Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Watson Ladd <watsonbladd@gmail.com> Tue, 22 December 2015 21:51 UTC


On Dec 22, 2015 4:15 PM, "Brian Smith" <brian@briansmith.org> wrote:
>
> The current draft [1] says:
>
>     Other than this recommended check, implementations do
>     not need to ensure that the public keys they receive
>     are legitimate: this is not necessary for security
>     with Curve25519.
>
> However, Thai Duong (of BEAST fame, among other things) wrote that TLS
> 1.2 and below do seem to benefit from public key validation in "Why not
> validate Curve25519 public keys could be harmful" [2]. Watson Ladd had also
> pointed out many times on this list that TLS is one protocol where
> contributory behavior is required.
>
> DJB himself had also pointed out that some protocols do
> require public key validation with Curve25519 "to ensure 'contributory'
> behavior" in [3]. Thus, the statement in draft-ietf-tls-curve25519-01 that
> "this is not necessary for security with Curve25519" in the current draft
> is clearly overly general and misleading.
>
> In particular, I noticed that the text in draft-ietf-tls-curve25519-01
> section 2.3 focuses a lot on attacks that reveal the private key. However,
> what about other attacks? In particular, I think that, at the very least,
> the relevance or irrelevance to TLS of the key dictation attack that Thai
> brought up, and the need or non-need for checking that the agreed value is
> zero (basically the same thing), should be mentioned in the draft's
> security considerations.

Textbook DH does not ensure contributory behavior. Applications don't
implement the required checks for poorly designed protocols. If we insert
checks, applications which fail to make those checks will be vulnerable,
while fixing protocols closes the hole.
>
> [1] https://tools.ietf.org/html/draft-ietf-tls-curve25519-01#section-2.3
> [2] http://vnhacker.blogspot.com/2015/09/why-not-validating-curve25519-public.html
> [3] http://cr.yp.to/ecdh.html#validate
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>