Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Eric Rescorla <ekr@rtfm.com> Thu, 31 December 2015 20:24 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Nl2NdQ8cgU0hJ_w86J2g4IsnAgs>

On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> > On 31 December 2015 at 17:54, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > > Zero checks can already be unit-tested/interop-tested just as well.
> >
> >
> > What ekr said applies, but also this:
>
> I thought ekr's point was that if you need THS resistance, you
> require EMS. If you don't, not much point worrying what properties
> individual key exchanges have.
>

I think I was trying to say *almost* this: Namely that given that we have
existing mechanisms that rely on EMS for THS resistance, and most stacks
will continue to use them, then it's easier to just require EMS.


> > Yes, you can test that a given implementation does the right checks,
> > but you won't be checking during normal operation.  If you require
> > session-hash, then every handshake includes that check and if someone
> > messes up, the handshake just fails.  That's far more visible.
>
> I don't think the parts that actually matter are tested in normal
> use. Unless you mean deimplementing entire old TLS master secret
> derivation...


What I was suggesting was that:

1. Implementations which support old algorithms need to have EMS for THS
   resistance already.

2. Implementations which only do new algorithms can mandate EMS and not
   implement old derivation at all, provided we make that a rule here.

-Ekr
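
The difference between the old master secret derivation and the EMS (session-hash) derivation discussed in this thread, as an added example that is not part of the original message: it implements the TLS 1.2 PRF with SHA-256 and both derivations, then runs them over two constructed handshakes that share the premaster secret and both randoms but differ in the certificate seen. The transcript bytes and the `demo` helper are assumptions made for illustration, not real handshake encodings.

```python
import hashlib
import hmac

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_SHA256(secret, label + seed), RFC 5246 section 5."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def legacy_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Old derivation: binds only the premaster secret and the two randoms."""
    return prf(pms, b"master secret", client_random + server_random, 48)

def extended_master_secret(pms: bytes, handshake_messages: bytes) -> bytes:
    """EMS derivation (RFC 7627): binds the hash of the whole transcript."""
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pms, b"extended master secret", session_hash, 48)

def demo():
    # Constructed values: the same premaster secret on two connections, for
    # example the all-zero X25519 output that the zero check would reject.
    pms = bytes(32)
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    hello = b"ClientHello|" + client_random + b"|ServerHello|" + server_random
    # Constructed stand-ins for the two transcripts; only the certificate differs.
    transcript_a = hello + b"|Certificate:peer-A"
    transcript_b = hello + b"|Certificate:peer-B"

    legacy_equal = (legacy_master_secret(pms, client_random, server_random)
                    == legacy_master_secret(pms, client_random, server_random))
    ems_equal = (extended_master_secret(pms, transcript_a)
                 == extended_master_secret(pms, transcript_b))
    return legacy_equal, ems_equal

if __name__ == "__main__":
    legacy_equal, ems_equal = demo()
    print("legacy master secrets equal:", legacy_equal)
    print("extended master secrets equal:", ems_equal)
```

With the old derivation the two connections end up with the same master secret regardless of what the key exchange checked; with EMS any transcript difference changes the master secret, so a mismatch surfaces as a failed Finished check in every handshake.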