Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Watson Ladd <watsonbladd@gmail.com> Thu, 31 December 2015 02:16 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/30qOawjgnARDpduHu0w98c-V1Tw>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith <brian@briansmith.org> wrote:
> Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> Why not hash the public values into the result of the key exchange? I
>> don't want security to depend on omittable checks.
>
>
> One would need an omittable check in the code to decide whether to do that
> extra hashing, so that wouldn't solve the (non-)problem of "omittable
> checks".
>
> Similarly, one would need an omittable check to decide whether to require
> the session hash extension, so it wouldn't solve the (non-)problem of
> "omittable checks".
>
> Actually, because the check for non-zero result can/should/is in the
> X25519/X448 functions themselves, the check for non-zero result is the least
> likely of all these possible solutions to be omitted. And, it is also the
> easiest to test.

Failure to compute H(A, B, X25519(a, B)) would result in an
interoperability failure with any other implementation of this
ciphersuite. By contrast, a zero check will not be exercised by basic
interoperability testing, nor would mandatory use of session hash.

All currently existing implementations of the X25519 function do not
perform zero checks. Ones that do have to return a value, which can
easily be ignored. Short of calling abort there is no way for
implementors of cryptographic functions to ensure that callers pay
attention to return values.

>
> Cheers,
> Brian
> --
> https://briansmith.org/
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
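To make the two options under discussion concrete, here is an added example that is not part of the thread or of any poster's code: a pure-Python X25519 following RFC 7748, the all-zero output check Brian refers to (which a caller can silently skip), and the public-value hashing Watson proposes (which a peer cannot skip without deriving a different key). The key-pair and shared-secret vectors are the ones in RFC 7748 section 6.1; the choice of SHA-256 as H and the (A, B) ordering are assumptions.

```python
# Added example, not from the thread. Educational only: this ladder is
# not constant-time and must not be used as a production X25519.
import hashlib

P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4 for curve25519
BASE = (9).to_bytes(32, "little")  # standard base point u = 9

def decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamping, RFC 7748 s.5
    return int.from_bytes(k, "little")

def x25519(k, u):
    """Montgomery ladder of RFC 7748 section 5; returns 32 bytes."""
    k = decode_scalar(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # A low-order peer point drives z2 to 0, so the result is all zero.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared_secret(my_priv, peer_pub):
    """The omittable check: a caller can ignore this and use the zeros."""
    s = x25519(my_priv, peer_pub)
    if s == bytes(32):
        raise ValueError("all-zero shared secret: low-order peer point")
    return s

def derive_key(pub_a, pub_b, secret):
    """H(A, B, X25519(a, B)) with SHA-256 as H (assumption). Both sides must
    use the same ordering; a peer that skips this step cannot interoperate."""
    return hashlib.sha256(pub_a + pub_b + secret).digest()
```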