Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson <martin.thomson@gmail.com> Tue, 22 December 2015 23:16 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412DB1A92ED for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 15:16:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b2NIB2I-LNI6 for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1564F1A92BA for <tls@ietf.org>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
Received: by mail-ig0-x229.google.com with SMTP id jw2so68117442igc.1 for <tls@ietf.org>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=53LcV2JUnM/LXL7dPWm0CY2Q1lP3U8q+dCwGG4i/F6I=; b=ChgKIrLymlcMUs+WcfMYZCq/EYK8EyClkzrlx/QNmE60ObUhVfcyxdaEWCmZ4ufpqk G1Q/Sy4INZvSkwA/V+YjFnQoGy67h9jkh0jr1qs9hbHcLN/50ynzLqfs0DP+rNm+rBJi GYDUalShnTcwe/xYJBgg90pyoyeapCNaWRo0J1d7wOiV8Hd7HPwmovU4pgVzIH/dUeM5 aZC5NHTOXqvDucJC3JoDjJh0LDvtCsb0cbHksxY1RkQMZ3lxbKinkFMxDUmq7OtLOxq9 U+J3o3Kqc+PGqbxodYogjZLSQ/hQXbQ1P+rSzdtB1FrspMPzZhl8G9TfqSLpuPPVZ5Zj YruA==
MIME-Version: 1.0
X-Received: by 10.50.143.10 with SMTP id sa10mr6200049igb.77.1450826207501; Tue, 22 Dec 2015 15:16:47 -0800 (PST)
Received: by 10.36.149.130 with HTTP; Tue, 22 Dec 2015 15:16:47 -0800 (PST)
In-Reply-To: <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com>
References: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com> <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com>
Date: Wed, 23 Dec 2015 10:16:47 +1100
Message-ID: <CABkgnnXQS3Ek6jDjx0aSQmaf+=EjfGWa8MG1AO4QwhJbK50VQg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/IOgCw0yt9imzM0yi_q3fodAAIN0>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 23:16:49 -0000

On 23 December 2015 at 08:51, Watson Ladd <watsonbladd@gmail.com> wrote:
> Textbook DH does not ensure contributory behavior. Applications don't
> implement the required checks for poorly designed protocols. If we insert
> checks, applications which fail to make those checks will be vulnerable,
> while fixing protocols closes the hole.

I've done a fair bit of reading into this issue as well, finding
Thai's blog posting and a few other things.  As Watson says, the
protocol can be designed so that it doesn't depend on the DH exchange
providing contributory behaviour.  We should definitely do that either
way.

I understand that the checks are considered onerous by some, but I
still don't understand why anyone might refuse to do them.  Checking
that you don't get a bad output from the DH computation is a tiny
piece of code that takes almost no time at all, even if you have to
worry about doing it in constant time.