How long is ZZ?

From: Jim Schaad <ietf@augustcellars.com>
Date: Sat, 1 Mar 2014 13:11:25 -0800
To: <public-webcrypto@w3.org>
Message-ID: <08cf01cf3592$ce040120$6a0c0360$@augustcellars.com>
I ran across this problem within the last couple of years.  There are,
unfortunately, two different answers to the question.


TLS (RFC 5246)


   A conventional Diffie-Hellman computation is performed.  The
   negotiated key (Z) is used as the pre_master_secret, and is converted
   into the master_secret, as specified above.  Leading bytes of Z that
   contain all zero bits are stripped before it is used as the



CMS (RFC 2631)


   H is the message digest function SHA-1 [FIPS-180]
   <http://tools.ietf.org/html/rfc2631#ref-FIPS-180>
   ZZ is the shared secret value computed in Section 2.1.1
   <http://tools.ietf.org/html/rfc2631#section-2.1.1>. Leading zeros MUST be
   preserved, so that ZZ occupies as many octets as p. For instance, if
   p is 1024 bits, ZZ should be 128 bytes long.



As you can see from the above text, some specifications say to remove
leading zero bytes from ZZ while others say to keep them.


We need to document which is to be implemented by the spec.   I would say to
keep the leading zero bytes as I think this is more common, but I have
absolutely no proof of that fact.



Received on Saturday, 1 March 2014 21:13:31 UTC
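
The two conventions quoted in the message above, side by side, as an added example that is not part of the original message or of any specification text. The 16-bit prime, the generator and all function names are assumptions constructed for illustration; the scan finds an exchange whose shared secret has a leading zero octet, where the two encodings differ in length.

```javascript
// Toy group constructed for this example; real groups are 2048 bits or more.
const P = 65521n, G = 17n; // P is a 16-bit prime, so len(p) is 2 octets

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Number of octets needed for a positive BigInt.
const byteLength = (n) => Math.ceil(n.toString(16).length / 2);

// RFC 2631 convention: big-endian, leading zeros preserved up to len(p).
function encodeFixed(z, p) {
  const out = new Uint8Array(byteLength(p));
  for (let i = out.length - 1; i >= 0; i--, z >>= 8n) out[i] = Number(z & 0xffn);
  return out;
}

// RFC 5246 convention: leading all-zero bytes stripped.
function encodeStripped(z, p) {
  const fixed = encodeFixed(z, p);
  let i = 0;
  while (i < fixed.length - 1 && fixed[i] === 0) i++;
  return fixed.slice(i);
}

// Interop helper: restore a stripped value to len(p) octets.
function repad(stripped, p) {
  const out = new Uint8Array(byteLength(p));
  out.set(stripped, out.length - stripped.length);
  return out;
}

// Scan the peer's private values for a shared secret with a leading zero octet.
function findLeadingZeroCase(a) {
  const A = modPow(G, a, P);
  for (let b = 2n; b < P; b++) {
    const z = modPow(A, b, P);
    if (z !== modPow(modPow(G, b, P), a, P)) throw new Error("DH mismatch");
    if (encodeFixed(z, P)[0] === 0) return { b, z };
  }
  return null;
}
```

Two implementations that pass these different byte strings to the same key derivation function derive different keys, and only for the fraction of exchanges where the leading octet happens to be zero.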