<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/smuellerDD">Stephan Mueller</a>
commented on a discussion
on <a href="https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171709007">lib/nettle/pk.c</a>:
</p>
<table>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="268" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
268
</td>
<td class="diff-line-num new_line" data-linenumber="269" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
269
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC269" class="line" lang="c">                    <span class="k" style="font-weight: 600;">goto</span> <span class="n" style="color: #333;">dh_cleanup</span><span class="p">;</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="269" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
269
</td>
<td class="diff-line-num new_line" data-linenumber="270" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
270
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC270" class="line" lang="c">            <span class="p">}</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="270" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
270
</td>
<td class="diff-line-num new_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
271
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC271" class="line" lang="c"></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="272" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
272
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC272" class="line" lang="c">            <span class="cm" style="color: #998; font-style: italic;">/* if we have Q check that y ^ q mod p == 1 */</span></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="273" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
273
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC273" class="line" lang="c">            <span class="k" style="font-weight: 600;">if</span> <span class="p">(</span><span class="n" style="color: #333;">q</span> <span class="o" style="font-weight: 600;">!=</span> <span class="nb" style="color: #0086b3;">NULL</span><span class="p">)</span> <span class="p">{</span></span>
</pre>
</td>
</tr>

</table>
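<p>Review bot: The added check is gated on <code>q != NULL</code> (new line 273), so a caller that passes no Q skips the <code>y ^ q mod p == 1</code> test, and the comment on new line 272 does not say when skipping is acceptable. Where P is a known safe prime, Q can be recovered as (P - 1) / 2 before this guard; otherwise extend the comment to state that a NULL <code>q</code> leaves the peer key's subgroup membership unverified.</p>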
<div style="">
<p dir="auto">Hi Nikos,</p>
<blockquote dir="auto" style="color: #7f8fa4; border-left-width: 3px; border-left-color: #eaeaea; border-left-style: solid; margin: 0; padding: 0 0 0 15px;">
<p>Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/pk.c:
<a href="https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171694887" data-original="https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171694887" data-link="false" data-link-reference="true" data-project="179611" data-merge-request="28830049" data-project-path="gnutls/gnutls" data-iid="990" data-mr-title="DH and ECDH keys tests" data-reference-type="merge_request" data-container="body" data-placement="bottom" title="" class="gfm gfm-merge_request">!990 (comment 171694887)</a></p>
<blockquote style="color: #7f8fa4; border-left-width: 3px; border-left-color: #eaeaea; border-left-style: solid; margin: 0; padding: 0 0 0 15px;">
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true" style="background-color: #fff; font-family: monospace; font-size: 90%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%; margin: 0;"><code><span id="LC1" class="line" lang="plaintext">            goto dh_cleanup;</span>
<span id="LC2" class="line" lang="plaintext"></span>
<span id="LC3" class="line" lang="plaintext">       }</span></code></pre>
<ul>
<li>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true" style="background-color: #fff; font-family: monospace; font-size: 90%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%; margin: 0;"><code><span id="LC1" class="line" lang="plaintext">  /* if we have Q check that y ^ q mod p == 1 */</span></code></pre>
</li>
<li>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true" style="background-color: #fff; font-family: monospace; font-size: 90%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%; margin: 0;"><code><span id="LC1" class="line" lang="plaintext">  if (q != NULL) {</span></code></pre>
</li>
</ul>
</blockquote>
<p>If we disable DHE in TLS1.2 there is no practical value from the new test
using Q because this catches incorrect public keys, but only in the
non-safe groups (SP800-56A acknowledges that). I'd expect the ACVP/CAVS
tests to be different depending on whether <code>SP800-56A 5.6.2.2.2 case 1</code> or
case (2) is claimed. Let's see what Stephan thinks on that.</p>
</blockquote>
<p dir="auto">The following is NOT yet official, but should guide your considerations.</p>
<p dir="auto">We just had a discussion with the responsible persons within NIST defining the
crypto requirements. The following conclusion came out of the discussion that
yet needs to be poured into a FIPS IG.</p>
<ul dir="auto">
<li>
<p>If we have Sophie-Germain primes, we must have a check of the remote key.
For TLS, you will always be able to get the Q from the communicated P ( Q = (P - 1) / 2 ) or via a lookup-table.</p>
</li>
<li>
<p>If you get a random prime via TLS, you can dispense with the remote key
check.</p>
</li>
<li>
<p>We have to expect that the ACVP testing will be updated to allow testing of
DH with Sophie-Germain primes.</p>
</li>
<li>
<p>For the existing ACVP testing providing a random prime, the key check must
be performed.</p>
</li>
</ul>
<p dir="auto">That said, the check above should be updated to check that P references a
Sophie-Germain prime and obtain Q if this is the case. Only if the Q value is
not found after that P lookup, the q != NULL is good.</p>
<p dir="auto">Though, this solution is yet to be turned into an official statement. I expect
an official statement in the not too far future.</p>
<p dir="auto">Until that happens, please leave the check in the code above for now.</p>
<p dir="auto">Ciao
Stephan</p>
</div>
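<p>Added example, not part of the original comment and not GnuTLS code: the order of checks discussed above (range check, recover Q from P when P is a known safe prime, then y^q mod p == 1), on toy-sized parameters. The names <code>known_safe_primes</code>, <code>dh_check_peer_key</code> and the <code>dh_check</code> status values are hypothetical, the table entries are constructed, and q == 0 stands in for <code>q == NULL</code>.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy moduli only: m must be below 2^32 so products fit in 64 bits. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1)
            r = r * base % m;
        base = base * base % m;
    }
    return r;
}

/* Constructed stand-in for a table of known safe-prime groups (p = 2q + 1). */
static const uint64_t known_safe_primes[] = { 23, 47, 59 };

static int is_known_safe_prime(uint64_t p)
{
    for (size_t i = 0; i < sizeof known_safe_primes / sizeof known_safe_primes[0]; i++)
        if (known_safe_primes[i] == p)
            return 1;
    return 0;
}

enum dh_check { DH_OK, DH_BAD_RANGE, DH_BAD_SUBGROUP, DH_NOT_CHECKED };

/* q == 0 models the "q == NULL" case: the caller has no subgroup order. */
enum dh_check dh_check_peer_key(uint64_t p, uint64_t q, uint64_t y)
{
    if (y < 2 || y > p - 2)
        return DH_BAD_RANGE;          /* rejects 0, 1 and p - 1 */
    if (q == 0 && is_known_safe_prime(p))
        q = (p - 1) / 2;              /* recover Q from the communicated P */
    if (q == 0)
        return DH_NOT_CHECKED;        /* unknown P and no Q: nothing to test against */
    return powmod(y, q, p) == 1 ? DH_OK : DH_BAD_SUBGROUP;
}

int main(void)
{
    printf("p=23 y=8     -> %d\n", dh_check_peer_key(23, 0, 8)); /* 8 = 2^3, order 11 */
    printf("p=23 y=5     -> %d\n", dh_check_peer_key(23, 0, 5)); /* order 22 */
    printf("p=31 q=5 y=4 -> %d\n", dh_check_peer_key(31, 5, 4)); /* explicit Q */
    printf("p=31 y=4     -> %d\n", dh_check_peer_key(31, 0, 4)); /* no Q, P unknown */
    return 0;
}
```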


</div>
</body>
</html>