[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove SHOULD for elliptic curve groups in IKEv2

To: Andrey Jivsov <andrey@brainhub.org>
Subject: Re: Remove SHOULD for elliptic curve groups in IKEv2
From: "The Purple Streak (Hilarie Orman)" <ho@alum.mit.edu>
Date: Thu, 14 Mar 2002 17:39:55 -0700
CC: ipsec@lists.tislabs.com
References: <49B96FCC784BC54F9675A6B558C3464E5D0DDE@MAIL.NetOctave.com> <3C90E0EE.6020004@alum.mit.edu> <048501c1cb92$b748cd70$0200a8c0@remedy> <3C91287B.4070900@alum.mit.edu> <061301c1cbb6$de4b0770$0200a8c0@remedy>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1

The co-factor should not affect interoperability.  What is it about the
IKE state that caused a failure?

For the modp case, you do not need to do any cofactor checks with IKE.
Assuming you use a good random number generator, the probability of
choosing a value in the tiny subgroup is negligable.
It is less likely than choosing a DES weak key.  Furthermore, the
IKE generator will always be a square, thus protecting low order bits.

Hilarie

Andrey Jivsov wrote:

>>Your explanation of co-factors with ECC sheds no light on the matter
>>for me.
>>
> 
> Here is how I understand IKE implementing ECC DH should work.
> 
>     Initiator generates secret scalar x, calculates x*G and sends it to the
> responder in KE.
>     Responder generates secret scalar y, calculates y*G and sends it to the
> initiator in KE.
>     Both peers calculate x*y*G and use it in place of "g^xy" for SKEYID_xxx
> generation.
> 
>     '*' here is a scalar multiplication.
> 
> As it turns out, one well-known vendor interpreted "g^xy" as x*y*c*G. In
> this case cofactor multiplication changes the IKE state so that two
> implementations cannot interoperate. In addition, I mentioned before my
> concerns about patent(s) for cofactor multiplication.
> 
> 
>> I'll note as an aside that because IKE requires Sophie-Germain
>>primes, this is note an issue for modexp groups, either.
>>
> 
> This is a good analogy. I would like to see g^xy is interpreted the same way
> as it is interpreted for MODP groups, i.e. without cofactor multiplication
> in g^xy.
> 
> For MODP cofactor is always 2. This allows implementation to store constant
> value 2^(MOPD_prime-1)/2 for each MOPD_prime and then memcmp() received g^x
> with this value. If implementation checks for small g^x and g^xy, this
> covers the small subgroup attack for any MODP group.
> 
> For ECC Koblitz groups cofactor is 4, but similar checks can be performed.
> 
> 
> 
>

References:
- RE: Remove SHOULD for elliptic curve groups in IKEv2
  - From: Mark Winstead <Mark.Winstead@NetOctave.com>
- Re: Remove SHOULD for elliptic curve groups in IKEv2
  - From: "The Purple Streak (Hilarie Orman)" <ho@alum.mit.edu>
- Re: Remove SHOULD for elliptic curve groups in IKEv2
  - From: "Andrey Jivsov" <andrey@brainhub.org>
- Re: Remove SHOULD for elliptic curve groups in IKEv2
  - From: "The Purple Streak (Hilarie Orman)" <ho@alum.mit.edu>
- Re: Remove SHOULD for elliptic curve groups in IKEv2
  - From: "Andrey Jivsov" <andrey@brainhub.org>

Prev by Date: Re: Remove private-use values from IKEv2
Next by Date: Re: 10 years and no ubiquitous security
Prev by thread: Re: Remove SHOULD for elliptic curve groups in IKEv2
Next by thread: Re: Remove SHOULD for elliptic curve groups in IKEv2
Index(es):
- Date
- Thread