Re: [TLS] Curve25519 and TLS

Watson Ladd <watsonbladd@gmail.com> Sat, 14 June 2014 12:36 UTC

In-Reply-To: <20140614073925.GY8358@mournblade.imrryr.org>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <20140614073925.GY8358@mournblade.imrryr.org>
Date: Sat, 14 Jun 2014 09:36:31 -0300
Message-ID: <CACsn0c=OnRQA1+tKFXxBGZ8aQaOYuLqhupxJ98A-N=ELfWXWuA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ovieGF_ScAo9FzR_rsQtrVLXA8w
Subject: Re: [TLS] Curve25519 and TLS

On Sat, Jun 14, 2014 at 4:39 AM, Viktor Dukhovni
<viktor1dane@dukhovni.org> wrote:
> On Fri, Jun 13, 2014 at 06:30:46PM -0300, Watson Ladd wrote:
>
>> TLS with ECC computes the premaster secret as H(abg) where g is the
>> generator of the group, and a and b are the ephemeral exponents.
>> Because of protocol weaknesses, this premaster secret must be
>> "contributory": neither side can be allowed to dictate it.
>>
>> Curve25519 has order 8*q, where q is some prime. All encoded public
>> keys lie on this or a twist with order 4*q'. (I might be wrong in the
>> details, but it's right enough). In particular there is a point of
>> order 2.
>
> As far as I can tell, this is not the case with Diffie-Hellman over
> Curve 25519, because the base-point (namely 9) has order 8, and
> the cyclic sub-group it generates has prime order.  All private
> keys are multiples of 8, so an attacker M who chooses a low order
> element must send a public key m of order 1, 2, 4 or 8, which since
> Alice's private exponent is a multiple of 8 means that g^{am} is
> the identity.

Yes, the only key that results is the identity. So the attack is 100%,
not 50%, effective.

>
> See the "Small-subgroup attacks" section of DJB's paper.  Since
> key agreement with Curve25519 is presumably Diffie-Hellman with
> (9) as the base point and the recommended constraints on private
> exponents, there should be no problem.

Read http://cr.yp.to/ecdh.html, the portion after "contributory behavior".

This is not an attack that recovers the exponent: it's an attack that
involves predicting the premaster secret ahead of time.
>
>> A malicious server can provide a point of order 2, and with 50%
>> probability get a dictated premaster secret.
>
> Not useful when Alice's (or Bob's depending on whom Mallory is
> trying to fool) private exponent is a multiple of 8, the only check
> required is that the final shared secret is not the identity (IIRC
> the point at infinity is represented by "0" in Curve 25519 so the
> check is then just to make sure that the DH shared secret is not
> 32 zero octets).

Yes, but this check isn't specified in the josefsson-tls-curve25519
draft. It needs to be.
Section 2.1 states

   Parties exchange their public keys (see Section 2.3) and compute a
   shared secret as x_S = Curve25519(d, x_peer).  This shared secret is
   used directly as the premaster secret, which is always exactly
   32 bytes when ECDHE with Curve25519 is used.

That implies there is no check on the value of the shared secret.

Sincerely,
Watson Ladd

>
> Corrections/elaboration from folks more familiar with 25519 welcome.
>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
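The behaviour the thread argues about, as an added example that is not part of the original message, the draft, or any library: a pure-Python X25519 following the ladder and private-key clamping later written down in RFC 7748, used to show that a clamped private scalar (a multiple of 8) times any low-order peer value is the identity, encoded as 32 zero bytes, so Mallory can name the premaster secret in advance without learning anybody's key. The low-order u-coordinates (0, 1, p-1 and the two order-8 points) are derived in code from the subgroup order rather than hard-coded. The function names (`premaster_as_drafted`, `premaster_checked`, `order8_points`, `attacker_can_predict`) and the random private keys used in the demonstration are this example's own; `premaster_as_drafted` is the draft's "use x_S directly", `premaster_checked` is the all-zero check Viktor describes and Watson says the draft lacks.

```python
# X25519 in pure Python (RFC 7748 ladder), to show why the all-zero check on the
# Curve25519 shared secret matters.  Added example, not code from the thread,
# the draft or any library.  Sample keys below are random, not fixed vectors.
import os

P = 2**255 - 19                     # field prime
A = 486662                          # Curve25519: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4                  # 121665, the constant the ladder uses
Q = 2**252 + 27742317777372353535851937790883648493  # prime order of <base point>
BASE_U = 9                          # u-coordinate of the generator; curve order is 8*Q


def ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 on raw integers (no clamping).
    Returns the u-coordinate of k*(u, v); the identity comes out as 0."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 (identity) gives 0


def clamp(k: bytes) -> int:
    """Private-key decoding: clear the low 3 bits (scalar becomes a multiple
    of 8), clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(k, u): 32-byte scalar, 32-byte u with bit 255 ignored."""
    ui = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return ladder(clamp(k), ui).to_bytes(32, "little")


def public_key(k: bytes) -> bytes:
    return x25519(k, BASE_U.to_bytes(32, "little"))


def on_curve(u: int) -> bool:
    """True if (u, v) lies on Curve25519 for some v, i.e. not on the twist."""
    rhs = (u**3 + A * u**2 + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def order8_points() -> tuple:
    """Derive the two u-coordinates of order-8 points: take a curve point
    outside the prime-order subgroup, multiply by Q; what is left has order
    dividing 8 (u=0: order 1 or 2, u=1: order 4, anything else: order 8)."""
    u = 2
    while True:
        if on_curve(u):
            r = ladder(Q, u)
            if r not in (0, 1):
                return r, ladder(3, r)   # 3*R is the other order-8 u-coordinate
        u += 1


def low_order_u() -> list:
    """Every u a peer can send to force a predictable shared secret: the
    order-2 point (0), the order-4 points (1 on the curve, p-1 on the twist)
    and the two order-8 points."""
    r1, r2 = order8_points()
    return [0, 1, P - 1, r1, r2]


def premaster_as_drafted(d: bytes, x_peer: bytes) -> bytes:
    """The draft text: x_S = Curve25519(d, x_peer), used directly, no check."""
    return x25519(d, x_peer)


def premaster_checked(d: bytes, x_peer: bytes) -> bytes:
    """The missing check: refuse an all-zero shared secret (the identity)."""
    x_s = x25519(d, x_peer)
    if x_s == bytes(32):
        raise ValueError("peer sent a low-order point; shared secret is the identity")
    return x_s


def attacker_can_predict(x_peer_u: int, trials: int = 5) -> bool:
    """Mallory sends x_peer.  Is the victim's premaster secret all zero no
    matter which (random, clamped) private key the victim uses?"""
    x_peer = x_peer_u.to_bytes(32, "little")
    return all(premaster_as_drafted(os.urandom(32), x_peer) == bytes(32)
               for _ in range(trials))


if __name__ == "__main__":
    for u in low_order_u():
        print(f"peer u = {u}: premaster predictable without any key: {attacker_can_predict(u)}")
    print(f"peer u = {BASE_U}: premaster predictable: {attacker_can_predict(BASE_U)}")
```

Running it prints True for all five low-order values and False for the base point. The check costs one 32-byte comparison after the scalar multiplication, and because clamping makes every honest scalar a multiple of 8, the all-zero output is exactly the set of cases where the peer's value had order 1, 2, 4 or 8 (on the curve or its twist), which is why the comparison alone suffices.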