Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
Watson Ladd <watsonbladd@gmail.com> Tue, 22 December 2015 21:51 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9B2C1A90CA for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 13:51:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bKsqxqzsDKAe for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 13:51:42 -0800 (PST)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEEAC1A90BF for <tls@ietf.org>; Tue, 22 Dec 2015 13:51:41 -0800 (PST)
Received: by mail-yk0-x236.google.com with SMTP id 140so177467543ykp.0 for <tls@ietf.org>; Tue, 22 Dec 2015 13:51:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=1hB/c98pFwYFFeKc3kAGXtoqfflVHfPVdH/UUxJsrzA=; b=EcQaRX6ggsicGuGDpXJNJ3RNCIFPx8Cq53LWjTAKGaavpdTw2Ldx5Z5aKiWS+1gWLC M7Sn5/5eFcjOiRk5zN9+v4CqTgW0MqGQBVGi5iWCv6qhUcrx4MRPEYoji5jxcw/2UqFj BwQlDW+O9MDAbhWZp7MzCIo+Y0bl3C0XpdWzA7bQzydD6xeZLhF89pJ8kv9Ybt6tofFw LYFh9HVGQD3rW39WEpyPWw6kUQR2+8J4tbw4e5me9oPx+1xhm2g2OHOFKgjpvlV29OWU qqFI/GVbsLUQVYsB+mXJTFyL8P6WuH/EkCYqiaN11GXrfSy7yiIBh84VBEkQ8cJWhMfR TCEA==
MIME-Version: 1.0
X-Received: by 10.13.226.137 with SMTP id l131mr24005431ywe.239.1450821101117; Tue, 22 Dec 2015 13:51:41 -0800 (PST)
Received: by 10.129.148.131 with HTTP; Tue, 22 Dec 2015 13:51:40 -0800 (PST)
Received: by 10.129.148.131 with HTTP; Tue, 22 Dec 2015 13:51:40 -0800 (PST)
In-Reply-To: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com>
References: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com>
Date: Tue, 22 Dec 2015 16:51:40 -0500
Message-ID: <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary="001a114fe2525d67b90527839c8b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0ndkfVLnIFbaDBasHRokuizC-wU>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 21:51:44 -0000
On Dec 22, 2015 4:15 PM, "Brian Smith" <brian@briansmith.org> wrote: > > The current draft [1] says: > > Other than this recommended check, implementations do > not need to ensure that the public keys they receive > are legitimate: this is not necessary for security > with Curve25519. > > However, Thai Duong (of BEAST fame, among other things) wrote that TLS 1.2 and below do seem to benefit from public key validation in "Why not validate Curve25519 public keys could be harmful" [2]. Watson Ladd had also pointed out many times on this list that TLS is one protocol where contributory behavior is required. > > DJB himself had also pointed out did point out that some protocols do require public key validation with Curve25519 "to ensure 'contributory' behavior" in [3]. Thus, the statement in draft-ietf-tls-curve25519-01 that "this is not necessary for security with Curve25519" in the current draft is clearly overly general and misleading. > > In particular, I noticed that the text in draft-ietf-tls-curve25519-01 section 2.3 focuses a lot on attacks that reveal the private key. However, what about other attacks? In particular, I think that, at the very least, the relevance or irrelevance to TLS of the key dictation attack that Thai brought up, and the need or non-need for checking that the agreed value is zero (basically the same thing), should be mentioned in the draft's security considerations. Textbook DH does not ensure contributory behavior. Applications don't implement the required checks for poorly designed protocols. If we insert checks, applications which fail to make those checks will be vulnerable, while fixing protocols closes the hole. > > [1] https://tools.ietf.org/html/draft-ietf-tls-curve25519-01#section-2.3 > [2] http://vnhacker.blogspot.com/2015/09/why-not-validating-curve25519-public.html > [3] http://cr.yp.to/ecdh.html#validate > > Cheers, > Brian > -- > https://briansmith.org/ > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] draft-ietf-tls-curve25519-01: Is public key… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Watson Ladd
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Martin Thomson
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Martin Thomson
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Martin Thomson
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Karthikeyan Bhargavan
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Kurt Roeckx
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Martin Thomson
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Watson Ladd
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Eric Rescorla
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Watson Ladd
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Adam Langley
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Brian Smith
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Alyssa Rowan
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Jeffrey Walton
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Eric Rescorla
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Adam Langley
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Eric Rescorla
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Martin Thomson
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Eric Rescorla
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Eric Rescorla
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- [TLS] TCP Keep Alive Question: draft-ietf-tls-tls… nalini.elkins
- Re: [TLS] TCP Keep Alive Question: draft-ietf-tls… Watson Ladd
- Re: [TLS] TCP Keep Alive Question: draft-ietf-tls… nalini.elkins
- Re: [TLS] TCP Keep Alive Question: draft-ietf-tls… Roland Zink
- Re: [TLS] TCP Keep Alive Question: draft-ietf-tls… nalini.elkins
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-curve25519-01: Is public… Watson Ladd