Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 29 December 2015 20:10 UTC
As mentioned before, validating Curve25519 public values is necessary in TLS 1.2 without session hash. Otherwise, as we pointed out in [1], the triple handshake attack returns.

[1] http://www.internetsociety.org/doc/verified-contributive-channel-bindings-compound-authentication

> On 29 Dec 2015, at 21:05, Brian Smith <brian@briansmith.org> wrote:
>
> On Tue, Dec 22, 2015 at 2:09 PM, Brian Smith <brian@briansmith.org> wrote:
> If an implementation only implements ECDHE cipher suites then implementing the session hash extension is not necessary, according to RFC 7627. I believe there are also a few other factors that would cause implementing the session hash extension to be unnecessary.
>
> If checking that the shared value isn't zero is sufficient, and/or blacklisting the public values that DJB mentions in [1] is sufficient, either would be better than mandating the implementation of the session hash extension just for this purpose.
>
> Actually, the check for a result of zero is already required in the current CFRG draft; see [1]. So, I think that the easiest way to fix the TLS draft is to just delete the misleading text.
>
> [1] https://tools.ietf.org/html/draft-irtf-cfrg-curves-11#section-6.1
>
> Cheers,
> Brian
> --
> https://briansmith.org/