Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson <martin.thomson@gmail.com> Wed, 30 December 2015 22:55 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B009C1B29E7 for <tls@ietfa.amsl.com>; Wed, 30 Dec 2015 14:55:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8pguFUr-61P for <tls@ietfa.amsl.com>; Wed, 30 Dec 2015 14:55:11 -0800 (PST)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F9081B29E6 for <tls@ietf.org>; Wed, 30 Dec 2015 14:55:11 -0800 (PST)
Received: by mail-io0-x230.google.com with SMTP id 77so52285377ioc.2 for <tls@ietf.org>; Wed, 30 Dec 2015 14:55:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SczE7ACTkaFbSjzEREQRpZMj7vQF6jLDuz7e5CbQud0=; b=P8D5Fqki635RVfARtiC9pDDUHkLYpqDVMDPZI0CjH6P8i9YJZtoCJr9qEjuFMXmK4G y81uV7fMB2JWYy6/FO4jTuQy8yAcYZcudFmn7fB+PyUoJ85aksHV8WQgV/kde9u/VCv7 dM7WnX5VXLM99W7CA3BkytZeG+Js+K089SSLDfeN3UH1CvQNEus/Cxri93d2OnweWWps 2gtkwbPP36+JPrnWIg3wIZb0c5JCzYec+XEQ3XTgerXWx/8iphZWfj5pWHXrIrZqbI/o N9ZnbFZ0VKedTaqvGEgFezdOZIpmR9UhnXkdCo7Gl9FxgHDwsLt4zoCfJX6wfdMtY86G Kl/g==
MIME-Version: 1.0
X-Received: by 10.107.33.12 with SMTP id h12mr10860822ioh.108.1451516110695; Wed, 30 Dec 2015 14:55:10 -0800 (PST)
Received: by 10.36.149.130 with HTTP; Wed, 30 Dec 2015 14:55:10 -0800 (PST)
In-Reply-To: <20151230111631.GB23341@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com> <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com> <CABkgnnXQS3Ek6jDjx0aSQmaf+=EjfGWa8MG1AO4QwhJbK50VQg@mail.gmail.com> <CAFewVt4NSGDP_At8XsX4OsxSUaj_2kRyFP_keDQhfnR0=mBhrg@mail.gmail.com> <CABkgnnUq0_28U6VqE=ZPpwutOBUkTGwhxqHQOEvQve5JYfSVRA@mail.gmail.com> <CAFewVt6fyqbOZfQkWY=9SM20WcrP0UhfH+3wvXjiYoTjPm2pgA@mail.gmail.com> <CAFewVt5U9awAg4FbdWtXiCATd-kWttdsAwe3eWwcD5SXsKvyWQ@mail.gmail.com> <6F6EDAA8-15F2-4949-B927-4D0BD0E8FFE3@inria.fr> <20151230105207.GB6140@roeckx.be> <20151230111631.GB23341@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Thu, 31 Dec 2015 09:55:10 +1100
Message-ID: <CABkgnnV+mzt6tQbM7m2hN5Y=Qk8G1AeYtC=+Xy+e31pdEiq-pQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KDYGWFNkD34ylQMOwCAtxqnjsQo>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2015 22:55:12 -0000

On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> Would it make sense to have session hash as a requirement in TLS
>> 1.2 when you want to use Curve25519?
>
> I don't think that is reasonable.

I think that is entirely reasonable.  TLS 1.2 relies on contributory
behaviour.  25519 doesn't provide that unless you do some extra
checking that we know many implementations don't do.

I'd be OK with either requiring session hash, some checking of values,
or both.  Otherwise we create a situation where the shared secret can
be forced by an attacker.