[TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Brian Smith <brian@briansmith.org> Tue, 22 December 2015 21:14 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E6E1A904D for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 13:14:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0j4ZsODqLuR0 for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 13:14:48 -0800 (PST)
Received: from mail-ob0-x236.google.com (mail-ob0-x236.google.com [IPv6:2607:f8b0:4003:c01::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D8331A904C for <tls@ietf.org>; Tue, 22 Dec 2015 13:14:48 -0800 (PST)
Received: by mail-ob0-x236.google.com with SMTP id iw8so152530449obc.1 for <tls@ietf.org>; Tue, 22 Dec 2015 13:14:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:date:message-id:subject:from:to:content-type; bh=MLdeWzoAz9yCpPg8w/eOXWGUqw0GFxYORwrkD+D+pd4=; b=aOVprlanYQdik7HytmYkEh7IW7FeupDoEe72zRTZ7AKEBnNRzSdixUvEQCUKzVeYpw g+LZpMe/xKI4f5IFA9j5aSjk7apHjFlXKRjcFzWi8AphX2xnwk63RIDqxfpXMzzm8Hn4 zshj41JKOs1nsIjRhOlDgZLsJx6gHCyBC1ZPaWDh269uE3VEO7Sak1YcqLJknd5Zi0vf D3qL711DYACX5Mr+IA8I4eseY4DuA7MFJwiVSMf/I7KFQ9kXuZD46jm+rUqtseQNJNzZ dIrYRMglEEgz3h7hwWvh8+/sb4t7hCiVDcMTLlvLo7FyoptNdY8wUcruhZ1RwLphvvM9 cPYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=MLdeWzoAz9yCpPg8w/eOXWGUqw0GFxYORwrkD+D+pd4=; b=DlxAsLcvtzedLwcOHV9KBB8edgRU5XIl1+bTpeKS8F166MmPKtFl5vpL8lDYkitgGX oyoGUdrNuuT1MU+V52Wu4KgDuB/FhL9lysuJqbbFmetrKeE2Y9R1CWvtTAUOt4gmNZzY SR1qmS9sHqnIazSXkNSarnFBwQM76j+z+WOOV5qUoKzkj7TsbX5puKkJCN5GXJeNkaMe cXcH59cT7qL/r+I8Ytbr/0DpQPygZHK7mXYmvzGdleqxe13mIbp2WdzRS93NDQqaFqAw 1UZ2ceIypiD/Z3qns+NW6/BrpJUL9esSTsntQPMKZV1QoToogWUw5NaQo4RQhnqg11V/ OWCA==
X-Gm-Message-State: ALoCoQkKcChP1NeGDTS7SQ9wDSkh7mKft26fKVNMDS7pRHbKByYjjd+XzTIRI0omxjUipp0npzeIHTecXNauwEj5EcBvL+J9Rw==
MIME-Version: 1.0
X-Received: by 10.182.214.40 with SMTP id nx8mr12784159obc.20.1450818887507; Tue, 22 Dec 2015 13:14:47 -0800 (PST)
Received: by 10.76.62.8 with HTTP; Tue, 22 Dec 2015 13:14:47 -0800 (PST)
Date: Tue, 22 Dec 2015 11:14:47 -1000
Message-ID: <CAFewVt4Midtq7X6px4=A4hGkspQuJdzZQ907U=SJox0SdgfAJg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=e89a8ff1c01e6c7afa0527831807
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dQmc3QZs-40OVSxREZS9PqVDAMk>
Subject: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 21:14:49 -0000

The current draft [1] says:

    Other than this recommended check, implementations do
    not need to ensure that the public keys they receive
    are legitimate: this is not necessary for security
    with Curve25519.

However, Thai Duong (of BEAST fame, among other things) wrote that TLS 1.2
and below do seem to benefit from public key validation in "Why not
validate Curve25519 public keys could be harmful" [2]. Watson Ladd had also
pointed out many times on this list that TLS is one protocol where
contributory behavior is required.

DJB himself had also pointed out did point out that some protocols do
require public key validation with Curve25519 "to ensure 'contributory'
behavior" in [3]. Thus, the statement in draft-ietf-tls-curve25519-01 that
"this is not necessary for security with Curve25519" in the current draft
is clearly overly general and misleading.

In particular, I noticed that the text in draft-ietf-tls-curve25519-01
section 2.3 focuses a lot on attacks that reveal the private key. However,
what about other attacks? In particular, I think that, at the very least,
the relevance or irrelevance to TLS of the key dictation attack that Thai
brought up, and the need or non-need for checking that the agreed value is
zero (basically the same thing), should be mentioned in the draft's
security considerations.

[1] https://tools.ietf.org/html/draft-ietf-tls-curve25519-01#section-2.3
[2]
http://vnhacker.blogspot.com/2015/09/why-not-validating-curve25519-public.html
[3] http://cr.yp.to/ecdh.html#validate

Cheers,
Brian
-- 
https://briansmith.org/