Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-06-20 Thread Maarten Bodewes
Hi David, Great. Thanks for following up on this! I think I now understand why the implementation of DH seemed buggy in one of the crypto libraries that I was reviewing. Regards, Maarten Op 19 mei 2016 21:22 schreef "David Benjamin" : > If the WG agrees with this change, I've put together a PR

Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-05-19 Thread Russ Housley
Thanks for doing the text. Russ On May 19, 2016, at 3:22 PM, David Benjamin wrote: > If the WG agrees with this change, I've put together a PR here: > https://github.com/tlswg/tls13-spec/pull/462 > > On Tue, May 17, 2016 at 4:14 PM David Benjamin wrote: > Reviving this thread, I also think i

Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-05-19 Thread David Benjamin
If the WG agrees with this change, I've put together a PR here: https://github.com/tlswg/tls13-spec/pull/462 On Tue, May 17, 2016 at 4:14 PM David Benjamin wrote: > Reviving this thread, I also think it would also be a good idea if 1.3 did > not stripping zeros from Z. Having this logic is rathe

Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-05-17 Thread David Benjamin
Reviving this thread, I also think it would also be a good idea if 1.3 did not stripping zeros from Z. Having this logic is rather dubious w.r.t. treating secret data in constant-time. And as Bill Cox mentioned elsewhere in this thread, this odd behavior has caused interoperability issues in the pa

Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-04-07 Thread Russ Housley
I would prefer to always use the full, known-length byte string for Z. In my experience, it is better to know the lengths of byte strings instead of stripping leading zeroes. The difference in the speed of the HKDF computation by omitting the leading zeros is not significant. Alignment with N

Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-03-29 Thread Peter Gutmann
Bill Cox writes: >I spent 2 weeks last year tracking down a flaky bug that only occurs once in >every 256 connection: the leading 0 byte was no longer being stripped in a >code change I ported from OpenSSL master, and only Maria DB ran random tests >enough to trigger this condition. My self-test

[TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets

2016-03-28 Thread Maarten Bodewes
Hi all, I see that the leading zero is stripped off of the value of Z (the shared secret) before it is used as input to HKDF. This seems to be compatible with TLS 1.2. Then again, it is not compatible with e.g. NISP800-56A which uses the value of Z with the same size of the prime in octets. Furthe