On 04/08/2021, 14:43, "Scott Fluhrer (sfluhrer)" <sfluh...@cisco.com> wrote:
>
> I am glad that someone in the working group is looking at this. However, as
> I reviewed this before the wg meeting, I was completely puzzled by this text
> (from section 6.1):
>
> 3DH
>
> C computes K = H(g^y ^ PrivU || PubU ^ x || PubS ^ PrivU || IdU || IdS )
> S computes K = H(g^x ^ PrivS || PubS ^ y || PubU ^ PrivS || IdU || IdS )
>

There are three errors in this: the two you pointed out and the third term.
The correct K calculations for 3DH are:

C computes K = H(g^y ^ PrivU || PubS ^ x || g^y ^ x || IdU || IdS)
S computes K = H(PubU ^ y || g^x ^ PrivS || g^x ^ y || IdU || IdS)

Where C has x, g^y, PubS, PrivU and S has y, g^x, PubU, PrivS.

Which are calculated like:

g^x = g ^ x        (yes I know it's bad to name it like
g^y = g ^ y         this, but that's how they did it)
PubS = g ^ PrivS
PubU = g ^ PrivU

Although the terms can be in any order and I don't speak for them, those are
the correct terms with matching counterparts.

> Obviously these need to be the same for an honest client-server pair. I
> can't see where the above variables are defined in the doc; I would assume
> that the meanings are:
>
>
> * x, y are the private values from the ephemeral DH operation, and are
> randomly selected for each exchange.
> * PrivU, PubU, PrivS, PubS are static values from the Opaque record.
>

That's how I read it.

> However, if that's the case, I can't see how that could work; for one, g^y ^
> PrivU and g^x ^ PrivS would be different values, and so differing values
> would be stirred into the Master Secret. In addition, I can't see how PubU ^
> x (where PubU and x would appear to be client specific) could be expected to
> be the same as PubS ^ y (as both those values would be server specific).
>
> What am I missing?
>

Those are actual problems.

As a side note, 3DH looks like this, where each straight line is a DH
calculation (hopefully those two lines look like they make an "X"). i_* being
their identity public-private key pairs (PrivU, PubU, PrivS, PubS) and e_*
being their ephemeral public-private key pairs (x, g^x, y, g^y).

    i_c     i_s
       \   /
        \ /
        / \
       /   \
    e_c ----- e_s
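
The term-by-term comparison discussed in this message, as an added example that is not part of the original post or of the draft: it computes both sets of K inputs for one honest client-server pair and reports which terms agree. The toy modulus and base, SHA-256 standing in for H, the fixed-width encoding, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: toy multiplicative group for illustration only, not a secure choice.
P = 2**127 - 1   # a Mersenne prime
G = 3            # base "g"

def keypair():
    """Return (private, public) with public = g ^ private mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def H(terms, id_u, id_s):
    """K = H(t1 || t2 || t3 || IdU || IdS); SHA-256 is an assumed stand-in."""
    h = hashlib.sha256()
    for t in terms:
        h.update(t.to_bytes(16, "big"))   # fixed width so || is unambiguous
    h.update(id_u + id_s)
    return h.digest()

def corrected_terms(x, gy, pub_s, priv_u, y, gx, pub_u, priv_s):
    # Terms from the reply: each client term has a matching server counterpart.
    client = [pow(gy, priv_u, P), pow(pub_s, x, P), pow(gy, x, P)]
    server = [pow(pub_u, y, P), pow(gx, priv_s, P), pow(gx, y, P)]
    return client, server

def draft_terms(x, gy, pub_s, priv_u, y, gx, pub_u, priv_s):
    # Terms as quoted from section 6.1 of the draft.
    client = [pow(gy, priv_u, P), pow(pub_u, x, P), pow(pub_s, priv_u, P)]
    server = [pow(gx, priv_s, P), pow(pub_s, y, P), pow(pub_u, priv_s, P)]
    return client, server

def run_exchange(id_u=b"IdU", id_s=b"IdS"):
    """Run one exchange with fresh random keys; compare both formula sets."""
    priv_u, pub_u = keypair()   # client static pair (PrivU, PubU)
    priv_s, pub_s = keypair()   # server static pair (PrivS, PubS)
    x, gx = keypair()           # client ephemeral pair (x, g^x)
    y, gy = keypair()           # server ephemeral pair (y, g^y)
    keys = (x, gy, pub_s, priv_u, y, gx, pub_u, priv_s)
    result = {}
    for name, fn in (("corrected", corrected_terms), ("draft", draft_terms)):
        c, s = fn(*keys)
        result[name] = {"terms_match": [a == b for a, b in zip(c, s)],
                        "keys_match": H(c, id_u, id_s) == H(s, id_u, id_s)}
    return result

if __name__ == "__main__":
    print(run_exchange())
```

With the draft's terms, only the third pair agrees, and that pair uses static keys alone (PubS ^ PrivU), whereas the corrected third term is the ephemeral-ephemeral g^y ^ x.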