IETF-SSH archive


RE: draft-green-secsh-ecc-08: small correction



Thanks Peter, I'm happy to find this issue has already been
addressed.


> -----Original Message-----
> From: Peter Gutmann [mailto:pgut001%cs.auckland.ac.nz@localhost]
> Sent: Friday, August 13, 2010 10:37 AM
> To: djm%mindrot.org@localhost; douglas%stebila.ca@localhost; Igoe, Kevin M.
> Cc: ietf-ssh%NetBSD.org@localhost
> Subject: RE: draft-green-secsh-ecc-08: small correction
> 
> "Igoe, Kevin M." <kmigoe%nsa.gov@localhost> writes:
> 
> >As to checking for the point at infinity in ECDH, I'd rather have that issue
> >addressed in a document that is clearly directed at ECDH rather than having
> >it hidden in a document that only peripherally touches ECDH. I'll be putting
> >out a "Suite B for Secure Shell" document in the near future and plan to cover
> >such issues in there.
> 
> Shouldn't this check be automatic anyway for a (correct) implementation?  The
> standard that defines ECC use (keygen, key checking, data formats, etc),
> X9.62, already mandates this check (although for some reason the RFC
> references it as informative rather than normative and gives the SECG doc as
> the primary reference when pretty much everything else uses X9.62, and AFAIK
> the SECG stuff was derived from the earlier X9.62 work), so if you implement
> ECC correctly then you already do this check.  In any case the text says:
> 
>    All elliptic curve public keys MUST be validated after they are
>    received.  An example of a validation algorithm can be found in
>    Section 3.2.2 of [SEC1].  If a key fails validation, the key exchange
>    MUST fail.
> 
> so it appears this is already covered.  The checks I have, from X9.62, are:
> 
> 	/* Verify that the public key parameter sizes are valid:
> 
> 		qx, qy >= MIN_PKCSIZE_ECC, qx, qy <= p - 1 */
> 
> 	/* Verify that Q is not the point at infinity */
> 
> 	/* Verify that qx, qy are elements in the field Fq, i.e. in the range
> 	   0...p - 1 */
> 
> 	/* Verify that qy^2 is congruent to qx^3 + a*qx + b (mod p) */
> 
> 	/* Verify that n * Q is the point at infinity */
> 
> If that's sufficient for checking Q then the existing doc already covers
> things.
> 
> Peter.
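
The checks listed in the quoted message, written out as an added example that is not part of the thread or any participant's code. It assumes the NIST P-256 parameters; the function names are hypothetical, and the implementation-specific MIN_PKCSIZE_ECC size check is omitted.

```python
# Added illustration: X9.62-style validation of a received ECDH public key Q.
# Curve: NIST P-256 (assumed for this example). Names below are hypothetical.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime p
A = P - 3                                   # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None                                  # the point at infinity

def add(q1, q2):
    """Affine point addition, including doubling and the infinity cases."""
    if q1 is INF:
        return q2
    if q2 is INF:
        return q1
    (x1, y1), (x2, y2) = q1, q2
    if x1 == x2 and (y1 + y2) % P == 0:     # Q + (-Q) = infinity
        return INF
    if q1 == q2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, q):
    """Double-and-add scalar multiplication (not constant time; the
    validated point is public, so no secret is involved here)."""
    r = INF
    while k:
        if k & 1:
            r = add(r, q)
        q = add(q, q)
        k >>= 1
    return r

def validate(q):
    """Return None if Q passes every check, else the reason it failed."""
    if q is INF:
        return "point at infinity"
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return "coordinate out of range"
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return "not on curve"
    if mul(N, q) is not INF:
        return "n*Q is not the point at infinity"
    return None
```

P-256 has cofactor 1, so any point that passes the curve-equation check also passes the n * Q check; on curves with a larger cofactor that last check is what rejects points outside the prime-order subgroup.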
