Re: [TLS] TLS 1.3 ECC Private Key Compromise? (was Re: Un-deprecating everything TLS 1.2)

Christopher Patton <cpatton@cloudflare.com> Tue, 06 October 2020 23:11 UTC

References: <eb32ba5a-8ea7-efb7-584d-0d0521d16f59@pobox.com> <0E05019B-32FF-4A0C-9AB5-E25544CA952D@akamai.com> <CAG2Zi21fDe-i4VauFv1KZWsBoSyCwtsx4APPAw9ceMnL6ZWSnQ@mail.gmail.com> <8a468f58-2da1-ee81-9f21-f8c76255c988@pobox.com> <CAG2Zi23LMfFYDjhJ_cXniqSuNVWPuiBoB6St1nMiWLFnA-Wz_w@mail.gmail.com> <51a02fc4-92f9-93dc-c60c-bfeed505d74e@pobox.com> <2c875954-e068-1c59-9eb7-f45dd68e61db@pobox.com>
In-Reply-To: <2c875954-e068-1c59-9eb7-f45dd68e61db@pobox.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 6 Oct 2020 16:11:28 -0700
Message-ID: <CAG2Zi200yKraR_DOJ86yvKyBDTVB-V0u_+OAMjRYOMGOOJh=Cg@mail.gmail.com>
To: "Michael D'Errico" <mike-list@pobox.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fz54vSluhqC3nPwYhR0kw5X5MVg>
Subject: Re: [TLS] TLS 1.3 ECC Private Key Compromise? (was Re: Un-deprecating everything TLS 1.2)

> > Please just tell me why I'm wrong and I'll feel
> > better since we won't have to malign another cute
> > furry animal.
>

I've told you already why I believe you're wrong here. At this point, it
won't do much good to continue posting about this on the list. My
suggestion to you is to study the problem offline, and if you find an
attack and can demonstrate that it works, then bring it back to the list. It
would also be helpful to look at implementations in order to understand how
others have interpreted the HRR code path. I bet this would clear up many
of your questions.

Chris P.