Re: [TLS] Safe ECC usage
Kyle Hamilton <aerowolf@gmail.com> Sun, 29 September 2013 07:33 UTC
Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 742C821F9EB0 for <tls@ietfa.amsl.com>; Sun, 29 Sep 2013 00:33:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.366
X-Spam-Level:
X-Spam-Status: No, score=-1.366 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, SARE_BAYES_5x8=0.8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id muB3fT87CNsD for <tls@ietfa.amsl.com>; Sun, 29 Sep 2013 00:33:08 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) by ietfa.amsl.com (Postfix) with ESMTP id 0459921F9E83 for <tls@ietf.org>; Sun, 29 Sep 2013 00:33:07 -0700 (PDT)
Received: by mail-wg0-f51.google.com with SMTP id c11so4225605wgh.18 for <tls@ietf.org>; Sun, 29 Sep 2013 00:33:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=e5yUhbavPjLR7oPpcv+bOIOL5k2S4HouwsQPD3Rb+Vk=; b=vTMmBcWI8nCVUrmsvwT3hN45V2ne2eRHKndBrIsVs6l9tumIV0gMnusETZkQ2dslGT ptgdo4dQI7fNKnFXaqQLW/k4tYDNCkVIQ9PT8uvRCgY4Ndjft6Xea+WBJPqeWF7E3GRD wOH8cQ4aUw/0B8opkmoVQdbeYkEp9jkSP/zPqa3Mb8BZsEtJDnOt0hkVQfNWLKZFpxRa VOi05//faeG76irtlswgHoiNXikOZ01W1cSwMeBQOIkpBYRX20ViAlcCmejqVwaSYHjK 50vMVC2Dd2m1JqA5pghxz9Zv2HLYvrV2zddPUVyKY0gdH3I5q6QlUxBOn2O3oy4iuAX7 aVXA==
MIME-Version: 1.0
X-Received: by 10.180.160.165 with SMTP id xl5mr8918719wib.48.1380439986908; Sun, 29 Sep 2013 00:33:06 -0700 (PDT)
Received: by 10.194.134.67 with HTTP; Sun, 29 Sep 2013 00:33:06 -0700 (PDT)
In-Reply-To: <20130926152757.15842.qmail@cr.yp.to>
References: <523E176F.3050304@gmail.com> <9A043F3CF02CD34C8E74AC1594475C7355674EE0@uxcn10-6.UoA.auckland.ac.nz> <20130926152757.15842.qmail@cr.yp.to>
Date: Sun, 29 Sep 2013 00:33:06 -0700
Message-ID: <CAPMEXDb4=BzU5JwnAFJRjdXHEa30Ara8VMbi2hZGneuKA3s0iw@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b62509c0db3f504e780bb2f"
Subject: Re: [TLS] Safe ECC usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Sep 2013 07:33:09 -0000
Dr Bernstein, That's all well and good, but perhaps should you try to figure out how your functions can in fact be used in such standards as TLS without having to resort to pulling hens' teeth? Or perhaps apply your (admittedly much better than mine) intellect to figure out how to create a single public key from a single private key which can be used for both signing and key derivation, thus permitting consolidation of both into a single X.509 Certificate structure? The lack of this is in fact a major impediment to using self-signed certificates as containers for curve25519 public keys. Granted, I've been severely out of touch for quite a while, and it's possible that (e.g.) Ed25519 permits the use of the same public key in this manner (even though Ed25519 has a peculiar recordkeeping requirement which makes it less than ideal). If it does, please accept my humble apology. If it does not, however, I'd like to ask you to design a function which can be used for both signature and derivation from the same public key, so as to create a clear path forward for at least one (if not more) externally-developed elliptical function for ease of integration into the preexisting TLS (and perhaps more importantly PKI) infrastructure. BULLRUN's first major visible success was in inducing everyone to think about "how do you know it's who you think you're talking to?", completely ignoring SSLv1's opportunistic encryption. Netscape carried this further by simply refusing to speak with SSL sites that didn't authenticate themselves. I don't know if there is any webserver out there that will do TLS without an identity certificate, and even if there is I doubt there is a client that will communicate in those conditions. So, we need at the very least a self-signed certificate to carry the public key used to derive the shared key. (Also, while I've hopefully got your attention, have you any plan to create an x64 ABI for Curve25519? I'm currently having to use it via a COM wrapper I hacked up in C#, 64-bit processes calling via COM to a 32-bit process which exports only one function that COM doesn't mandate: curve25519(). This is insecure to COM-debug capable processes at the very least, as it requires that the caller provide the caller's private key over a public data bus.) I have the utmost respect for your knowledge and intellect, but without having a plan to fit your function into a common framework, there is simply no way to use the function you keep trying to promote. -Kyle H (Note: I would -love- to find out that I'm wrong, on any or all of this.) On Thu, Sep 26, 2013 at 8:27 AM, D. J. Bernstein <djb@cr.yp.to> wrote: > Modern elliptic-curve cryptography solidly takes care of all of the > "brittleness" mentioned in this thread, and is much easier than RSA to > implement securely. Compare https://twitter.com/tweetnacl to the amount > of code required to implement similar functionality in OpenSSL. > > Peter Gutmann writes: > > potentially NSA-influenced values like P256 > > There is indisputably an unexplained seed c49d3608 86e70493 6a6678e1 > 139d26b7 819f7e90 for the NIST P-256 curve mod 2^256-2^224+2^192+2^96-1, > and similarly for the other NIST curves. This was identified by the 2005 > Brainpool standard as a major issue for the NIST curves; it has also > been highlighted recently by Bruce Schneier. > > Fortunately, one can design high-security elliptic curves that don't > have any unexplained constants. That's what I did with Curve25519. > Curve25519 is the curve y^2=x^3+486662x^2+x mod 2^255-19; every number > here is completely explained in the Curve25519 paper. > > > even without NSA skullduggery make a nice single target for attack. > > There have already been several detailed studies of the cost of finding > multiple discrete logs on the same curve (authors: Escott, Sager, > Selkirk, Tsapakidis, Kuhn, Struik, Hitchcock, Montague, Carter, Dawson, > Lee, Cheon, Hong, Bernstein, Lange). Basically, if finding one ECC key > costs 2^128, then finding 1000000 keys costs 1000*2^128, and the first > key found will still cost 2^128. For comparison, finding 1000000 AES > keys costs the same 2^128 as finding a single key, and the first AES key > will be found with cost only 2^128/1000000. > > Yaron Sheffer writes: > > The recipient needs to test that the received point is actually on > > the relevant curve. > > This is certainly an issue for the NIST curves. Fortunately, this test > is completely unnecessary for x-coordinate ECC using twist-secure curves > such as Curve25519. I introduced this approach at ECC 2001, using the > smaller curve y^2=x^3+7530x^2+x mod 2^226-5 as an illustration. > > Peter Gutmann writes: > > For example if you used the recommended (until not too long ago) way > > to generate your k for (EC)DSA then you'd leak a tiny bit of your > > private key on each signature (again, that nasty propensity of DLP > > algorithms to leak the private key). > > Ed25519 has three levels of defense against this type of problem. > > First, k is chosen as a random 512-bit string, many bits larger than the > group order l (around 2^252). This is overkill (compare to the 64 bits > in Algorithm 2 in Section 4.1.1 of BSI Technical Guideline TR-03111) but > also an inexpensive and comprehensive defense. > > Second, the group order l is very close to a power of 2, specifically > within 2^125 of 2^252, so the bias would be unnoticeable even if k were > as small as 256 bits. > > Third, k is actually produced in a deterministic way as a secret hash, > so the k-generation mechanism is fully testable---there's no need to > worry about the implementor accidentally choosing a biased RNG. > > ---D. J. Bernstein > Research Professor, Computer Science, University of Illinois at Chicago > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Stephen Farrell
- [TLS] draft-sheffer-tls-bcp: DH recommendations Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael D'Errico
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Xuelei Fan
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael Ströder
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael Ströder
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael Ströder
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Bill Frantz
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Ralph Holz
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael Ströder
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael Ströder
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael D'Errico
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Stephen Farrell
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael D'Errico
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Ralph Holz
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… james hughes
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Ralph Holz
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Nikos Mavrogiannopoulos
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yoav Nir
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Patrick Pelletier
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Martin Rex
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Yaron Sheffer
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Alex Elsayed
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Michael D'Errico
- Re: [TLS] draft-sheffer-tls-bcp: DH recommendatio… Peter Gutmann
- [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Kyle Hamilton
- Re: [TLS] Safe ECC usage Johannes Merkle
- Re: [TLS] Safe ECC usage Adam Langley
- Re: [TLS] Safe ECC usage Santosh Chokhani
- Re: [TLS] Safe ECC usage Martin Rex
- Re: [TLS] Safe ECC usage Kyle Hamilton
- Re: [TLS] Safe ECC usage Yoav Nir
- Re: [TLS] Safe ECC usage Martin Rex
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Johannes Merkle
- Re: [TLS] Safe ECC usage Manuel Pégourié-Gonnard
- Re: [TLS] Safe ECC usage Yoav Nir
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Johannes Merkle
- [TLS] (offline note) Re: Safe ECC usage Rene Struik
- Re: [TLS] Safe ECC usage D. J. Bernstein
- [TLS] (EC)DSA potential problems (ECC "brittlenes… Martin Rex
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Watson Ladd
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Johannes Merkle
- Re: [TLS] Safe ECC usage Nico Williams
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Nico Williams
- Re: [TLS] Safe ECC usage Michael StJohns
- Re: [TLS] Safe ECC usage Dan Brown
- Re: [TLS] Safe ECC usage Nico Williams
- Re: [TLS] Safe ECC usage Bill Frantz
- Re: [TLS] Safe ECC usage D. J. Bernstein
- Re: [TLS] Safe ECC usage Dan Brown
- [TLS] DH group negotiation extension [was: Re: dr… Daniel Kahn Gillmor
- Re: [TLS] DH group negotiation extension [was: Re… Dang, Quynh
- Re: [TLS] DH group negotiation extension [was: Re… Patrick Pelletier
- Re: [TLS] DH group negotiation extension [was: Re… Watson Ladd