Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
Watson Ladd <watsonbladd@gmail.com> Tue, 17 November 2015 14:31 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA3161B32E3 for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2015 06:31:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHbyR8kjqkyB for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2015 06:31:06 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18EC11B32DC for <cfrg@irtf.org>; Tue, 17 Nov 2015 06:31:06 -0800 (PST)
Received: by wmvv187 with SMTP id v187so230372573wmv.1 for <cfrg@irtf.org>; Tue, 17 Nov 2015 06:31:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YxTfiSYNU5+ebB7gB/kFKA5XbSyDL6O5N7FnvIcq40k=; b=s2oIAOQ/1r7d9RIo4SLpCzBUu/VcbtLWSjfm4Fbj94mwwAR70n1lbIgiLhW/hmCoBf kB5avTlgn6osBTKkP9Hmxmd+H+4tfG/LglWYAxeJG7DlSu171cqneU0R2VKDbOp2acup vHUEmzXeOtVVtLB4C0bszQNNfys0kCx5p7LXVbFTVA3EeD46BB0EOUsXf47nQQyjSeTA ldd2PKYZHZmDURmakjww4eucRdwnS1T0rbKUHOg1YwPZVznvZB6iykDSYtVnMvwYz9ET iDbwSaHPKLqaLs6/l9rDSIxeJfXpyxxa/dstfJvUb4BhB1FznpNyYJAlt2PwA2xA7FmU 6KXA==
MIME-Version: 1.0
X-Received: by 10.194.239.104 with SMTP id vr8mr41945123wjc.64.1447770664511; Tue, 17 Nov 2015 06:31:04 -0800 (PST)
Received: by 10.28.102.84 with HTTP; Tue, 17 Nov 2015 06:31:04 -0800 (PST)
In-Reply-To: <20151117141554.DB40B60356@jupiter.mumble.net>
References: <19090157-473E-4F19-BECE-0CB9955233C9@shiftleft.org> <20151117141554.DB40B60356@jupiter.mumble.net>
Date: Tue, 17 Nov 2015 09:31:04 -0500
Message-ID: <CACsn0c=PnnkNV3m4duxM-ewL9LoCuudzkEbuSSvW-eeB6_88QA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/d1ZnJ8XbD5KYtixW0LgqklDw6V8>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 14:31:08 -0000
On Tue, Nov 17, 2015 at 9:16 AM, Taylor R Campbell <campbell+cfrg@mumble.net> wrote: > Date: Mon, 16 Nov 2015 18:29:42 -0800 > From: Mike Hamburg <mike@shiftleft.org> > > > On Nov 16, 2015, at 18:01, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > > > > Is there a mechanism that would allow an attacker to force use of > > all zeros? > > Yes, an attacker can easily force it by sending specific values of > g^x, most of which cannot be produced by a legitimate > implementation. There are something like 5 such values for > curve448 and 14 such values for curve25519. > > A malicious peer can do that, but so what? A malicious peer can also > use a secret key k known to an eavesdropper, and send k*B where B is > the standard base point. Then the eavesdropper seeing the good guy's > public key h*B over the wire can readily predict k*h*B and find the > session key. A malicious peer could also email the session transcript > to the eavesdropper. > > What is the serious attack that is prevented by a zero check? It > seems to me an answer to that question is more important than the > choice of verb. Some protocols require contributory behavior from DH exchanges. Examples include TLS. Most protocol designers understood how to avoid this, but TLS was not designed by a cryptographer. This went unnoticed until very recently, when it was exploited in the Triple-Handshake attack. > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] Switching the zero-check from MUST to MAY … Adam Langley
- Re: [Cfrg] Switching the zero-check from MUST to … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Switching the zero-check from MUST to … Deirdre Connolly
- Re: [Cfrg] Switching the zero-check from MUST to … Phillip Hallam-Baker
- Re: [Cfrg] Switching the zero-check from MUST to … Mike Hamburg
- Re: [Cfrg] Switching the zero-check from MUST to … Taylor R Campbell
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd
- Re: [Cfrg] Switching the zero-check from MUST to … Phillip Hallam-Baker
- Re: [Cfrg] Switching the zero-check from MUST to … Adam Langley
- Re: [Cfrg] Switching the zero-check from MUST to … Deirdre Connolly
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Greg Hudson
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd