Re: [TLS] Point validation in 1.3
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Thu, 17 November 2016 14:59 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6064B1295CA for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 06:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oZvS86VsCXG for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 06:59:04 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6FC81294AF for <tls@ietf.org>; Thu, 17 Nov 2016 06:59:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=BL1PFKSt1XFYQFwxMOCrPX9ykERki2T6/9IOxhNHvRA=; b=BvxpAn/2lek2OdeGgf7cL3sELj Nl+9FYbPJIn13Kdp8zgG5UIgfMeQtHCxaprim25cbOcfBmMhDOyz7C5uzXtpoVPep631TsjQMEtVz j111+8RQEFrwFwPHqVYyTPL1oad9e2LDMxutdYvN1RENdZwtia8xUYJcmouRSWi5na3YcYG+2/rwF HLvYK9r6J2X9BXCw5GgJNkyePdx0dkhgWm63koEHmkwZUkIYT9Nf7znRA5GqLCrGjw/Yguf3wY8i/ O+3S6g5CDuFH003vKwyRamg9O4sWS0QQLp5bA3CjRL++0UuqPEyFj1MY84SBDe/1W1a3E+nJ/6pOX eg4IWeBg==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1c7O9T-0001tc-Qw ; Thu, 17 Nov 2016 15:58:59 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Thu, 17 Nov 2016 14:58:58 +0000
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Organization: Microsoft Research
In-Reply-To: <20161115153555.GA7882@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CACsn0cnX90rOH0OQzzksrg1CYLeDugt_tT3+EKBY=tZ37oFR4w@mail.gmail.com> <4D79E074-6231-4CDD-88A0-2E8EBEA1BCA5@gmail.com> <20161115153555.GA7882@LK-Perkele-V2.elisa-laajakaista.fi>
Message-ID: <873492101dd071c361b12de270fe166e@delignat-lavaud.fr>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.2.2
X-Virus-Checked: False
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l-z1XZlLJqQmIXWhbl4LXeD6DDY>
Cc: tls@ietf.org
Subject: Re: [TLS] Point validation in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2016 14:59:06 -0000
Le 2016-11-15 15:35, Ilari Liusvaara a écrit : > On Tue, Nov 15, 2016 at 05:02:24PM +0900, Yoav Nir wrote: >> I think the performance enhancement (in terms of handshakes per >> second) >> that you get by reusing ephemeral keys is so great, that we have to >> assume people will do it. You don’t have to keep the keys >> indefinitely. >> It’s fine to generate a new key every second or ten seconds or so. >> >> Which makes running the point validation all the more important. > > There's two main reasons for point validation: > > 1) Preventing leaking of the secret exponent. > 2) Preventing key collisions from low-order points. > > TLS 1.3 isn't vulernable to 2) like TLS 1.2 and below are (without > EMS). > > X25519/X448 have been explicitly designed to resist 1). > > If you want to prevent using low-order points for some reason, there is > a handy trick: Check if the output of X25519/X448 is all zeroes or > not, and abort if it is. There is an unfortunately common mis-conception that X25519 doesn't need point validation for Diffie-Hellman which comes from the original PR of Bernstein et al. Curve25519 has an order 8 subgroup that can be used to do key collisions and transcript synchronization attacks (see III.B.2 in [1]). The proper validation is to exclude 0, 1, 325606250916557431795983626356110631294008115727848805560023387167927233504, 39382357235489614581723060781553021112529911719440698176882885853963445705823, 2^255 - 19 - 1, 2^255 - 19, 2^255 - 19 + 1, 2^255 - 19 + 325606250916557431795983626356110631294008115727848805560023387167927233504, 2^255 - 19 + 39382357235489614581723060781553021112529911719440698176882885853963445705823, 2(2^255 - 19) - 1, 2(2^255 - 19), and 2(2^255 - 19) + 1. Without this validation, any one peer of the connection can (mostly) control the session key, which is mitigated in TLS 1.3 but still an undesirable property in any compound authentication setting. Best, Antoine [1] http://antoine.delignat-lavaud.fr/doc/ndss15.pdf
- [TLS] Point validation in 1.3 Watson Ladd
- Re: [TLS] Point validation in 1.3 Eric Rescorla
- Re: [TLS] Point validation in 1.3 Yoav Nir
- Re: [TLS] Point validation in 1.3 Ilari Liusvaara
- Re: [TLS] Point validation in 1.3 Antoine Delignat-Lavaud
- Re: [TLS] Point validation in 1.3 Antoine Delignat-Lavaud