Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 17 November 2015 15:53 UTC

In-Reply-To: <CACsn0c=PnnkNV3m4duxM-ewL9LoCuudzkEbuSSvW-eeB6_88QA@mail.gmail.com>
References: <19090157-473E-4F19-BECE-0CB9955233C9@shiftleft.org> <20151117141554.DB40B60356@jupiter.mumble.net> <CACsn0c=PnnkNV3m4duxM-ewL9LoCuudzkEbuSSvW-eeB6_88QA@mail.gmail.com>
Date: Tue, 17 Nov 2015 10:53:31 -0500
Message-ID: <CAMm+LwiW2Kd=-ow5-7_Jyoq5OKK7BN9xsbpx85ZS5Eky8LMqSA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/09wFHpP6oa0vm4ZitKayzuOMbm0>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

On Tue, Nov 17, 2015 at 9:31 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Tue, Nov 17, 2015 at 9:16 AM, Taylor R Campbell
> <campbell+cfrg@mumble.net> wrote:
>>    Date: Mon, 16 Nov 2015 18:29:42 -0800
>>    From: Mike Hamburg <mike@shiftleft.org>
>>
>>    > On Nov 16, 2015, at 18:01, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>>    >
>>    > Is there a mechanism that would allow an attacker to force use of
>>    > all zeros?
>>
>>    Yes, an attacker can easily force it by sending specific values of
>>    g^x, most of which cannot be produced by a legitimate
>>    implementation.  There are something like 5 such values for
>>    curve448 and 14 such values for curve25519.
>>
>> A malicious peer can do that, but so what?  A malicious peer can also
>> use a secret key k known to an eavesdropper, and send k*B where B is
>> the standard base point.  Then the eavesdropper seeing the good guy's
>> public key h*B over the wire can readily predict k*h*B and find the
>> session key.  A malicious peer could also email the session transcript
>> to the eavesdropper.
>>
>> What is the serious attack that is prevented by a zero check?  It
>> seems to me an answer to that question is more important than the
>> choice of verb.
>
> Some protocols require contributory behavior from DH exchanges.
> Examples include TLS. Most protocol designers understood how to avoid
> this, but TLS was not designed by a cryptographer. This went unnoticed
> until very recently, when it was exploited in the Triple-Handshake
> attack.

SSL 1.0 and SSL 2.0 were not. But SSL 3.0 was designed by Paul Kocher
working for Taher El-Gamal.

The problem was that he only had two weeks to do the work and Netscape
did not put the proposal out for public review. You might think that
you would want to do that after your first attempt was broken fifteen
minutes into the first (and only) presentation outside the company.
That's not the way Netscape went about things.
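Added worked example (not part of the thread, written for this archive page): the quoted exchange turns on the fact that a peer can send a small-subgroup u-coordinate and force X25519 to output all zeros, with 14 such 32-byte inputs for Curve25519, and on whether the receiver's zero check is a MUST or a MAY. The code below implements the RFC 7748 X25519 ladder in pure Python, derives the five canonical low-order u-coordinates (0, 1, p-1 and the two order-8 values; the algebra for the order-8 values is this example's own, not something the thread states), enumerates the 14 byte encodings that map to them, and shows the all-zero check rejecting every one while a normal exchange passes. Function names and the derivation are assumptions of this example; the keys are the RFC 7748 section 6.1 test vectors.

```python
# Added example: RFC 7748 X25519 in pure Python, the 14 low-order inputs, and
# the all-zero output check. Reference code only: the swap and the inversion
# are not constant time, so do not use this outside a demonstration.
P = 2**255 - 19            # field prime of Curve25519
A = 486662                 # Montgomery coefficient: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4         # = 121665, the ladder constant

def decode_scalar(k):
    """Clamp a 32-byte private key as RFC 7748 section 5 prescribes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u(u):
    """Decode a 32-byte u-coordinate: top bit masked, value not reduced mod p."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")

def x25519(k, u):
    """X25519(k, u) by the RFC 7748 section 5 Montgomery ladder."""
    k, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                               # conditional swap (not constant time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # k*P = identity leaves z2 == 0, and 0^(p-2) = 0, so the output is all zeros
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_checked(k, peer_u):
    """X25519 plus the all-zero output check of RFC 7748 section 6.1."""
    shared = x25519(k, peer_u)
    if shared == bytes(32):    # peer value is public, so a plain compare is fine
        raise ValueError("peer point is in the small subgroup; shared secret is zero")
    return shared

def sqrt_mod_p(a):
    """Square root mod p for p = 5 (mod 8); None if a is a non-residue."""
    x = pow(a, (P + 3) // 8, P)
    if (x * x - a) % P == 0:
        return x
    x = x * pow(2, (P - 1) // 4, P) % P      # multiply by sqrt(-1)
    return x if (x * x - a) % P == 0 else None

def low_order_u_coordinates():
    """Canonical u of every point of order 2, 4 or 8 on Curve25519 or its twist.
    u = 0 (order 2), u = 1 and u = p-1 (order 4). An order-8 point P has
    u(2P) = 1, i.e. (u^2-1)^2 = 4u(u^2+Au+1); with t = u + 1/u and s = sqrt(A+2)
    this is t = 2 + 2s, u = 1 + s +/- sqrt(s^2 + 2s), for the sign of s that
    makes s^2 + 2s a square (this derivation is the example's own)."""
    us = {0, 1, P - 1}
    s = sqrt_mod_p(A + 2)
    assert s is not None
    for ss in (s, P - s):
        w = sqrt_mod_p((ss * ss + 2 * ss) % P)
        if w is not None:
            us.update({(1 + ss + w) % P, (1 + ss - w) % P})
    assert len(us) == 5
    return sorted(us)

def low_order_encodings():
    """Every 32-byte string X25519 maps to a low-order point: the canonical
    value, u+p when it still fits in 255 bits, and each with the masked top bit set."""
    encs = set()
    for u in low_order_u_coordinates():
        for v in (u, u + P):
            if v < 2**255:
                encs.add(v.to_bytes(32, "little"))
                encs.add((v | 2**255).to_bytes(32, "little"))
    return sorted(encs)

def rejects(k, peer_u):
    """True if the checked exchange refuses this peer value."""
    try:
        x25519_checked(k, peer_u)
        return False
    except ValueError:
        return True

# RFC 7748 section 6.1 private keys; the base point is u = 9
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BASEPOINT = (9).to_bytes(32, "little")

if __name__ == "__main__":
    bob_pk = x25519(BOB_SK, BASEPOINT)
    print("shared secret:", x25519_checked(ALICE_SK, bob_pk).hex())
    bad = low_order_encodings()
    print(len(bad), "low-order encodings, all rejected:", all(rejects(ALICE_SK, e) for e in bad))
```

Rejecting an all-zero output is equivalent to rejecting exactly these 14 input encodings, so an implementation can do either the output test shown here or a blacklist compare on the received value before the ladder; both are cheap compared to the scalar multiplication itself.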