Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Watson Ladd <watsonbladd@gmail.com> Sat, 09 January 2016 13:57 UTC

In-Reply-To: <20160109101748.GA8925@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20151231201644.17780804.55594.43078@ll.mit.edu> <20160101182240.GA25903@LK-Perkele-V2.elisa-laajakaista.fi> <20160109101748.GA8925@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Sat, 9 Jan 2016 05:57:11 -0800
Message-ID: <CACsn0cmaggeBDUrw3eiYzfpM23tZ1jjvm=_AXW1Y14mzAVaxYg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_7DXf74lZfRSWFs83n_2e4NRaJI>
Cc: tls@ietf.org

On Jan 9, 2016 2:18 AM, "Ilari Liusvaara" <ilariliusvaara@welho.com> wrote:
>
> On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote:
> > On Thu, Dec 31, 2015 at 08:16:35PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > > I think Watson made a good point about "omittable checks". ‎If an
> > > implementation A "omits" this mechanism, it should fail session
> > > establishment.
> >
> > Well, here is one scheme that I can't break myself and has no checks one
> > can just "omit":
> >
> > PMS = SHA-512(A|B|DHF(a,B)) = SHA-512(A|B|DHF(b,A))
> >
> > Where a and b are the private keys and A and B are the public keys
> > and DHF is X25519 or X448.
>
> And I broke that too...
>
> Really, the only choice without omittable checks or known security
> issues is to imply EMS (or another modification to master secret
> derivation) off the codepoints in TLS 1.0-1.2. That is, if
> those groups are sent, the key derivation will be EMS, even if EMS
> extension was absent (and sending it is no-op).
>
> (If there ever is another key derivation modifying extension, let
> that specify what the heck to do with those groups).

Would you mind explaining the attack in more detail? I'm pretty sure that
with at least one honestly generated value the result cannot be controlled.
>
>
> -Ilari
>