RE: deaft-gree-sedsh-ecc-08: small correction

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

"Igoe, Kevin M." <kmigoe%nsa.gov@localhost> writes:

>As to checking for the point at infinity in ECDH, I'd rather have that issue
>addressed in a document that is clearly directed at ECDH rather than having
>it hidden in a document that only peripherally touches ECDH. I'll be putting
>out a "Suite B for Secure Shell" document in the near future and plan to cover
>such issues in there.

Shouldn't this check be automatic anyway for a (correct) implementation?  The
standard that defines ECC use (keygen, key checking, data formats, etc),
X9.62, already mandates this check (although for some reason the RFC
references it as informative rather than normative and gives the SECG doc as
the primary reference when pretty much everything else uses X9.62, and AFAIK
the SECG stuff was derived from the earlier X9.62 work), so if you implement
ECC correctly than you already do this check.  In any case the text says:

   All elliptic curve public keys MUST be validated after they are
   received.  An example of a validation algorithm can be found in
   Section 3.2.2 of [SEC1].  If a key fails validation, the key exchange
   MUST fail.

so it appears this is already covered.  The checks I have, from X9.62, are:

	/* Verify that the public key parameter sizes are valid:

		qx, qy >= MIN_PKCSIZE_ECC, qx, qy <= p - 1 */

	/* Verify that Q is not the point at infinity */

	/* Verify that qx, qy are elements in the field Fq, i.e. in the range
	   0...p - 1 */

	/* Verify that qy^2 is congruent to qx^3 + a*qx + b (mod p) */

	/* Verify that n * Q is the point at infinity */

If that's sufficient for checking Q then the existing doc already covers
things.

Peter.