Re: [TLS] What would make TLS cryptographically better for TLS 1.3

[Robert Ransom <rransom.8774@gmail.com>]

On 11/1/13, Dan Harkins <dharkins@lounge.org> wrote:
>
>
> On Fri, November 1, 2013 4:13 pm, Nico Williams wrote:

>> Agreed.  A small nonce should suffice for key derivation if either party
>> reuses their supposedly-ephemeral DH keys.  By "small" I mean "not
>> nearly as large as 32 bytes, i.e., not enough to suffice for a
>> Dual_EC-type backdoored RNG attack".  The party reusing a key should
>> send some such small nonce, possibly a 64-bit nonce.  In any case, the
>> client ought not be reusing ephemeral DH keys, and any server that does
>> should be rotating them often (like SSHv1 used to).
>
>   It has nothing to do with key derivation, it's to prevent a small
> sub-group
> attack. Sending a nonce does not prevent this attack since it's just going
> to
> be another known for the attacker to use when running through the small
> sub-group looking the right secret.

Small-subgroup attacks are entirely orthogonal to whether a server can
be caused to reuse a session key.  (Reusing a session key destroys the
security properties of many bulk encryption methods, including all
stream ciphers, regardless of whether the server's DH secret key is
disclosed.)

>>> regardless of whether a nonce is sent or not.
>>
>> For some curves there's no need to validate the client's public key.
>
>   Which curves would those be?

Curve25519 ECDH implementations which follow the specification in Dr.
Bernstein's paper do not leak any information about the server's
secret key under any active attack.  They prevent small-subgroup
attacks by using the Montgomery ladder on a curve with a secure
quadratic twist, and by generating all secret keys to be divisible by
8 (the LCM of the orders of small subgroups).


Robert Ransom