IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Bodo Moeller <bmoeller@acm.org> Mon, 30 June 2014 07:34 UTC

Return-Path: <SRS0=ovrA=33=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 590D31A019C for <tls@ietfa.amsl.com>; Mon, 30 Jun 2014 00:34:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.721
X-Spam-Level: *
X-Spam-Status: No, score=1.721 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrhBfedFwWSC for <tls@ietfa.amsl.com>; Mon, 30 Jun 2014 00:34:29 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0A281A0198 for <tls@ietf.org>; Mon, 30 Jun 2014 00:34:28 -0700 (PDT)
Received: from mail-yh0-f44.google.com (mail-yh0-f44.google.com [209.85.213.44]) by mrelayeu.kundenserver.de (node=mreue101) with ESMTP (Nemesis) id 0MNtFb-1Wza2M3o9z-007XnE; Mon, 30 Jun 2014 09:34:26 +0200
Received: by mail-yh0-f44.google.com with SMTP id f10so4608045yha.3 for <tls@ietf.org>; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.39.100 with SMTP id c64mr9994368yhb.103.1404113664816; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
Received: by 10.170.83.215 with HTTP; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
Date: Mon, 30 Jun 2014 09:34:24 +0200
Message-ID: <CADMpkcLvv71EPG6PKkWrakp2RzL82O=ZuFq4b8i6zjaR9qcnug@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1137f868373c5404fd08b0b9"
X-Provags-ID: V02:K0:fMNrUJv85zBUCTonI1A3XY+ucd3h9i1QCDc9hNsmQFX Il0NREjJNlaRJtGbuyXxiSVd7qN+La3+qnKcvBJgVKZottlpKD NRGzVqlZLp9gTZ6UhKsulgM/jDzCj+6DAX7IRWeBzfK/W1LG4C 3ob3D3poctAn9bJwj8j/ADXObkeQaardo6IsgyY3WlGc9VvjXs eXWUMYyWy5z/uxW0JEXaUEf46w6c6BT+2Ll7zyTpexH9c4+Ryg +nqefKvBHjiiWH1RMmsFr3j+obPIvrj0Ti2s4PIZrbxBiOvnRX 2HRiku4zLS35XgdEUswOh/g3Uy7cAztLUBdxYDhwYsFmbj1dU5 tsfcW2M4zdfxpW9iOzjrPgJkyB7Pc/2DhsTPJduzhA1RrHVAxG BuJWmXUuO/WfM5zr/zy0M6xeH+k4w8mizFVDK9OPzt1+37DOU7 G2ASk
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OUtlC4fbP9GKa8NyZlcKVjR696E
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jun 2014 07:35:33 -0000

[Resending my earlier message because apparently it hadn't made it to the
list. If you read the quotes in Watson's reply to this, there's nothing new
here.]


---------- Forwarded message ----------
From: Bodo Moeller <bmoeller@acm.org>
Date: 2014-06-26 10:18 GMT+02:00
Subject: Re: [TLS] Curve25519 and TLS
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>


Watson Ladd <watsonbladd@gmail.com>:

 TLS with ECC computes the premaster secret as H(abg) where g is the
> generator of the group, and a and b are the ephemeral exponents.
> Because of protocol weaknesses, this premaster secret must be
> "contributory": neither side can be allowed to dictate it.
>

[...]

> The solution is to follow the advice on contributory behaviour and
> disallow a fixed list of public keys, namely those of small order.
>

Good point.  Given that the cofactor present in your secret key guarantees
that you'll end up in a prime-order group (regardless of how the peer's
input was chosen), I think you'd rather want to check the ECDH result
instead of checking against that larger blacklist of public keys.

Alternatively we can compute the premaster secret as the hash of H(ag
> | bg | abg): I have not yet confirmed that this solves the problem.
>

Hm, this looks like something that rather belongs into the premaster secret
=> master secret step.  If you have this there (such as when you're using
the proposed Extended Master Secret Extension
[draft-bhargavan-tls-session-hash-00]), including the public keys here too
would be redundant.  If you'd normally be doing a public-key check or an
ECDH result check, you could just skip this check if the protocol no longer
has a need for such protection.  In contrast, if you hash those additional
inputs when computing the premaster secret, that's not something you could
remove without affecting compatibility.

(On the flip site, of course, if an implementation omits a check that's
necessary for security reasons in the protocol that you're using, you
wouldn't normally notice interoperability problems as a result.  In
contrast, if the protocol has those additional hash inputs, implementations
couldn't get that wrong without failing to interoperate with others.
 However, there are many other more complex essential security checks that
we trust implementations to get right, so the extra protocol complexity for
this particular case doesn't seem warranted.)

Bodo

v2.23.0 | Report a Bug | By Email