Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Preserve leading zeros in Diffie-Hellman secrets. #462

Merged
merged 1 commit into from May 20, 2016

Conversation

davidben
Copy link
Contributor

@davidben davidben commented May 19, 2016

Every other use of Diffie-Hellman preserves leading zeros. See PKCS #3 section
8.3, RFC 2631 section 2.1.2, and SP 800-56A section C.1. I assume X9.42 says
something similar to RFC 2631, but I do not have a copy of it. This discrepancy
has caused sporadic interoperability issues in TLS 1.2's DHE construction, so
clearly it's confusing.

Moreover, having variable-length secrets is generally dubious. It exposes an
unnecessary side channel.

Since TLS 1.2's server-fiat DHE and TLS 1.3's negotiated DHE are already very
different animals (1.3 DHE is more like 1.2 ECDHE than anything else), change
it to the more reasonable scheme going forward. This is not compatible with 1.2
and does risk a different set of sporadic interop issues if implementations do
not realize this changed, but we already have those with 1.2 implementations
today.

Every other use of Diffie-Hellman preserves leading zeros. See PKCS tlswg#3 section
8.3, RFC 2631 section 2.1.2, and SP 800-56A section C.1. I assume X9.42 says
something similar to RFC 2631, but I do not have a copy of it. This discrepancy
has caused sporadic interoperability issues in TLS 1.2's DHE construction, so
clearly it's confusing.

Moreover, having variable-length secrets is generally dubious. It exposes an
unnecessary side channel.

Since TLS 1.2's server-fiat DHE and TLS 1.3's negotiated DHE are already very
different animals (1.3 DHE is more like 1.2 ECDHE than anything else), change
it to the more reasonable scheme going forward. This is not compatible with 1.2
and does risk a different set of sporadic interop issues if implementations do
not realize this changed, but we already have those with 1.2 implementations
today.
@ekr ekr merged commit 2e7c11c into tlswg:master May 20, 2016
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants