Re: [TLS] Curve25519 and TLS
Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 14 June 2014 07:39 UTC
Date: Sat, 14 Jun 2014 07:39:25 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140614073925.GY8358@mournblade.imrryr.org>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com>
In-Reply-To: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WXZIkBYhJIkPJ4O9EExnOZgiRwQ
On Fri, Jun 13, 2014 at 06:30:46PM -0300, Watson Ladd wrote:

> TLS with ECC computes the premaster secret as H(abg) where g is the
> generator of the group, and a and b are the ephemeral exponents.
> Because of protocol weaknesses, this premaster secret must be
> "contributory": neither side can be allowed to dictate it.
>
> Curve25519 has order 8*q, where q is some prime. All encoded public
> keys lie on this or a twist with order 4*q'. (I might be wrong in the
> details, but it's right enough). In particular there is a point of
> order 2.

As far as I can tell, this is not the case with Diffie-Hellman over
Curve25519, because the base-point (namely 9) has order 8, and the
cyclic sub-group it generates has prime order. All private keys are
multiples of 8, so an attacker M who chooses a low order element must
send a public key m of order 1, 2, 4 or 8, which since Alice's private
exponent is a multiple of 8 means that g^{am} is the identity.

See the "Small-subgroup attacks" section of DJB's paper.

Since key agreement with Curve25519 is presumably Diffie-Hellman with
(9) as the base point and the recommended constraints on private
exponents, there should be no problem.

> A malicious server can provide a point of order 2, and with 50%
> probability get a dictated premaster secret.

Not useful when Alice's (or Bob's depending on whom Mallory is trying
to fool) private exponent is a multiple of 8, the only check required
is that the final shared secret is not the identity (IIRC the point at
infinity is represented by "0" in Curve25519 so the check is then just
to make sure that the DH shared secret is not 32 zero octets).

Corrections/elaboration from folks more familiar with 25519 welcome.

-- 
	Viktor.
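The two points of this message, that clamping makes the private scalar a multiple of 8 so any low-order peer point multiplies to the identity, and that the identity encodes as 32 zero octets and is therefore easy to reject, carried through in code. This is an added example, not code from the thread or from any TLS implementation discussed in it. It follows the X25519 description in RFC 7748 (published after this 2014 exchange), which also recommends the all-zero output check in its section 6.1; the Alice/Bob keys are that RFC's test vectors, and the low-order u-coordinates 0, 1 and p-1 are the standard order-2 and order-4 points on Curve25519 (the order-8 points and twist points are not covered). Function names are mine, and the arithmetic is not constant-time, so it is for study rather than deployment.

```python
"""X25519 key agreement (RFC 7748) in pure Python, with the all-zero output check.

Added example for this thread; not code from the list or from any TLS stack.
Big-integer Python is not constant-time: illustration only.
"""
import hmac
import os

P = 2**255 - 19
A24 = 121665                            # (486662 - 2) / 4, Montgomery ladder constant
BASE_POINT = (9).to_bytes(32, "little")
ZERO = bytes(32)                        # how X25519 encodes the identity element

# Standard low-order u-coordinates on Curve25519: u=0 is the point of order 2,
# u=1 and u=-1 (p-1) are points of order 4.  Order-8 and twist points omitted.
LOW_ORDER_U = {
    "order 2 (u=0)": (0).to_bytes(32, "little"),
    "order 4 (u=1)": (1).to_bytes(32, "little"),
    "order 4 (u=p-1)": (P - 1).to_bytes(32, "little"),
}


def clamp(k: bytes) -> int:
    """Decode a 32-byte private key with Curve25519 clamping.

    Clearing the low three bits makes the scalar a multiple of 8, which is why a
    peer point of order 1, 2, 4 or 8 always multiplies to the identity.
    """
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                        # RFC 7748: ignore the top bit of the encoding
    return int.from_bytes(u, "little")


def cswap(swap: int, a: int, b: int):
    """Conditional swap in arithmetic form (still not constant-time in Python)."""
    mask = -swap                        # 0 or -1 (all ones)
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: returns u(k * Q) as 32 bytes."""
    scalar = clamp(k)
    x1 = decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    # The identity has z == 0; pow(0, P - 2, P) is 0, so it encodes as 32 zero bytes.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASE_POINT)


def shared_secret(my_priv: bytes, peer_pub: bytes) -> bytes:
    """DH agreement with the contributory check: reject an all-zero result.

    Compared in constant time.  An identity result means the peer sent a
    low-order point and knows the "secret" regardless of our private key.
    """
    k = x25519(my_priv, peer_pub)
    if hmac.compare_digest(k, ZERO):
        raise ValueError("peer public key has low order; shared secret is the identity")
    return k


def rejects_low_order(priv: bytes, peer_pub: bytes) -> bool:
    try:
        shared_secret(priv, peer_pub)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """RFC 7748 section 6.1 Alice/Bob vectors plus the low-order inputs."""
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    fresh = os.urandom(32)              # any clamped key behaves the same on low-order input
    return {
        "alice_pub": public_key(alice).hex(),
        "bob_pub": public_key(bob).hex(),
        "shared_ab": shared_secret(alice, public_key(bob)).hex(),
        "shared_ba": shared_secret(bob, public_key(alice)).hex(),
        "low_order_outputs": {n: x25519(alice, u).hex() for n, u in LOW_ORDER_U.items()},
        "random_key_low_order_all_zero": all(x25519(fresh, u) == ZERO for u in LOW_ORDER_U.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every entry under `low_order_outputs` is 64 hex zeros whatever the private key, which is the identity case the message describes; `shared_secret` is the single check a TLS peer needs on top of the scalar multiplication, and it must be applied to the output, not to the received point, since the comparison against the zero string is what catches all the low-order inputs at once.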