Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 09 January 2016 10:17 UTC

Date: Sat, 9 Jan 2016 12:17:48 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20160109101748.GA8925@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20151231201644.17780804.55594.43078@ll.mit.edu> <20160101182240.GA25903@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160101182240.GA25903@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OPpgPT06S-jXHt66x0HTh7uzrtY>

On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote:
> On Thu, Dec 31, 2015 at 08:16:35PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > I think Watson made a good point about "omittable checks". If an
> > implementation A "omits" this mechanism, it should fail session
> > establishment.
> 
> Well, here is one scheme that I can't break myself and has no checks one
> can just "omit":
> 
> PMS = SHA-512(A|B|DHF(a,B)) = SHA-512(A|B|DHF(b,A))
> 
> Where a and b are the private keys and A and B are the public keys
> and DHF is X25519 or X448.
 
And I broke that too...

Really, the only choice without omittable checks or known security
issues is to imply EMS (or another modification to master secret
derivation) off the codepoints in TLS 1.0-1.2. That is, if
those groups are sent, the key derivation will be EMS, even if the EMS
extension was absent (and sending it is a no-op).

(If there ever is another key derivation modifying extension, let
that specify what the heck to do with those groups).


-Ilari