RE: How long is ZZ? from Ryan Sleevi on 2014-03-01 (public-webcrypto@w3.org from March 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Sat, 1 Mar 2014 14:13:26 -0800
To: Jim Schaad <ietf@augustcellars.com>
Cc: public-webcrypto@w3.org
Message-ID: <CACvaWvZYe+7Kmhje-99XAarDVmwhG=bYWdJ9J2ATc8Rov-wb0Q@mail.gmail.com>

Looks like the link in the ED is broken.

ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-3.asc

Section 8.3

The integer secret key z shall be converted to an octet string SK, the
secret key, of length k. The secret key SK shall satisfy k z = SUM
2^(8(k-i)) SK'i . i = 1 where SK1, ..., SKk are the octets of SK from first
to last. In other words, the first octet of SK has the most significance in
the integer and the last octet of SK has the least significance.

So its dependent on what K is set to, which is defined in Section 4.

"K - length of prime in octets"
On Mar 1, 2014 2:07 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

> The normative reference for what?
>
>
>
> Jim
>
>
>
>
>
> From: Ryan Sleevi [mailto:sleevi@google.com]
>
> Sent: Saturday, March 01, 2014 1:25 PM
>
> To: Jim Schaad
>
> Cc: public-webcrypto@w3.org
>
> Subject: Re: How long is ZZ?
>
>
>
> The normative reference is RFC 2631.
>
> How does that not answer the question?
>
> On Mar 1, 2014 1:13 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
> I ran across this problem within the last couple of years.  There is,
> unfortunately two different answers to the question.
>
>
>
> TLS (RFC 5246)
>
>
>
> A conventional Diffie-Hellman computation is performed.  The
>
>    negotiated key (Z) is used as the pre_master_secret, and is converted
>
>    into the master_secret, as specified above.  Leading bytes of Z that
>
>    contain all zero bits are stripped before it is used as the
>
>    pre_master_secret.
>
>
>
> CMS (RFC 2631)
>
>
>
> H is the message digest function SHA-1 [FIPS-180] ZZ is the shared
>
>    secret value computed in Section 2.1.1. Leading zeros MUST be
>
>    preserved, so that ZZ occupies as many octets as p. For instance, if
>
>    p is 1024 bits, ZZ should be 128 bytes long.
>
>
>
>
>
> As you can see from the above text, some specifications say to remove
> leading zero bytes from ZZ while others say to keep them.
>
>
>
> We need to document which is to be implemented by the spec.   I would say
> to keep the leading zero bytes as I think this is more common, but I have
> absolutely no proof of that fact.
>
>
>
> Jim
>
>
>

Received on Saturday, 1 March 2014 22:13:53 UTC