
endian, and is not variable in length (e.g. the leading 00 bytes are not 
truncated).  TLS - for I'm sure what must have been good reasons at the 
time - decided to do it differently for DH (by truncating leading 0 bytes).

However, TLS ECDH matches the guidances in X9.62 and in SP800-56A which 
preserves leading zeros and has a fixed shared secret length based on 
the curve parameters.  (RFC4492, section 5.10).

The point of the above is that the conversion from the bignum shared 
secret to the octet string used as the premaster secret prior to being 
input into the key derivation function needs to be of a well-known 
length for any given parameter set so MUST is a "MUST" for DH.

Ideally, I'd really like to be able to use standard libraries rather 
than TLS specific ones, so I'd rather have the following going forward:

"If TLS1.3 or later is negotiated, DHE octet strings representing 
derived shared secrets MUST be encoded according X9.42 7.6.3 and NIST 
SP800-56A C.1 and leading 0 octets to the required length (= CEIL(t/8) 
where t = log2(p) where p is the large prime field order) MUST be 
preserved; otherwise for TLS1.2 and before, those octet strings MUST be 
encoded without leading 0 octets."

Note that I'm not adamant about the above - I expect that plain DH will 
begin to go away due to the relative benefits of ECDH, so negotiating an 
ECDH  shared secret allows for the use of normal libraries.  But 
whatever the choice it needs to be a MUST.

Mike





>
> Manuel.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email