Re: [Cfrg] Point validation in TLS 1.3

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 30 November 2016 11:27 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Eric Rescorla <ekr@rtfm.com>, cfrg <cfrg@irtf.org>
Date: Wed, 30 Nov 2016 11:27:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oiHt2cBZM-xRuAWEm63QeB7SJpI>

Hi Eric,

Thanks for giving CFRG the chance to comment on this.

From a technical perspective, this looks like an accurate translation of
existing best practice to me.

Any other comments from the group?

Cheers

Kenny 

On 29/11/2016 22:52, "Cfrg on behalf of Eric Rescorla"
<cfrg-bounces@irtf.org on behalf of ekr@rtfm.com> wrote:

>Hi CFRG folks,
>
>
>Matt Green has submitted a pull request to require validation for ECDHE
>(TLS 1.3 already requires it for FFDHE). We wanted to make sure the CFRG
>was aware of this and see if there were objections.
>
>
>PR is here:
>https://github.com/tlswg/tls13-spec/pull/763
>
>
>
>Text:
>For the curves secp256r1, secp384r1 and secp521r1, the appropriate
>validation procedures are defined in Section 4.3.7 of {{X962}} and
>alternatively in Section 5.6.2.6 of {{KEYAGREEMENT}}.  This process
>consists of three steps: (1) verify that Y is not the point at
>infinity (O), (2) verify that for Y = (x, y) both integers are in the
>correct interval, (3) ensure that (x, y) is a correct solution to the
>elliptic curve equation.  For these curves, implementers do not need
>to verify membership in the correct subgroup.
>
>
>For x25519 and x448, the contents of the public value are the byte
>string inputs and outputs of the corresponding functions defined in
>{{RFC7748}}, 32 bytes for x25519 and 56 bytes for x448. Peers SHOULD
>use the approach specified in {{RFC7748}} to calculate the
>Diffie-Hellman shared secret, and MUST check whether the computed
>Diffie-Hellman shared secret is the all-zero value and abort if so, as
>described in Section 6 of {{RFC7748}}. If implementers use an
>alternative implementation of these elliptic curves, they should
>perform the additional checks specified in Section 7 of {{RFC7748}}.
>
>
>
>Thanks in advance for your input,
>-Ekr
>
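
The three-step check quoted above for secp256r1, plus the all-zero shared-secret check for x25519, as an added example that is not part of the original message or of the pull request. The function names are hypothetical; the sketch assumes the peer's share arrives as a 65-byte uncompressed point (0x04 || X || Y) and that the x25519 shared secret was computed elsewhere by an RFC 7748 implementation.

```python
import hmac

# secp256r1 (NIST P-256) domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point G, used here only as a known-valid sample share.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def encode_uncompressed(x, y):
    """Build the assumed wire format: 0x04 || X || Y, 32 bytes per coordinate."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def validate_p256_key_share(data):
    """Return (x, y) if the peer's share passes all three steps, else raise."""
    # Step 1: Y must not be the point at infinity. It has no affine
    # coordinates, so it cannot appear in the 65-byte form; its one-byte
    # encoding 0x00 and every other malformed length are rejected here.
    if data == b"\x00":
        raise ValueError("point at infinity")
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("not an uncompressed secp256r1 point")
    x = int.from_bytes(data[1:33], "big")
    y = int.from_bytes(data[33:], "big")
    # Step 2: both integers must lie in [0, p-1]. Without this, x = p would
    # be silently reduced to 0 by the modular arithmetic in step 3.
    if x >= P or y >= P:
        raise ValueError("coordinate outside [0, p-1]")
    # Step 3: (x, y) must satisfy y^2 = x^3 + ax + b (mod p).
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    # No subgroup check follows: the quoted text says it is not needed
    # for these curves.
    return x, y


def check_x25519_shared_secret(shared):
    """Abort on the all-zero x25519 output, compared in constant time."""
    if len(shared) != 32:
        raise ValueError("x25519 shared secret must be 32 bytes")
    if hmac.compare_digest(shared, bytes(32)):
        raise ValueError("all-zero x25519 shared secret")
    return shared
```
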