Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Brian Smith <brian@briansmith.org> Tue, 29 December 2015 19:05 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 534201A1B1D for <tls@ietfa.amsl.com>; Tue, 29 Dec 2015 11:05:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxtUmRG62fcc for <tls@ietfa.amsl.com>; Tue, 29 Dec 2015 11:05:18 -0800 (PST)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18AD81A03A2 for <tls@ietf.org>; Tue, 29 Dec 2015 11:05:18 -0800 (PST)
Received: by mail-oi0-x22e.google.com with SMTP id y66so192310252oig.0 for <tls@ietf.org>; Tue, 29 Dec 2015 11:05:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=oXi+arw/ssB4gd7pZ/bVBwSoVRJjMLOPTKI8RwLiDxg=; b=FFhD/CO15C7MwlWyfzBHvdsGGEcseJBXxhnd5gRuH0abklwPbP+2R6OcLj4IN+pCNY vKWYqOSNEDBuESdw/LLzdai7QPnHOQYGo5ATONtOPQ2paY8uu353xTBj+M2+63T8W5Gg CAiPZpj4j6bhPJ9xx1bULTWeQRw1uoyPfbQmlNzlSOk6TMJOu+JqLDsVG2rWbVwpRlgA 36ZHwKmVq+DrJdnhJMpC02QIktcfikM2DRNNvRYfKnPN6Rh9hAH6TJ2IQSw5e+9kDFMw MDy6xJTIVjJ+UGMLR8z9sQpO/46uX0K2UON0mUE7sflNKYxmUpvBk1WWSCv0DAou+nxF tw1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=oXi+arw/ssB4gd7pZ/bVBwSoVRJjMLOPTKI8RwLiDxg=; b=lvZs1u3V2fWW76Kth6gSSntLCeo6F8CFqvI08tac61yXxk/2GF8I/NQJ7lpyyLXrVk rfnNQWJBfebDqqKZhyrazxcf+ZKxn3qVQ00WyHyNHKbq4JusQpL2bL+5+wtMdIBBKUpI AmuH4KlUFrbOM01IsIufgHye07kNC8C9FNSNMrJBU1jcoGLedzSBcbW7RafOZnh5ugyA NOFxHCJvtcAGzO6xRipKi9YJJpqKJEJ89wdwnVzoju4wZ53jX+yjFOTXI1LeaNSkB3GG hgRWcnKubXYivPojspvPo8QyySm3rV90dKroXMTLPqvPUn/HY7q1QBEtaGYqSocoagN6 orEw==
X-Gm-Message-State: ALoCoQl0+m0TnqWmhcJebFGSx4LQvDvFB0t391AGC3/VCuBKwBr8FDB9bde0slhcGSL4Gge7ilA89zhhpqF8vHU1sNUI4qQeMQ==
MIME-Version: 1.0
X-Received: by 10.202.189.7 with SMTP id n7mr36975443oif.55.1451415917422; Tue, 29 Dec 2015 11:05:17 -0800 (PST)
Received: by 10.76.62.8 with HTTP; Tue, 29 Dec 2015 11:05:17 -0800 (PST)
In-Reply-To: <CAFewVt6fyqbOZfQkWY=9SM20WcrP0UhfH+3wvXjiYoTjPm2pgA@mail.gmail.com>
References: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com> <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com> <CABkgnnXQS3Ek6jDjx0aSQmaf+=EjfGWa8MG1AO4QwhJbK50VQg@mail.gmail.com> <CAFewVt4NSGDP_At8XsX4OsxSUaj_2kRyFP_keDQhfnR0=mBhrg@mail.gmail.com> <CABkgnnUq0_28U6VqE=ZPpwutOBUkTGwhxqHQOEvQve5JYfSVRA@mail.gmail.com> <CAFewVt6fyqbOZfQkWY=9SM20WcrP0UhfH+3wvXjiYoTjPm2pgA@mail.gmail.com>
Date: Tue, 29 Dec 2015 09:05:17 -1000
Message-ID: <CAFewVt5U9awAg4FbdWtXiCATd-kWttdsAwe3eWwcD5SXsKvyWQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary=001a113d70322df07505280e1a8a
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HX7Wa9tqcawB1oy_a8c4ogxujhc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Dec 2015 19:05:19 -0000

On Tue, Dec 22, 2015 at 2:09 PM, Brian Smith <brian@briansmith.org> wrote:

> If an implementation only implements ECDHE cipher suites then
> implementing the session hash extension is not necessary, according to RFC
> 7627. I believe there are also a few other factors that would implementing
> the session hash extension to be unnecessary.
>
> If checking that the shared value isn't zero is sufficient, and/or
> blacklisting the public values that DJB mentions in [1] is sufficient,
> either would be better than mandating the implementation of the session
> hash extension just for this purpose.
>

Actually, the check for a result of zero is already required in the current
CFRG draft; see [1]. So, I think that the easiest way to fix the TLS draft
is to just delete the misleading text.

[1] https://tools.ietf.org/html/draft-irtf-cfrg-curves-11#section-6.1

Cheers,
Brian
-- 
https://briansmith.org/