Re: [TLS] Should we require compressed points

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 22 October 2014 22:05 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: <tls@ietf.org>
Date: Wed, 22 Oct 2014 22:05:20 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9D6118@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/X3S66ahK-tMTL9tiuYsDb1iuR3Y
Subject: Re: [TLS] Should we require compressed points

Watson Ladd <watsonbladd@gmail.com> writes:

>Ask Bouncycastle, Apple, and Go why they don't do this check. (Bouncycastle
>fixed it). The fact is implementations are exploitable as a result of taking
>shortcuts not revealed in ordinary testing.

Do you have more information on this?

In any case though, the determined programmer can goto fail no matter what you
do, so adding a requirement for point compression will just mean they'll screw
things up elsewhere.  In addition, since they have to keep supporting
uncompressed points, all it'll do is add more things for them to mess up.

Peter.
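The check the thread is arguing about is whether a received EC point actually lies on the negotiated curve. The following is an added example, not code from the thread or from any of the implementations named in it: a strict SEC1 point parser for P-256 (curve parameters as published in FIPS 186-4 / SEC 2) that accepts both encodings, as Peter notes an implementation must, and rejects anything that is not a point on the curve. It shows the two sides of the argument in code: an uncompressed point needs an explicit curve-equation check that is easy to omit, while a compressed point can only decode to an on-curve point (or fail), but the decoder still has to reject an x for which no square root exists. The function and constant names are the example's own.

```python
# Added example (not from the thread): strict parsing of SEC1 EC points on P-256.
# Curve parameters are the standard P-256 values from FIPS 186-4 / SEC 2.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
FIELD_BYTES = 32


def on_curve(x, y):
    """Explicit check that (x, y) satisfies y^2 = x^3 + ax + b over GF(p).
    This is the step an uncompressed-point decoder must not skip."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def decompress(x, y_is_odd):
    """Recover y from x for a compressed point.
    Returns None when x^3 + ax + b is a non-residue, i.e. no point on the
    curve has this x-coordinate; a decoder that skips that test would
    silently produce an off-curve point."""
    if not 0 <= x < P:
        return None
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)   # square root shortcut, valid since P == 3 (mod 4)
    if (y * y) % P != rhs:          # rhs has no square root mod P: reject
        return None
    if (y & 1) != (1 if y_is_odd else 0):
        y = P - y                   # pick the root with the signalled parity
    return (x, y)


def parse_point(data):
    """Parse a SEC1 octet string. Returns (x, y) for a valid point on P-256,
    or None for any malformed, off-curve or unsupported encoding."""
    if not data:
        return None
    tag = data[0]
    if tag in (0x02, 0x03) and len(data) == 1 + FIELD_BYTES:
        x = int.from_bytes(data[1:], "big")
        return decompress(x, tag == 0x03)
    if tag == 0x04 and len(data) == 1 + 2 * FIELD_BYTES:
        x = int.from_bytes(data[1:1 + FIELD_BYTES], "big")
        y = int.from_bytes(data[1 + FIELD_BYTES:], "big")
        return (x, y) if on_curve(x, y) else None
    # Point at infinity (0x00), hybrid forms (0x06/0x07) and wrong lengths are rejected.
    return None


def encode_point(x, y, compressed):
    """Produce the SEC1 encoding of an affine point (inverse of parse_point)."""
    if compressed:
        return bytes([0x02 | (y & 1)]) + x.to_bytes(FIELD_BYTES, "big")
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


if __name__ == "__main__":
    # Constructed inputs: the generator in both encodings, and a tampered y.
    print(parse_point(encode_point(GX, GY, True)) == (GX, GY))
    print(parse_point(encode_point(GX, GY, False)) == (GX, GY))
    print(parse_point(encode_point(GX, GY + 1, False)))   # off-curve: None
```

The decision that matters for a TLS implementation is in parse_point: every path that returns a point has either verified the curve equation directly or derived y from it, so a later scalar multiplication can never run on a point from some other curve. Mandating one encoding does not remove the need for the other branch, which is Peter's point.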