Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Brian Smith <brian@briansmith.org> Wed, 23 December 2015 00:09 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B91B1AC444 for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 16:09:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2pUCdhR62BR for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 16:09:33 -0800 (PST)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3311AC447 for <tls@ietf.org>; Tue, 22 Dec 2015 16:09:33 -0800 (PST)
Received: by mail-ob0-x22e.google.com with SMTP id 18so155839329obc.2 for <tls@ietf.org>; Tue, 22 Dec 2015 16:09:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gwQXe2m1DCpkMfp9q/vqGTE/IRS4deyG1gXWv3NtvjM=; b=b+eENS2C35r/X7/T2bas8H+ribDwff/Ti7sMSc6sNSGxBKtkpw0eX/C66mY9rgC6Em UDdlDmwHbWwNKTIFAj/HdLcI4I4PxF0HhOgFf6+y/9rOrMAmHkbqEM06Rwk7SU68cFeW NeeYcUrOM5L77ydP06LDNKy8gQblC9lg9yZNrUvJGqffA7P5jqw7loAYj9dgxckWEgZp 6vvzfhIUr03d0LsIfvgNOv2ApWvtVNZzluNIITd+nB/ZVXpuxYabTBACz62BQI4C95SO 5bduObMuAYzZtfFVEjtib04H6Cc6Q6UccBgifoWFJKjJNBrsx++HR5/P9csIX3nGZeyD PxQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=gwQXe2m1DCpkMfp9q/vqGTE/IRS4deyG1gXWv3NtvjM=; b=jTvbaEX3Qg9u+GHj7lEpLQYUPIWR6kVwRhUFPq2XWBXByyxjzZcRXNPLEFaEG7UBoH aiql5U+2aqWpOIEVKKQDxlNVTnVGPqQVAa2G2HxWsHeDJxMLDNOiOJ8JrZmAQGkpvDqF ktclCKev72hq+vGZwD+Etkb8HGJe7vTKbcyHROSJOuxF/O0jFCy+0iwshIBMGxAi5JVT nWl/JcSdUDsGRWsZOcykMeoRjDZBCkfl5+uXHlZ/JvXgS9Gcu2guWGESVPSRu83cxItH lriBs4px/gXt0ewuNUkrxRq+rgl7sX1Bcn7V4owQ4IkTGj+qWPuEmrN0qKt1o6VGEb4r fdSw==
X-Gm-Message-State: ALoCoQlZQkRBjPKiSQ0z8EifhEShuAYMjnGJOjE8e/Gau3L/lJ6HszKT5+vKaVQ6fHQecVIytf3G8rfxW5y96xfZNkRzJtItlQ==
MIME-Version: 1.0
X-Received: by 10.60.150.237 with SMTP id ul13mr12945055oeb.49.1450829372470; Tue, 22 Dec 2015 16:09:32 -0800 (PST)
Received: by 10.76.62.8 with HTTP; Tue, 22 Dec 2015 16:09:32 -0800 (PST)
In-Reply-To: <CABkgnnUq0_28U6VqE=ZPpwutOBUkTGwhxqHQOEvQve5JYfSVRA@mail.gmail.com>
References: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com> <CACsn0cng1o-5hm=zuL6puOGJ8A2bjB=fFsaFsBCmmVofNSuumg@mail.gmail.com> <CABkgnnXQS3Ek6jDjx0aSQmaf+=EjfGWa8MG1AO4QwhJbK50VQg@mail.gmail.com> <CAFewVt4NSGDP_At8XsX4OsxSUaj_2kRyFP_keDQhfnR0=mBhrg@mail.gmail.com> <CABkgnnUq0_28U6VqE=ZPpwutOBUkTGwhxqHQOEvQve5JYfSVRA@mail.gmail.com>
Date: Tue, 22 Dec 2015 14:09:32 -1000
Message-ID: <CAFewVt6fyqbOZfQkWY=9SM20WcrP0UhfH+3wvXjiYoTjPm2pgA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary=047d7b44fcc0604f6c052785891c
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/WIdmYmwwp2T2Ho1-rn7hW2BqPKc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Dec 2015 00:09:34 -0000

Martin Thomson <martin.thomson@gmail.com> wrote:

> On 23 December 2015 at 10:23, Brian Smith <brian@briansmith.org> wrote:
> > It may be the case that TLS requires contributory behavior and point
> > validation is still unnecessary. Or, it may be the case that TLS doesn't
> > really require contributory behavior (though, it seems obvious to me
> that it
> > does, at least for TLS 1.2 and earlier). Or, it may be the case that TLS
> > requires contributory behavior and a check is necessary. The draft should
> > make it clear which case we are dealing with, with a reference to the
> > reasoning that gave us whatever conclusion is reached, but currently
> that is
> > missing.
>
> My understanding is that with session hash TLS 1.2 is OK, as is 1.3.
> Like Watson and Thai, I think that 1.2 without session hash is not OK.
>
> That suggests that the 25519 draft should require session hash in 1.2.
>

If an implementation only implements ECDHE cipher suites then implementing
the session hash extension is not necessary, according to RFC 7627. I
believe there are also a few other factors that would implementing the
session hash extension to be unnecessary.

If checking that the shared value isn't zero is sufficient, and/or
blacklisting the public values that DJB mentions in [1] is sufficient,
either would be better than mandating the implementation of the session
hash extension just for this purpose.

[1] http://cr.yp.to/ecdh.html#validate

Cheers,
Brian
-- 
https://briansmith.org/