IETF Logo Mail Archive

Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 16 November 2015 23:12 UTC

Return-Path: <prvs=8762ba2769=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF9FD1A8A3C for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 15:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.783
X-Spam-Level:
X-Spam-Status: No, score=-4.783 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkm9RA9QmFyD for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 15:12:30 -0800 (PST)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id B917F1A8A41 for <cfrg@irtf.org>; Mon, 16 Nov 2015 15:12:30 -0800 (PST)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id tAGNCTsu006524; Mon, 16 Nov 2015 18:12:29 -0500
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
Thread-Index: AQHRIMRCmwKa0SGTvEuqAqV7Lf3WUw==
Date: Mon, 16 Nov 2015 23:12:27 +0000
Message-ID: <D26FCB5D.2261F%uri@ll.mit.edu>
References: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com>
In-Reply-To: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3530542334_68145824"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2015-11-16_15:2015-11-16,2015-11-16,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1511160351
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Vl4Cj_Mri32oGlRxBwzU-rXqD5M>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2015 23:12:32 -0000

On one hand, an RFC describes a protocol, not an implementation. On the
other hand, having an implementation that does not check for zero in DH
sounds strange, to say the least.

If you don’t want to use the IETF term “MUST” (or “SHOULD”), perhaps you
can just say that “not checking for zero can lead to catastrophic security
failures, and it is responsibility of the application developer to make
sure it doesn’t happen”…
-- 
Regards,
Uri Blumenthal





On 11/16/15, 18:03 , "Cfrg on behalf of Adam Langley"
<cfrg-bounces@irtf.org on behalf of agl@imperialviolet.org> wrote:

>At the moment, the curves draft says that implementations MUST check
>for the all-zero output and abort if it's found, at least in
>Diffie-Hellman. The all-zero output results when the input point has
>small order and this sort of thing has, in the past, broken at least
>Tor and TLS channel bindings.
>
>While reactions on the list were ambivalent to the suggestion, I had
>hoped that implementations would take this requirement as a simple
>defence-in-depth measure in keeping with the general robustness theme
>of this work.
>
>I was mistaken. It's since become clear that some disagree
>sufficiently strongly about this that we aren't going to see a
>realignment of implementations around this behaviour. While I still
>think that it's a sensible requirement, RFCs that are prescriptive
>rather than descriptive are terrible and so I currently hope to switch
>from MUST to MAY once the draft has completed the editor's queue.
>Instead, some wording would be added to the Security Considerations
>section.
>
>This change contains the accumulation of tweaks that I currently have
>saved up, including this one:
>https://github.com/agl/cfrgcurve/commit/c7749d4bb5ceabdb30f211d4aaa6df2b68
>d7c5e1
>
>This email is notice that I currently plan on making this change. Note
>that the question here isn't whether the zero check is a good idea or
>not. Rather it's that, given that a non-trivial number of
>implementations aren't going to implement it, what's the best thing to
>write?
>
>
>Cheers
>
>AGL
>
>-- 
>Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email