Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

David Benjamin <davidben@chromium.org> Thu, 19 May 2016 19:23 UTC

If the WG agrees with this change, I've put together a PR here:
https://github.com/tlswg/tls13-spec/pull/462

On Tue, May 17, 2016 at 4:14 PM David Benjamin <davidben@chromium.org>
wrote:

> Reviving this thread, I also think it would be a good idea if 1.3 did
> not strip zeros from Z. Having this logic is rather dubious w.r.t.
> treating secret data in constant-time. And as Bill Cox mentioned
> elsewhere in this thread, this odd behavior has caused interoperability
> issues in the past.
>
> I don't think we have to be worried about inconsistency with 1.2 as, by
> the time this happens, we will already know we're speaking 1.3. TLS 1.3 DHE
> is already a very different beast from TLS 1.2 DHE. At this point, the only
> thing they meaningfully share is they happen to use the same code points.
>
> David
>
> On Thu, Apr 7, 2016 at 10:37 AM Russ Housley <housley@vigilsec.com> wrote:
>
>> I would prefer to always use the full, known-length byte string for Z.
>> In my experience, it is better to know the lengths of byte strings instead
>> of stripping leading zeroes.  The difference in the speed of the HKDF
>> computation by omitting the leading zeros is not significant.  Alignment
>> with NIST SP 800-56A is nice, but it is not the reason for my preference.
>>
>> Russ
>>
>>
>> On Mar 28, 2016, at 11:56 AM, Maarten Bodewes <maarten.bodewes@gmail.com>
>> wrote:
>>
>> > Hi all,
>> >
>> > I see that the leading zero is stripped off of the value of Z (the
>> shared secret) before it is used as input to HKDF. This seems to be
>> compatible with TLS 1.2. Then again, it is not compatible with e.g.
>> NIST SP 800-56A which uses the value of Z with the same size of the prime in
>> octets. Furthermore, it is also different with regard to handling the
>> coordinate X as used in ECDH.
>> >
>> > Was this a conscious decision to keep compatibility with TLS? Has the
>> use of the value of Z including zero octets been considered?
>> >
>> > Regards,
>> > Maarten
>
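As an added illustration (not part of the thread or any of the posters' code), a short Python script that makes the two points above concrete: on a constructed toy DH group it finds a shared secret Z whose top octet is zero, encodes Z both as a fixed-length string of the prime's size (the NIST SP 800-56A / proposed TLS 1.3 behaviour) and with leading zeros stripped (the TLS 1.2 behaviour), and shows that HKDF-Extract then yields different keys (the interoperability hazard) while the stripped length varies with the secret (the constant-time concern). The toy prime, generator, exponent search and helper names are my own assumptions.

```python
# Added example: fixed-length vs leading-zero-stripped encoding of the DH
# shared secret Z as HKDF input. Toy 64-bit group constructed for the demo
# only (2^64 - 59 is prime but not a safe prime); never use it in practice.
import hashlib
import hmac

P = 2**64 - 59                      # constructed toy prime modulus
G = 2                               # constructed generator
P_LEN = (P.bit_length() + 7) // 8   # size of the prime in octets (8 here)


def z_fixed(z: int) -> bytes:
    """Encode Z as exactly P_LEN octets, big-endian, leading zeros kept."""
    return z.to_bytes(P_LEN, "big")


def z_stripped(z: int) -> bytes:
    """TLS 1.2 style: drop leading zero octets, so the length depends on Z."""
    return z_fixed(z).lstrip(b"\x00") or b"\x00"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def find_case(want_leading_zero: bool, start: int = 1, limit: int = 50000):
    """Search private exponents until Z's top octet is (or is not) zero.

    Returns (a, b, z): both private exponents and the agreed secret."""
    for a in range(start, start + limit):
        b = a + 12345                       # arbitrary peer exponent
        ya, yb = pow(G, a, P), pow(G, b, P)  # public values
        z = pow(yb, a, P)
        assert z == pow(ya, b, P)           # both sides agree on Z
        if (z_fixed(z)[0] == 0) == want_leading_zero:
            return a, b, z
    raise RuntimeError("no suitable Z found in search range")


def compare_encodings(z: int) -> dict:
    """Lengths and HKDF-Extract outputs for both encodings of the same Z."""
    fixed, stripped = z_fixed(z), z_stripped(z)
    return {
        "fixed_len": len(fixed),
        "stripped_len": len(stripped),
        "prk_fixed": hkdf_extract(b"", fixed),
        "prk_stripped": hkdf_extract(b"", stripped),
    }
```

Roughly one Z in 256 has a zero top octet, so a peer that keeps leading zeros and one that strips them derive different PRKs on that fraction of handshakes; the fixed-length encoding makes the HKDF input length independent of the secret.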