Johannes Merkle writes:
> > OK, I see your point (no pun intended). Regarding ECDH secret
> > reuse, can you please review
> > http://tools.ietf.org/html/rfc5996#section-2.12. That section was
> > supposed to cover the relevant security considerations. In fact I
> > think your attack is alluded to in the paper we reference from
> > that section (see Sec. 5, first paragraph).
> >
> I agree with you that this is a general issue that should be
> addressed generally. Yet, as a precaution, I could also include such
> a requirement in the current draft.
Looking at the ECDH problems there seem to be in the specifications (i.e. what checks are needed, RFC 5114 referring to the wrong RFC (it should refer to 5903, not 4753), etc.), it seems we need to do something about this. I do not think it is a good idea to include these kinds of things as errata. Also, I do not think we should include generic ECDH processing rules in a draft specifying some EC groups.

I think it would be best to take the ECDH processing rules (mostly from 5903, but also add the checks if those are needed) and create a new RFC that will update 5996. This document should not include any groups.

Then the question is what to do with 5114. 5114 points to 4753, and there is the problem that 4753 was modified with errata. This means that 5114 is also affected by the same errata, meaning a compliant implementation should follow the same errata, i.e. the same format that is defined in 5903. We should have made 5903 also include the 2 other groups from 5114, i.e. groups 25 and 26, and we really should have obsoleted ALL ECP groups (19-21, 25-26) and allocated new numbers for all of those.

If that new document includes all ECDH processing rules, perhaps it can be made to update all previous ECDH RFCs, and it can say all ECDH curves use exactly the same processing rules?

-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
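The processing rules and checks the thread says a generic ECDH RFC should spell out, as an added example that is not from this thread or from any of the RFCs it cites: RFC 5903-style KE payload encoding for group 19 (NIST P-256), validation of the peer's public value before a private value is applied to it, and extraction of the x-coordinate as the shared secret. The curve constants are the standard P-256 ones; private values and malformed payloads used in testing are constructed.

```python
# Added example, not from the thread: RFC 5903-style KE payload handling for
# IKEv2 group 19 (NIST P-256) with peer public-value checks. Educational speed only.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
COORD_LEN = 32  # RFC 5903: group 19 KE data is x || y, 32 octets each, fixed width

def on_curve(pt):
    x, y = pt  # reject coordinates >= p as well as points off the curve
    return 0 <= x < P and 0 <= y < P and (y * y - (x**3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def ke_payload(priv):  # our KE data: public point as fixed-width big-endian x || y
    x, y = mul(priv, G)
    return x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")

def shared_secret(priv, peer_ke):
    """Validate the peer's KE data before applying our private value (1 <= priv < n),
    then return the x-coordinate. P-256 has cofactor 1, so on-curve suffices."""
    if len(peer_ke) != 2 * COORD_LEN:
        raise ValueError("bad KE payload length")
    peer = (int.from_bytes(peer_ke[:COORD_LEN], "big"), int.from_bytes(peer_ke[COORD_LEN:], "big"))
    if not on_curve(peer):
        raise ValueError("peer public value is not on the curve")
    return mul(priv, peer)[0].to_bytes(COORD_LEN, "big")
```

Rejecting an off-curve public value before the private value touches it is the check that makes reusing an ECDH private value across exchanges (the attack the thread alludes to) fail at the input rather than at the key.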
