[gnutls-devel] GnuTLS | DH and ECDH keys tests (!990)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri May 17 23:22:55 CEST 2019

Stephan Mueller commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171709007

>  			goto dh_cleanup;
>  		}
> +		/* if we have Q check that y ^ q mod p == 1 */
> +		if (q != NULL) {
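Review bot: the `if (q != NULL)` guard makes the `y ^ q mod p == 1` test depend entirely on the caller supplying Q, so a peer that negotiates a safe-prime P without transmitting Q skips subgroup validation altogether; since for a safe prime Q = (P - 1) / 2 follows from P alone (or from a lookup table of the well-known groups), consider deriving Q from P first and falling back to the `q != NULL` branch only when that derivation fails, as the discussion below suggests.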

Hi Nikos,

> Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/pk.c:
> https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171694887
> >  			goto dh_cleanup;
> >  	
> >  		}
> >
> > +		/* if we have Q check that y ^ q mod p == 1 */
> > +		if (q != NULL) {
> If we disable DHE in TLS1.2 there is no practical value from the new test
> using Q because this catches incorrect public keys, but only in the
> non-safe groups (SP800-56A acknowledges that). I'd expect the ACVP/CAVS
> tests to be different depending on whether `SP800-56A case 1` or
> case (2) is claimed. Let's see what Stephan thinks on that.

The following is NOT yet official, but should guide your considerations.

We just had a discussion with the responsible persons within NIST defining the
crypto requirements. The following conclusion came out of the discussion that
yet needs to be poured into a FIPS IG.

- If we have Sophie-Germain primes, we must have a check of the remote key.
For TLS, you will always be able to get the Q from the communicated P
(Q = (P - 1) / 2) or via a lookup-table.

- If you get a random prime via TLS, you can dispense with the remote key

- We have to expect that the ACVP testing will be updated to allow testing of
DH with Sophie-Germain primes.

- For the existing ACVP testing providing a random prime, the key check must
be performed.

That said, the check above should be updated to check whether P references a
Sophie-Germain prime and obtain Q if this is the case. Only if the Q value is
not found after that P lookup is the q != NULL check good.

Though, this solution is yet to be turned into an official statement. I expect
an official statement in the not too far future.

Until that happens, please leave the check in the code above for now.


Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171709007
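The validation policy laid out in the message above (derive Q from P when P is a safe prime, otherwise fall back to a caller-supplied Q, and only run the y^Q mod P == 1 test when some Q is available), as an added worked example; this is not GnuTLS or nettle code. It assumes constructed small parameters (P = 1019, a safe prime, and P = 1009, which is not) and carries its own illustrative Miller-Rabin test; a real implementation would use the library's primality test and its lookup table of well-known groups.

```python
# Added example (not GnuTLS/nettle code): peer DH public-key validation
# following the policy described in the thread. Assumptions: constructed
# small parameters (P = 1019 is a safe prime, P = 1009 is not) and a
# Miller-Rabin test written here for illustration only.
import secrets
from typing import Optional, Tuple

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (illustrative; a library would use
    its own, constant-time and better-reviewed, primality test)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness: composite
    return True


def subgroup_order(p: int, q: Optional[int] = None) -> Optional[int]:
    """Return the order Q to validate against: derive (P-1)/2 when P is a
    safe prime, otherwise fall back to a caller-supplied Q (may be None)."""
    candidate = (p - 1) // 2
    if is_probable_prime(candidate):               # P = 2Q + 1 with Q prime
        return candidate
    return q


def validate_dh_public(y: int, p: int, q: Optional[int] = None) -> Tuple[bool, str]:
    """SP 800-56A style peer public-key validation.

    The range check 1 < y < p-1 always runs; the subgroup check
    y^Q mod p == 1 runs whenever a Q is known (derived from a safe prime P
    or supplied by the caller). Returns (accepted, reason)."""
    if not 1 < y < p - 1:
        return False, "y out of range"
    q_eff = subgroup_order(p, q)
    if q_eff is None:
        return True, "range check only (no Q available)"
    if pow(y, q_eff, p) != 1:
        return False, "y not in the order-Q subgroup"
    return True, "full validation passed"


if __name__ == "__main__":
    P_SAFE = 1019                                  # 1019 = 2*509 + 1, both prime
    P_OTHER = 1009                                 # (1009 - 1) / 2 = 504 is composite
    # 2 is a quadratic non-residue mod 1019, so it has order 2Q, not Q: rejected
    print(validate_dh_public(2, P_SAFE))
    # 4 = 2^2 is a residue and lies in the order-Q subgroup: accepted
    print(validate_dh_public(4, P_SAFE))
    # No Q derivable from 1009 and none supplied: only the range check runs
    print(validate_dh_public(2, P_OTHER))
    # Caller supplies Q = 7 (1008 = 2^4 * 3^2 * 7); 2^7 mod 1009 != 1: rejected
    print(validate_dh_public(2, P_OTHER, 7))
```

The rejected y = 2 case for P = 1019 is exactly the class of key the Q check exists to catch: an element of order 2Q rather than Q, which would leak a bit of the shared secret through its Legendre symbol. For the non-safe prime, the function degrades to the range check only, which is the gap the message says the ACVP tests covering random primes are meant to exercise.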
