-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FFDH 2a: implement Diffie-Hellman key agreement for RFC 7919 groups #3261
Comments
Note: the implementation should probably not use the DHM module ( So, the implementation should probably just use |
I extended #6010 and added FFDH key agreement. I didn't use |
Good news! Regarding test vectors, I'm surprised and a bit disappointed that RFC 7919 doesn't have any. There are FFDH test vectors in other RFCs but they obviously won't work here as they are for different groups. I searched a bit and couldn't find any test vectors for those groups. I say we should generate some ourselves, should be easily done using Python as it has built-in multi-precision integers and modular exponentiation. Regarding leading zeroes, I was going to say there's a good chance (nearly 255 out of 256) that there are none for random test vectors. But then I thought, well, since we're generating our own test vectors we may as well make sure we do hit that corner case, to make sure things work as expected. This should easy to achieve:
I'd say ideally for each group we want two test vectors: one where the shared secret is full-length, plus one where it has a leading 0 byte. Regarding blinding, it doesn't change the result, so its presence or absence doesn't affect the selection of test vectors. |
Yes, I also couldn't find anything useful on the internet. Predefined test vectors are better than python script because it will do the same what our C implementation does. But if there is no other way I will continue with python. Thanks for clarification and hints. |
Yes, generating test vectors ourselves is far from ideal. When we get to integration in TLS 1.3, we can also add interop tests with other implementations for some extra validation - I've just added an item about that in #5979 (last checkbox). |
I got script for generating test vectors for FFDH and added tests for
Now I wanted to add test |
Hmm, good question. Any key derivation algorithm would make sense I think. Perhaps test with HKDF as that's a fairly standard one, that's neither outdated not specific-purpose? I'm afraid again we'll have to generate test vectors ourselves... I looked at RFC 8448 (example traces for TLS 1.3) but it doesn't have any FFDH example, and neither does the illustrated TLS 1.3 handshake. Again, validation will mostly be interop testing with OpenSSL and GnuTLS when we've used it in TLS 1.3, which is not ideal but will have to do. |
Mbed TLS supports finite-field Diffie-Hellman. The PSA Crypto API specifies key agreement with finite-field Diffie-Hellman for known groups, of which the specification defines one family: the groups from RFC 7919. The PSA API implementation in Mbed TLS only supports ECDH, not FFDH.
Prerequisite (arguably, should be done together): #5911
Goals of this task:
psa_key_agreement_raw_internal
.PSA_DH_GROUP_RFC7919
to the appropriateMBEDTLS_DHM_RFC7919_xxx
values.psa_key_derivation_key_agreement
andpsa_raw_key_agreement
.Non-goals:
The text was updated successfully, but these errors were encountered: