W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

RE: How long is ZZ?

From: Jim Schaad <ietf@augustcellars.com>
Date: Sat, 1 Mar 2014 14:06:12 -0800
To: "'Ryan Sleevi'" <sleevi@google.com>
Cc: <public-webcrypto@w3.org>
Message-ID: <08e601cf359a$766bdd90$634398b0$@augustcellars.com>
The normative reference for what?





From: Ryan Sleevi [mailto:sleevi@google.com] 

Sent: Saturday, March 01, 2014 1:25 PM

To: Jim Schaad

Cc: public-webcrypto@w3.org

Subject: Re: How long is ZZ?


The normative reference is RFC 2631.

How does that not answer the question?

On Mar 1, 2014 1:13 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

I ran across this problem within the last couple of years.  There is, unfortunately two different answers to the question.


TLS (RFC 5246)


A conventional Diffie-Hellman computation is performed.  The

   negotiated key (Z) is used as the pre_master_secret, and is converted

   into the master_secret, as specified above.  Leading bytes of Z that

   contain all zero bits are stripped before it is used as the



CMS (RFC 2631)


H is the message digest function SHA-1 [FIPS-180] ZZ is the shared

   secret value computed in Section 2.1.1. Leading zeros MUST be

   preserved, so that ZZ occupies as many octets as p. For instance, if

   p is 1024 bits, ZZ should be 128 bytes long. 



As you can see from the above text, some specifications say to remove leading zero bytes from ZZ while others say to keep them.


We need to document which is to be implemented by the spec.   I would say to keep the leading zero bytes as I think this is more common, but I have absolutely no proof of that fact.



Received on Saturday, 1 March 2014 22:08:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:02:40 UTC