Re: Diffie-Hellman question from Ryan Sleevi on 2014-02-24 (public-webcrypto@w3.org from February 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 24 Feb 2014 10:51:03 -0800
To: Mark Watson <watsonm@netflix.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvYMbCjFmaM41QBWfFHNFiHZ2FoL-npUv5c8qFqS=6wqAw@mail.gmail.com>

On Mon, Feb 24, 2014 at 10:06 AM, Mark Watson <watsonm@netflix.com> wrote:

> So, if the libraries people are using to implement WebCrypto right now
> support only PKCS#3, shouldn't we stick with that for this first version ?
> Just as we have "RSASSA-PKCS1-v1_5" we could have "DH-PKCS3" and later
> introduce X9.42.
>
> That would mean that in this version we would not be able to support
> export except in raw format. I would then suggest that we support import
> only in that format too. It's not quite clear what import is for, though,
> except perhaps to enable use of the DH Phase II primitive with a private
> value generated some way other than deriveKey: we would need a
> DhImportParams dictionary to provide the prime and generator. Importing a
> DH public key is useless, because the only think a Key object representing
> a DH public key can be used for is to export the Public Value.
>
> ...Mark
>
>
>

I'm going to have to disagree with your conclusions. If we were to adopt
your proposal, I would see us not being able to implement DH, because
there's no hope of developing anything useful.

As Jim explained, you can 'downcast' from X9.42 to PKCS#3, but not
'upcast'. While the small subgroups is a concern, I don't believe it shares
the same concern when using pre-negotiated parameters.

Regarding the import / phase 2 issue, you're correct in highlighting
there's an issue, but again I'm not sure I'd agree to the same conclusions.
We need to solve the asymmetry here with import, and I suspect that
DhKeyDeriveParams is using the wrong type by taking "public" as a
BigInteger.

Namely, if you want to do a DH-Static negotiation, where the peer supplies
their expected parameters as a SubjectPublicKeyInfo, the ideal workflow
would be something akin to (with asynchronicity elided)

// Import, not knowing of the parameter space for which the key will be
negotiated
otherPubKey = importKey("spki", ...)
// Generate a key to the peers' parameter space
keyPair = generateKey({ name: "DH", prime: otherPubKey.prime,
generator: otherPubKey.generator }, ...);
// Grab our key in SPKI. Could just as well be 'raw' since the parameters
are duplicated with the peers
ourRawKey = exportKey("spki", keyPair.publicKey);
// Grab the 'raw' key. This is the 'weirdness' of the DhKeyDeriveParams
issue
otherRawKey = exportKey("raw", otherPubKey);
// Derive a shared secret
secret = deriveKey({name: "DH", public: otherRawKey }, keyPair.privateKey,
{ name: "AES-CBC", length: 128 }, false, ['encrypt']);

// Allows peer to compute |secret|
send(ourRawKey);

// Encrypts dataToProtect under |secret|
send(encrypt({name: 'AES-CBC', iv: ...}, dataToProtect));

Received on Monday, 24 February 2014 18:51:30 UTC