[IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Johannes Merkle
We have submitted a new revision of the Internet Draft on Using the ECC Brainpool Curves (defined in RFC 5639) for IKEv2 Key Exchange https://datatracker.ietf.org/doc/draft-merkle-ikev2-ke-brainpool/ Since there was considerable objection to the point compression method in the WG, we have

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Dan Harkins
Hi Johannes, On Fri, November 30, 2012 4:11 am, Johannes Merkle wrote: We have submitted a new revision of the Internet Draft on Using the ECC Brainpool Curves (defined in RFC 5639) for IKEv2 Key Exchange https://datatracker.ietf.org/doc/draft-merkle-ikev2-ke-brainpool/ Since there was

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Scott Fluhrer (sfluhrer)
There should *absolutely* be a requirement that any point you receive from the peer is actually a point on the curve. What can happen if you don't? Well, that depends on the implementation of the point addition/doubling; what happens with the normal implementation is that it acts as if it was

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Yaron Sheffer
The problem I have with this discussion is, this check (if really required) should have been in the base protocol, because the protocol has supported EC groups from day one. It doesn't belong in a specific curve definition. We could use the errata process to add it. It's not ideal, but

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Yoav Nir
Hi Johannes, Dan't question made me realise something I hadn't noticed before. In section 2.3, the draft says: For the encoding of the key exchange payload and the derivation of the shared secret, the methods specified in [RFC5903] are adopted. In an ECP key exchange in IKEv2, the

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Scott Fluhrer (sfluhrer)
With ECDH, there are two separate EC points that are output by the algorithm: - There's the public value xG (where x is our secret); this is passed in the KE payload - There's the shared secret value xyG (where x is our shared secret, and y is the peer's secret); this is used in the key

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Dan Harkins
On Fri, November 30, 2012 1:03 pm, Yaron Sheffer wrote: The problem I have with this discussion is, this check (if really required) should have been in the base protocol, because the protocol has supported EC groups from day one. It doesn't belong in a specific curve definition. We could use

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-11-30 Thread Yoav Nir
Right. I cut-and-pasted and didn't notice that it said shared secret. Never mind. On Dec 1, 2012, at 12:00 AM, Scott Fluhrer (sfluhrer) sfluh...@cisco.com wrote: With ECDH, there are two separate EC points that are output by the algorithm: - There's the public value xG (where x is our