Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-12-03 Thread Johannes Merkle
Hi Yaron, > > OK, I see your point (no pun intended). Regarding ECDH secret reuse, can you > please review > http://tools.ietf.org/html/rfc5996#section-2.12. That section was supposed to > cover the relevant security > considerations. In fact I think your attack is alluded to in the paper we >

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-12-03 Thread Tero Kivinen
Johannes Merkle writes: > > OK, I see your point (no pun intended). Regarding ECDH secret > > reuse, can you please review > > http://tools.ietf.org/html/rfc5996#section-2.12. That section was > > supposed to cover the relevant security considerations. In fact I > > think your attack is alluded to

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-12-03 Thread Scott Fluhrer (sfluhrer)
As for http://tools.ietf.org/html/rfc5996#section-2.12, it's fine as far as it goes, however (IMHO) it rather punts on what self-checks are actually needed. It does refer to the Menezes and Ustaoglu paper, which is quite good, however, it would be better if you spell out exactly what tests the

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

2012-12-03 Thread Scott Fluhrer (sfluhrer)
Sigh, immediately after sending this, I remembered that even characteristic EC curves tend to have cofactors h>1, hence there is further checking required for them. Scratch what I said, that what I said for odd characteristic EC curves applies to even as well -- that checking is necessary, b

[IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt

2012-12-03 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Maintenance and Extensions Working Group of the IETF. Title : A TCP transport for the Internet Key Exchange Author(s) : Yoav Nir F

[IPsec] Fwd: New Version Notification for draft-ietf-ipsecme-ike-tcp-01.txt

2012-12-03 Thread Yoav Nir
Hi I've just posted version -01 of the draft, which I think addresses the issues discussed at the F2F in Atlanta: - Added a port specification to the notification (and so, port agility for when the IKE peer is behind NAT) - Added the notification to the Initiator as well, so that it can adver