Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

Deirdre Connolly <durumcrustulum@gmail.com> Mon, 16 November 2015 23:46 UTC

References: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com> <D26FCB5D.2261F%uri@ll.mit.edu>
In-Reply-To: <D26FCB5D.2261F%uri@ll.mit.edu>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Mon, 16 Nov 2015 23:46:46 +0000
Message-ID: <CAFR824wRO9mPGmkPhjA9bR5QTkrZ-OVRZsmoiPjBR2-kVrCHDw@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/k_2tXXpGciuvVJ-JaMv99Gx5CZo>

I think that your description fits 'SHOULD' more than 'MAY', given that the
expanded Security Considerations imply that "the full implications must be
understood and carefully weighed" before not checking for an all-zero
output.

On Mon, Nov 16, 2015 at 6:12 PM Blumenthal, Uri - 0553 - MITLL <
uri@ll.mit.edu> wrote:

> On one hand, an RFC describes a protocol, not an implementation. On the
> other hand, having an implementation that does not check for zero in DH
> sounds strange, to say the least.
>
> If you don’t want to use the IETF term “MUST” (or “SHOULD”), perhaps you
> can just say that “not checking for zero can lead to catastrophic security
> failures, and it is the responsibility of the application developer to make
> sure it doesn’t happen”…
> --
> Regards,
> Uri Blumenthal
>
> On 11/16/15, 18:03 , "Cfrg on behalf of Adam Langley"
> <cfrg-bounces@irtf.org on behalf of agl@imperialviolet.org> wrote:
>
> >At the moment, the curves draft says that implementations MUST check
> >for the all-zero output and abort if it's found, at least in
> >Diffie-Hellman. The all-zero output results when the input point has
> >small order and this sort of thing has, in the past, broken at least
> >Tor and TLS channel bindings.
> >
> >While reactions on the list were ambivalent to the suggestion, I had
> >hoped that implementations would take this requirement as a simple
> >defence-in-depth measure in keeping with the general robustness theme
> >of this work.
> >
> >I was mistaken. It's since become clear that some disagree
> >sufficiently strongly about this that we aren't going to see a
> >realignment of implementations around this behaviour. While I still
> >think that it's a sensible requirement, RFCs that are prescriptive
> >rather than descriptive are terrible and so I currently hope to switch
> >from MUST to MAY once the draft has completed the editor's queue.
> >Instead, some wording would be added to the Security Considerations
> >section.
> >
> >This change contains the accumulation of tweaks that I currently have
> >saved up, including this one:
> >
> >https://github.com/agl/cfrgcurve/commit/c7749d4bb5ceabdb30f211d4aaa6df2b68d7c5e1
> >
> >This email is notice that I currently plan on making this change. Note
> >that the question here isn't whether the zero check is a good idea or
> >not. Rather it's that, given that a non-trivial number of
> >implementations aren't going to implement it, what's the best thing to
> >write?
> >
> >
> >Cheers
> >
> >AGL
> >
> >--
> >Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
> >
> >_______________________________________________
> >Cfrg mailing list
> >Cfrg@irtf.org
> >https://www.irtf.org/mailman/listinfo/cfrg
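As an added example (not code from the thread, the curves draft or its authors), here is the draft's X25519 ladder (published as RFC 7748) in pure Python, with the all-zero check that the thread discusses applied in a wrapper. The small-order u encodings and the scalars are constructed inputs; the ladder is not constant-time and is for illustration only.

```python
P = 2**255 - 19                        # Curve25519 field prime
A24 = 121665                           # (A - 2) / 4 for A = 486662
BASE_U = (9).to_bytes(32, "little")    # the X25519 base point's u-coordinate

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248                        # make the scalar a multiple of the cofactor 8
    k[31] = (k[31] & 127) | 64         # clear bit 255, set bit 254
    return int.from_bytes(k, "little")

def x25519_unchecked(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder with no output validation (not constant-time)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)   # mask the high bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # A small-order peer point drives the ladder to infinity (z2 == 0); 0**(p-2) == 0, so the "secret" is 32 zero bytes.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_checked(scalar: bytes, u_bytes: bytes) -> bytes:
    """The draft's MUST behaviour: abort instead of returning an all-zero secret."""
    out = x25519_unchecked(scalar, u_bytes)
    if out == bytes(32):
        raise ValueError("all-zero X25519 output: peer point has small order")
    return out
def rejected(scalar: bytes, u_bytes: bytes) -> bool:
    try:                               # True when the checked variant aborts on this input
        x25519_checked(scalar, u_bytes)
        return False
    except ValueError:
        return True
# Constructed inputs: the well-known small-order u encodings 0, 1, p-1, p and p+1
SMALL_ORDER_U = [v.to_bytes(32, "little") for v in (0, 1, P - 1, P, P + 1)]
```

With any clamped scalar, every entry of SMALL_ORDER_U yields the same all-zero output, which is why the output carries no secret and why a protocol that binds to it (as Tor and TLS channel bindings did) loses its guarantee.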