IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Bodo Moeller <bmoeller@acm.org> Thu, 26 June 2014 16:17 UTC

Return-Path: <SRS0=59t6=3X=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03AD71B2C01 for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 09:17:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.421
X-Spam-Level:
X-Spam-Status: No, score=0.421 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oMDJKgWeyHYS for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 09:17:49 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.187]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED51C1B305F for <tls@ietf.org>; Thu, 26 Jun 2014 08:27:43 -0700 (PDT)
Received: from mail-yh0-f47.google.com (mail-yh0-f47.google.com [209.85.213.47]) by mrelayeu.kundenserver.de (node=mreue004) with ESMTP (Nemesis) id 0MVqDE-1XBC3J1XKa-00X7kh; Thu, 26 Jun 2014 17:27:41 +0200
Received: by mail-yh0-f47.google.com with SMTP id v1so2195742yhn.6 for <tls@ietf.org>; Thu, 26 Jun 2014 08:27:40 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.36.45 with SMTP id v33mr22866971yha.129.1403796460436; Thu, 26 Jun 2014 08:27:40 -0700 (PDT)
Received: by 10.170.83.215 with HTTP; Thu, 26 Jun 2014 08:27:40 -0700 (PDT)
In-Reply-To: <CACsn0c=-BrTjvf2P+TmnGqJZrU0tn_oLoPqk7nmUm-+HkZfALg@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <CADMpkc+S927gY20vwaqviGo2ULpPi1pBvrxYOv_e5ffUj7bJKg@mail.gmail.com> <CACsn0c=-BrTjvf2P+TmnGqJZrU0tn_oLoPqk7nmUm-+HkZfALg@mail.gmail.com>
Date: Thu, 26 Jun 2014 17:27:40 +0200
Message-ID: <CADMpkc+OnibMH-pup9FWycMN6Af8sKzM1RwAtfyX9xOg7CruWw@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="089e0160bc685c851204fcbed5c4"
X-Provags-ID: V02:K0:mfn4FG15A632/2wngEqy3P9/4wDwBkSgSVZxJxdJeOV lWk609X9vykxLIAF14wgt9C34rEWoiPA9PtPkNNFrU0uARCI+l NNBDmjL6SVqmBRq4sJtHDqqRtOui5+6kgK0F2RbyGRHQSTZ1ur w4Qnp+mlya/zfvQ/MISX4EdOlHqjz2JBvR58iYK1QO0vG93aMw kkjNWEcxHm2mjiem+6VCjujZU0pGJiiajU/TYxKpfoy2Cmi5ND DTwPGq4j4FWoSL7rzPIHA7tV0Z8FI8yGxHi7iYtKEaijUuAxmH +wIyLXr7xVZ62v+LgOM+mDTAMIW7G6Y60ovVFBGMn0aEhMa2se 8Ve+xBSrI5+/bzVexs46uxocS7Lto4OZTqkNNaVsh+vA0nSr7S 5gfP+VsJzHjjFRNdIxc30rs+YvwsmcLxyS9+Ng5azmJVflQTFq Vry5v
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9pxSjPld8XmP3CKJDYdRuJ5-jtQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 20:39:21 -0000

Watson Ladd <watsonbladd@gmail.com>:

>> Alternatively we can compute the premaster secret as the hash of H(ag
> >> | bg | abg): I have not yet confirmed that this solves the problem.
>


> > Hm, this looks like something that rather belongs into the premaster
> secret
> > => master secret step.  If you have this there (such as when you're using
> > the proposed Extended Master Secret Extension
> > [draft-bhargavan-tls-session-hash-00]), including the public keys here
> too
> > would be redundant.  If you'd normally be doing a public-key check or an
> > ECDH result check, you could just skip this check if the protocol no
> longer
> > has a need for such protection.  In contrast, if you hash those
> additional
> > inputs when computing the premaster secret, that's not something you
> could
> > remove without affecting compatibility.
>


> Yes, we could make EMSE a dependency of Curve25519. Or we could change
> the way we compute
> the PMS to avoid doing this: I proposed this solution because its very
> simple for some implementations.
>
> What do we gain from having the PMS calculated the same way for each curve?
>

My argument wasn't about doing things the same way for each curve. What I
don't like is introducing overhead (hashing an input at the premaster
secret level that we'll be hashing at the master secret level too, in
certain protocol variants) that could be avoided by using your other
proposal, a Curve25519-specific check.

(For many hashes, it would be actual computational overhead because those
two public keys are large enough to take up an additional input block.)

v2.23.0 | Report a Bug | By Email