Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

Tony Arcieri <bascule@gmail.com> Tue, 17 July 2018 15:37 UTC

References: <DE8E4C1F24911E469CC24DD4819274AA2770426C@mail-essen-01.secunet.de> <20180717155550.1a18202e@computer> <5cde94e3-416a-6773-c35c-9bb3952f5097@secunet.com>
In-Reply-To: <5cde94e3-416a-6773-c35c-9bb3952f5097@secunet.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 17 Jul 2018 08:37:16 -0700
Message-ID: <CAHOTMV+cVWv05EE4BnMdUgFd29OA5bsvVY8_FqtDARBfZM4EkQ@mail.gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Cc: Hanno Böck <hanno@hboeck.de>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LuKQaUKZREQmlsdxdEp9wi8-o4M>

On Tue, Jul 17, 2018 at 8:04 AM Johannes Merkle <johannes.merkle@secunet.com>
wrote:

> Crypto agility definitely has its value. There are not so many curves
> supported by TLS 1.3, and all of them use primes
> of a very special form. Of course, this is exactly what makes these curves
> faster than the Brainpool curves, but from a
> security perspective it might be advisable to have alternatives at hand
> which have very different properties

Between the NIST curves and Curve25519/Ed448 we have this already.

> (and have not been generated by the NSA using seeds of obscure origin).
>

We've been through this before, e.g.:

https://www.ietf.org/mail-archive/web/tls/current/msg10271.html
https://bada55.cr.yp.to/brainpool.html

...the latter of which quotes you as saying the repeated digits in the "A"
and "B" values used in the Brainpool seed generation process were "unfortunate".

There are no compelling practical reasons to continue to support the
Brainpool curves. They are both redundant and obscure.

--
Tony Arcieri