RFC Errata
RFC 8492, "Secure Password Ciphersuites for Transport Layer Security (TLS)", February 2019
Source of RFC: INDEPENDENT
Errata ID: 5727
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Alexander Freiherr von Buddenbrock
Date Reported: 2019-05-21
Section Appendix A says:
It should say:
Notes:
We believe we have found an error regarding the Password Element used in
the example in the appendix.
Curve used in the example: brainpoolP256r1
PE.x used in the example:
29 b2 38 55 81 9f 9c 3f c3 71 ba e2 84 f0 93 a3
a4 fd 34 72 d4 bd 2e 9d f7 15 2d 22 ab 37 aa e6
It appears that this is not a valid point on the given curve. Using
Magma (http://magma.maths.usyd.edu.au/calc/) and the values for
brainpool from https://tools.ietf.org/html/rfc5639#section-3.4 gives a
Legendre Symbol of -1, indicating that y^2 is not a quadratic residue
and therefore that PE.x is not a valid point on the curve. Code used:
// brainpoolP256r1 parameters (RFC 5639, Section 3.4) and the PE.x from the example
a := 56698187605326110043627228396178346077120614539475214109386828188763884139993;
b := 17577232497321838841075697789794520262950426058923084567046852300633325438902;
x := 18859714372486306827330584431184663996963158272766618598705097205657493809894;
p := 76884956397045344220809746629001649093037950200943055203735601445031516197751;
// right-hand side of y^2 = x^3 + a*x + b, then test whether it is a quadratic residue mod p
y2 := (x*x*x + a*x + b) mod p;
ls := LegendreSymbol(y2, p);
print ls;
The PE.x in the example seems to be the PRF output in the third round in
the algorithm in 4.4.1 of the RFC.
In older revisions this value was used directly as the X-Coordinate.
However, a) this has changed in newer revisions, and
b) the output of the first round is already a valid point and should
therefore be used instead.
The client and server seem to use a different point than the given PE.x on the curve for
their key exchange. The actual value used can be calculated from the
given mask:
PE = (-element) * (mask^-1 mod q)
Actual PE.x:
A7 EE 9B 10 90 C5 DE AF AD FE A2 EC 93 50 1F B8
9E A4 CC 40 2D D5 CE 03 AF 59 FB 4C D1 9B 86 9B
Doing this for the client Element as well gives the same PE.
Using this PE and the given private values also results in the same
premaster secret in the example.
However, the PRF output of the first round (using the base in the
example) is:
AE 80 44 FE 9A 02 7F A3 26 0C B2 4D 26 FB EC FB
0C D3 1A 28 E0 08 79 98 47 6F 48 24 84 28 AA 1B
A1 4C 25 3C E3 00 CF E5
Resulting X-Coordinate ((pwd-tmp mod (p - 1)) + 1):
00 68 6B 0D 3F C4 98 94 DD 62 1E C0 4F 92 5E 02
9B 2B 15 28 ED ED CA 46 00 72 54 28 1E 9A 6E DC
In decimal:
184490938790914521010164124495537968992184466437601025180409064591686528732
This gives us a Legendre Symbol of 1. This should be the correct PE to
use for the key exchange. The element of the server and client as well
as the premaster and master secret have been adjusted accordingly.
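As an added check, not part of the erratum or of RFC 8492: a Python version of the reporter's Magma test, extended to the corrected value and to the Section 4.4.1 mapping of the first-round PRF output to an x-coordinate. Curve parameters are taken from RFC 5639; the hex values are copied from the notes above.

```python
# Added example (not from the erratum or RFC 8492): re-check the claim that the
# printed PE.x is not on brainpoolP256r1 while the first-round value is.
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6

# PE.x as printed in Appendix A of RFC 8492 (the value the erratum disputes).
PE_X_PRINTED = int("29b23855819f9c3fc371bae284f093a3"
                   "a4fd3472d4bd2e9df7152d22ab37aae6", 16)
# First-round PRF output (pwd-tmp, 40 bytes) quoted in the erratum.
PWD_TMP_ROUND1 = bytes.fromhex("ae8044fe9a027fa3260cb24d26fbecfb"
                               "0cd31a28e0087998476f48248428aa1b"
                               "a14c253ce300cfe5")
# x-coordinate the erratum derives from that output.
PE_X_CORRECTED = int("00686b0d3fc49894dd621ec04f925e02"
                     "9b2b1528ededca46007254281e9a6edc", 16)


def curve_rhs(x: int) -> int:
    """Right-hand side of y^2 = x^3 + a*x + b, reduced mod p."""
    return (pow(x, 3, P) + A * x + B) % P


def legendre_symbol(n: int) -> int:
    """Euler's criterion: n^((p-1)/2) is 1 for a residue, p-1 (i.e. -1) otherwise."""
    r = pow(n % P, (P - 1) // 2, P)
    return -1 if r == P - 1 else r


def x_from_pwd_value(pwd_value: bytes) -> int:
    """RFC 8492 Section 4.4.1: x = (pwd-value mod (p - 1)) + 1."""
    return int.from_bytes(pwd_value, "big") % (P - 1) + 1


def lift_x(x: int):
    """Return (x, y) on the curve, or None when x has no point.
    p is 3 mod 4, so rhs^((p+1)/4) is a square root whenever one exists."""
    rhs = curve_rhs(x)
    if legendre_symbol(rhs) == -1:
        return None
    y = pow(rhs, (P + 1) // 4, P)
    return (x, y)


if __name__ == "__main__":
    for name, x in (("printed PE.x", PE_X_PRINTED), ("corrected PE.x", PE_X_CORRECTED)):
        print(name, "Legendre symbol:", legendre_symbol(curve_rhs(x)))
    print("pwd-tmp maps to corrected x:", x_from_pwd_value(PWD_TMP_ROUND1) == PE_X_CORRECTED)
```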