Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Alyssa Rowan <akr@akr.io> Fri, 11 April 2014 07:53 UTC

User-Agent: K-9 Mail for Android
In-Reply-To: <1397201622.2324.13.camel@dhcp-2-127.brq.redhat.com>
References: <87ob3456s1.fsf@latte.josefsson.org> <20140402164340.GA14790@roeckx.be> <20140407115102.3011d2e5@latte.josefsson.org> <CACsn0cmFLO2n8d-FVVb4wu=G5T88E7rRd8b=eYo-1uMZnMxkOQ@mail.gmail.com> <5344BD77.2020106@fifthhorseman.net> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC18CAE@USMBX1.msg.corp.akamai.com> <1397044231.4019.4.camel@dhcp-2-127.brq.redhat.com> <4abda243-3fc2-4087-92f8-3db02769384f@email.android.com> <1397048457.4019.22.camel@dhcp-2-127.brq.redhat.com> <CACsn0ckyaGO9hqn7pDVE2VR-TWs5v+Y6NsnCqCvrwFGyUGfZ3A@mail.gmail.com> <1397118165.2419.23.camel@dhcp-2-127.brq.redhat.com> <5346FEDE.9000909@akr.io> <1397201622.2324.13.camel@dhcp-2-127.brq.redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Fri, 11 Apr 2014 08:53:37 +0100
CC: tls@ietf.org
Message-ID: <72d7c28c-0022-497a-b5ca-3d36a6727e39@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jbSi8y_dtz1aJKODWJtAXREiK2Y
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 11 April 2014 08:33:42 BST, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
>> Assuming all side-channel attacks require repetition seems like the
>> kind of rather dangerous thinking that has bought TLS very unpleasant
>> surprises in the past. We've had quite enough of those already, I think.
>Could you elaborate on how to achieve repetition on a protocol that runs
>only once with the same key? I find your argumentation hard to follow.

Perhaps you misunderstand. Naïvely assuming that every dangerous side-channel attack absolutely needs amplification via repetition is, I feel, optimistic (or, depending on your point of view, pessimistic).

(And if I ever develop such a one-shot attack, I shall name it something like #yolo, because cute attack names are in vogue.)

That's the kind of thinking that got us 20:20 hindsight gems like '[this timing attack] is not believed to be large enough to be exploitable'. Please let's be more careful.

Using good Curve25519 implementations gives us the opportunity to eliminate potential side-channels. Don't waste that opportunity.

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJTR5+BGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t69IgQALHjPUyvVhmPWiFH1V3MA1j0RZQBNT+zpguRmby9fp/Vi2VHdQDK
R49WKn5Lrtiqm20qELgsGS7lAFS0a0H3twTmZ/p6Cw9BBlOlcpaWU9bxBYvbQgGD
Ch0W4z+Nqz13LeeYy5909/JcQYEQp8YBzqtU/x4pMnlxPxQwicuKQr0KTrrEHRy5
XAW3zbo9XLz8zn2FMNCioHwMuK0zq3LZz4b5zRitotrtKR3KePgWddenr1NY9ooH
A4Fm1D7VEmB9ABcYMefKAPQeMBnVFx906EHYeyGFZ1QqlefmyDDGla/7FBIcbUoA
oiRCcfnj7ZbbkgPun2lPoY2xKhtAvHkkxTeNcZC+5aqEnEZakG6tCWtzZfRuu+oa
utYtTBR6kghlO73EhhSBpnadFCM4+H0h+1n9Wbr6LT5T8ZXYZ3TSglCcUzlsb0s9
7CYSI+BsMz5V4gov/5ulriBq5TKumKcEAXrbumnYjamphqBrscw9F4lRhIaUOFRT
yUA2t4+lNJUrdm28iCzkcZ7b1vF49KlBmFSRmvRYgPQki2PO3u0FDDb714sc5xr/
g3Nat95ZCMjxXGKWREcXg2r0qQcjdAS6xuDaWGblfx+8CThapBknk5PUjm5tgqCg
+AGDLdJ26xfUyFMURgUjM7i3xRP1uT2VjuUmUHuEfD2rX4oXMKjzfoTV
=JeFt
-----END PGP SIGNATURE-----

[TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard