Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Alyssa Rowan <akr@akr.io> Thu, 10 April 2014 20:28 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B21D1A03BA for <tls@ietfa.amsl.com>; Thu, 10 Apr 2014 13:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sstrkGfL1SlW for <tls@ietfa.amsl.com>; Thu, 10 Apr 2014 13:28:25 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id BFFB31A0073 for <tls@ietf.org>; Thu, 10 Apr 2014 13:28:25 -0700 (PDT)
Message-ID: <5346FEDE.9000909@akr.io>
Date: Thu, 10 Apr 2014 21:28:14 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <87ob3456s1.fsf@latte.josefsson.org> <20140402164340.GA14790@roeckx.be> <20140407115102.3011d2e5@latte.josefsson.org> <CACsn0cmFLO2n8d-FVVb4wu=G5T88E7rRd8b=eYo-1uMZnMxkOQ@mail.gmail.com> <5344BD77.2020106@fifthhorseman.net> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC18CAE@USMBX1.msg.corp.akamai.com> <1397044231.4019.4.camel@dhcp-2-127.brq.redhat.com> <4abda243-3fc2-4087-92f8-3db02769384f@email.android.com> <1397048457.4019.22.camel@dhcp-2-127.brq.redhat.com> <CACsn0ckyaGO9hqn7pDVE2VR-TWs5v+Y6NsnCqCvrwFGyUGfZ3A@mail.gmail.com> <1397118165.2419.23.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1397118165.2419.23.camel@dhcp-2-127.brq.redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/MJfxaiQmHQY0YPj9BWhSBySbWSc
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 20:28:28 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/04/2014 09:22, Nikos Mavrogiannopoulos wrote: > And how does this affect an ephemeral key exchange? Assuming all side-channel attacks require repetition seems like the kind of rather dangerous thinking that has bought TLS very unpleasant surprises in the past. We've had quite enough of those already, I think. Curve25519 was designed _specifically_ so that it can use a lovely, extremely fast, constant-time Montgomery ladder: if you're not using that, frankly, you're doing it wrong. (Section 5 of the draft already addresses that, on my reading.) > That's why I asked input from other who plan to implement it. OK. Try _not_ to make your own implementation, especially not using a generic bignum library: you'll both have side-channel problems, and your performance will suck compared to the existing implementations. Several liberally-licensed, extremely good, highly-optimised, correct implementations of Curve25519 already exist: libsodium, for example. They're probably better in every way than one you (or I) could write. Practical implementation on most platforms in software therefore pretty much consists of taking a good implementation; carefully building scaffolding around it to plug it in; very thoroughly testing that; and that's it. This draft is, very simply, the standards part of that 'scaffolding'. Given big-endian is the 'wrong way round' from what comes out of and goes into literally every one of these implementations, it seems a bit silly to ask basically everyone to byte-swap for no reason when we could just... not. That's why I say use the existing little-endian format. It's not a holy war, it just feels utterly pragmatic in this case, just because it's simpler that way. Given bugs like Heartbleed, goto fail, the recent GnuTLS one (that doesn't have a cute name as far as I know?), and doubtless, many more to come - the simpler we can make that scaffolding, the less opportunity there is overall to screw it up. That's my take on it, anyway. - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJTRv7eAAoJEOyEjtkWi2t6Ef0P/jA3q3ahnLwY92wSByDmYVtD xZSXJFXFaJ/mF3h9ix94b55T5+Oyzr2pcOdbItW5AriG8PP3Rs702N7PXaIZWS8l SAEHMBB2bNWFlbwttpVLfrGqWdYIcjXhD/IDsiU+hRXs5K7Gb1DHM8Y8RLylNDTz xGpHGs1lJAc8ubLIKU3axXMavTbJWfHo8icou4EWiIqoFz1uR1rxUwhcSPg2CT7N IJNDD/Ap+4Mkcuo/L3r8jjzD9EN5PkuQUGGLgmT3WyZNMx/XMLbkrn/1eKOafjMc QpFbLA7dq0dGAtpW47U1kNcivO/eAX/Xq6LftTcQ15dZZgcEORIG60BxS5rsaudZ 0+frOMuTd0Dxv7g/1Zr4+ADK4C8vibSZUSMv19A1uA5chKzEqsjssndiNpfqy/WZ yGn/edoemDwE+jdVhHEQh4qZxycXJdqfAyg1M8FhUxahzFxEFnv/RlW54kgqULaQ He0OTB+lwMWbHQDXp9Aj2PcDdyFyA5QHWwjF8+zpDKhIB87aV30LEw1P3upwvtYG CZJ9XLqJz39GwRGGN+liugakBpWAyNFoOGnb5WvpUEdq1INEdUFHul2eQV0nF374 KXaHadVV32I1tQ7ECVVrv69/1xqWBAm0eC+LGgf9Cz+wT7chvAWf85/5u7QkvBJo KRCoFogKpVV9DXmCcUp+ =++Qz -----END PGP SIGNATURE-----
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard