RFC 4753 documents that the shared secret obtained from an ECP 
Diffie-Hellman operation is the concatenation of the x and y coordinates 
of the derived point.

Is that correct?

That is a little strange to me, which is why I want to double check.  The 
y coordinate is simply a dependent variable, so including it doesn't seem 
to add much.  Much of the literature also seems to indicate that the x 
coordinate alone is generally considered to be the shared secret. Existing 
standards such as RSA's PKCS#11 interface use only the x coordinate. 
Moreover, in NIST publication 800-56A, "Recommendation for Pair-Wise Key 
Establishment Schemes Using Discrete Logarithm Cryptography", on p. 41 the 
x coordinate alone is again understood to be the shared secret.  This 
reference is particularly interesting, because it is incorporated into 
FIPS 140-2 via annex D, as the list of "Approved Key Establishment 
Techniques".

Assuming it is correct that IKE considers the shared secret to be the 
concatenation of the x and y coordinates, does this imply that IKE's use 
of DH groups 19, 20 and 21 cannot be made to be compliant with FIPS 140-2? 
 (Should I be asking this question somewhere else?)


Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
