>>>>> "sfluhrer" == sfluhrer  <Scott> writes:
    >> I read draft-ietf-ipsecme-dh-checks-01.
    >> I am not competent to understand if this addresses a real problem.
    >> I understood that (1 < r < p-1) is a test that many implementors did not
    >> do.    I think that most implementations generated r from a PRNG.

    sfluhrer> This last statement makes me suspect that you
    sfluhrer> misunderstood what we were doing. 

    sfluhrer> The tests we suggest in this draft are not run on either
    sfluhrer> the secret exponent nor the public value we generate.
    sfluhrer> Instead, it's run on the value r we receive from the
    sfluhrer> peer's KE payload.  How the peer selects that value isn't
    sfluhrer> our problem (we certainly hope the peer selects it in a
    sfluhrer> way such that a third party can't guess its secret
    sfluhrer> exponent; we can't actually test for that); our problem is
    sfluhrer> deciding whether to accept it or not. 

Yes, I think that I understood that these tests are for what we receive,
and then I must have read something that talked about generation... sec...

Aha.... so:

   o  It MUST check both that the peer's public value is in range (1 < r
      < p-1) and that r**q = 1 mod p (where q is the size of the

...
   o  It MUST NOT reuse DH private values (that is, the DH private value
      for each DH exchange MUST be generated from a fresh output of a

So, in section 2.2 we talk both about what we should do with something
received, and also place a mandate about generating.

Perhaps these things belong in separate sections.
It seems that from the receiver of g^x's point of view, point two
repeats point one, since the receiver is not in a position to know if
the DH private value was reused.

    >> I have not implemented ECDSA, but the instructions seemed well
    >> formatted, but I don't at this point know what they mean.

    sfluhrer> Actually, we're talking about ECDH here, and not ECDSA.

my typo at 11:30pm.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [ 
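As an added illustration of the two distinct requirements discussed above (checking a received peer value versus generating our own private value), here is example code that is not from the draft or from anyone on the list; it uses a constructed toy safe-prime group (p = 23, q = 11, g = 2) in place of a real IKE MODP group:

```python
import secrets

# Constructed toy safe-prime group for illustration only: p = 2q + 1 with
# p = 23, q = 11, g = 2.  Real IKE MODP groups have the same structure
# (q = (p - 1) // 2) but with 2048-bit and larger p.
P = 23
Q = (P - 1) // 2   # 11, the prime order of the subgroup generated by g
G = 2              # 2 is a quadratic residue mod 23, so it has order q

def peer_value_is_valid(r: int, p: int = P, q: int = Q) -> bool:
    """Check a peer's received DH public value r as the draft requires.

    1. Range check: 1 < r < p-1 rejects the trivial values 0, 1 and p-1
       (and anything outside the field).
    2. Subgroup check: r**q == 1 mod p confirms r lies in the prime-order
       subgroup, so the shared secret cannot be confined to a small subgroup.
    The receiver can verify these; it cannot verify how the peer chose r.
    """
    if not 1 < r < p - 1:
        return False
    return pow(r, q, p) == 1

def fresh_private_value(q: int = Q) -> int:
    """Our own obligation: a fresh private exponent in [1, q-1] from a CSPRNG,
    never reused across exchanges."""
    return 1 + secrets.randbelow(q - 1)

def public_value(x: int, g: int = G, p: int = P) -> int:
    return pow(g, x, p)

def shared_secret(r: int, x: int, p: int = P) -> int:
    """Derive the shared secret from the peer's value r, refusing bad values."""
    if not peer_value_is_valid(r, p, (p - 1) // 2):
        raise ValueError("peer public value rejected")
    return pow(r, x, p)

def demo() -> bool:
    # Two honest parties with fresh exponents agree on the same secret.
    x = fresh_private_value()
    y = fresh_private_value()
    return shared_secret(public_value(y), x) == shared_secret(public_value(x), y)
```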