Re: Diffie-Hellman question from Ryan Sleevi on 2014-02-24 (public-webcrypto@w3.org from February 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 24 Feb 2014 11:45:07 -0800
To: Mark Watson <watsonm@netflix.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvZYOpcxx2czO2DJK3KJmDzLS3nLx+buYe3WQM+-mxhHaA@mail.gmail.com>

On Mon, Feb 24, 2014 at 11:11 AM, Mark Watson <watsonm@netflix.com> wrote:

> Ryan,
>
> I'm not sure exactly what you're suggesting. The workflow you describe is
> the obvious one if SPKI import/export is supported and, yes, we could
> change the public property of DhKeyDeriveParams to be a Key and this would
> make this flow slightly less weird.
>
> Are you suggesting we simply support X9.42 instead of PKCS#3 ? You mention
> there is a lack of library support for X9.42. If, instead, we implement
> this workflow with PKCS#3 it seems not obvious that this would work when
> talking to a X9.42 endpoint which expects us to provide and pay attention
> to the q parameter.
>

> If we stick with PKCS#3 and raw import / export you can certainly build a
> DH key exchange - you just need to use your own format for communication of
> the p / g parameters.
>
> ...Mark
>
>
All of the libraries mentioned support X9.42 import. It's only an issue
when generating a key / domain parameters with q.

The questions on this:
- Is X9.42 import widely implemented? Yes
- Is X9.42 export widely implemented? No. PKCS#11 only.
- Is X9.42 generation widely implemented? No
- Is PKCS#3 import widely implemented? Mostly, yes (Apple not-withstanding)
- Is PKCS#3 export widely implemented? Yes.
- Is PKCS#3 generation widely implemented? Yes.

It appears that I missed the bit from PKCS#3 that defines the OID of
dhKeyAgreement (1.2.840.113549.1.3.1) , rather than using the RFC 3279
dhpublickey OID (1.2.840.10046.2.1). With dhKeyAgreement, it aligns with
what CAPI/CNG/OpenSSL/NSS support - namely, the following ASN.1 structure

DHParameter ::= SEQUENCE {
  prime INTEGER, -- p
  base INTEGER, -- g
  privateValueLength INTEGER OPTIONAL }

The small subgroup attack that Jim raised is not an issue for ephemeral
negotiations, AIUI. As such, I think there is still value in supporting
PKCS#3 only.

Note that OpenSSL doesn't support X9.42 until 1.0.2-Beta-1 (and it's still
experimental).

Seems like we can resolve all issues here as PKCS#3 only, no custom formats.

Received on Monday, 24 February 2014 19:45:33 UTC