Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 29 December 2015 20:10 UTC

From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Tue, 29 Dec 2015 22:10:47 +0200
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7-m84CipG8zSS_dpzqtWGPqedEU>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

As mentioned before, validating Curve25519 public values is necessary in TLS 1.2 without session hash.
Otherwise, as we pointed out in [1], the triple handshake attack returns.

[1] http://www.internetsociety.org/doc/verified-contributive-channel-bindings-compound-authentication

> On 29 Dec 2015, at 21:05, Brian Smith <brian@briansmith.org> wrote:
> 
> On Tue, Dec 22, 2015 at 2:09 PM, Brian Smith <brian@briansmith.org> wrote:
> If an implementation only implements ECDHE cipher suites then implementing the session hash extension is not necessary, according to RFC 7627. I believe there are also a few other factors that would make implementing the session hash extension unnecessary.
> 
> If checking that the shared value isn't zero is sufficient, and/or blacklisting the public values that DJB mentions in [1] is sufficient, either would be better than mandating the implementation of the session hash extension just for this purpose.
> 
> Actually, the check for a result of zero is already required in the current CFRG draft; see [1]. So, I think that the easiest way to fix the TLS draft is to just delete the misleading text.
> 
> [1] https://tools.ietf.org/html/draft-irtf-cfrg-curves-11#section-6.1
> Cheers,
> Brian
> --
> https://briansmith.org/
> 