Re: [TLS] Curve25519 and TLS
Bodo Moeller <bmoeller@acm.org> Mon, 30 June 2014 07:34 UTC
Return-Path: <SRS0=ovrA=33=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 590D31A019C for <tls@ietfa.amsl.com>; Mon, 30 Jun 2014 00:34:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.721
X-Spam-Level: *
X-Spam-Status: No, score=1.721 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrhBfedFwWSC for <tls@ietfa.amsl.com>; Mon, 30 Jun 2014 00:34:29 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0A281A0198 for <tls@ietf.org>; Mon, 30 Jun 2014 00:34:28 -0700 (PDT)
Received: from mail-yh0-f44.google.com (mail-yh0-f44.google.com [209.85.213.44]) by mrelayeu.kundenserver.de (node=mreue101) with ESMTP (Nemesis) id 0MNtFb-1Wza2M3o9z-007XnE; Mon, 30 Jun 2014 09:34:26 +0200
Received: by mail-yh0-f44.google.com with SMTP id f10so4608045yha.3 for <tls@ietf.org>; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.39.100 with SMTP id c64mr9994368yhb.103.1404113664816; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
Received: by 10.170.83.215 with HTTP; Mon, 30 Jun 2014 00:34:24 -0700 (PDT)
Date: Mon, 30 Jun 2014 09:34:24 +0200
Message-ID: <CADMpkcLvv71EPG6PKkWrakp2RzL82O=ZuFq4b8i6zjaR9qcnug@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1137f868373c5404fd08b0b9"
X-Provags-ID: V02:K0:fMNrUJv85zBUCTonI1A3XY+ucd3h9i1QCDc9hNsmQFX Il0NREjJNlaRJtGbuyXxiSVd7qN+La3+qnKcvBJgVKZottlpKD NRGzVqlZLp9gTZ6UhKsulgM/jDzCj+6DAX7IRWeBzfK/W1LG4C 3ob3D3poctAn9bJwj8j/ADXObkeQaardo6IsgyY3WlGc9VvjXs eXWUMYyWy5z/uxW0JEXaUEf46w6c6BT+2Ll7zyTpexH9c4+Ryg +nqefKvBHjiiWH1RMmsFr3j+obPIvrj0Ti2s4PIZrbxBiOvnRX 2HRiku4zLS35XgdEUswOh/g3Uy7cAztLUBdxYDhwYsFmbj1dU5 tsfcW2M4zdfxpW9iOzjrPgJkyB7Pc/2DhsTPJduzhA1RrHVAxG BuJWmXUuO/WfM5zr/zy0M6xeH+k4w8mizFVDK9OPzt1+37DOU7 G2ASk
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OUtlC4fbP9GKa8NyZlcKVjR696E
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jun 2014 07:35:33 -0000
[Resending my earlier message because apparently it hadn't made it to the list. If you read the quotes in Watson's reply to this, there's nothing new here.] ---------- Forwarded message ---------- From: Bodo Moeller <bmoeller@acm.org> Date: 2014-06-26 10:18 GMT+02:00 Subject: Re: [TLS] Curve25519 and TLS To: Watson Ladd <watsonbladd@gmail.com> Cc: "tls@ietf.org" <tls@ietf.org> Watson Ladd <watsonbladd@gmail.com>: TLS with ECC computes the premaster secret as H(abg) where g is the > generator of the group, and a and b are the ephemeral exponents. > Because of protocol weaknesses, this premaster secret must be > "contributory": neither side can be allowed to dictate it. > [...] > The solution is to follow the advice on contributory behaviour and > disallow a fixed list of public keys, namely those of small order. > Good point. Given that the cofactor present in your secret key guarantees that you'll end up in a prime-order group (regardless of how the peer's input was chosen), I think you'd rather want to check the ECDH result instead of checking against that larger blacklist of public keys. Alternatively we can compute the premaster secret as the hash of H(ag > | bg | abg): I have not yet confirmed that this solves the problem. > Hm, this looks like something that rather belongs into the premaster secret => master secret step. If you have this there (such as when you're using the proposed Extended Master Secret Extension [draft-bhargavan-tls-session-hash-00]), including the public keys here too would be redundant. If you'd normally be doing a public-key check or an ECDH result check, you could just skip this check if the protocol no longer has a need for such protection. In contrast, if you hash those additional inputs when computing the premaster secret, that's not something you could remove without affecting compatibility. (On the flip site, of course, if an implementation omits a check that's necessary for security reasons in the protocol that you're using, you wouldn't normally notice interoperability problems as a result. In contrast, if the protocol has those additional hash inputs, implementations couldn't get that wrong without failing to interoperate with others. However, there are many other more complex essential security checks that we trust implementations to get right, so the extra protocol complexity for this particular case doesn't seem warranted.) Bodo
- [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Andy Lutomirski
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Karthikeyan Bhargavan
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Paul Hoffman
- Re: [TLS] Curve25519 and TLS Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Bodo Moeller
- Re: [TLS] Curve25519 and TLS Bodo Moeller