IETF Logo Mail Archive

Re: [TLS] Point validation in 1.3

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Thu, 17 November 2016 16:13 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E229F12948A for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 08:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrhdBx5Wh7cp for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 08:13:53 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 570BA12940C for <tls@ietf.org>; Thu, 17 Nov 2016 08:13:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=aY2ZuDmXpDqRxMWhAKetTfnXeD8wEZ1FW3i7ozYgqv0=; b=SwSrDNnxypqmdo98qBZhiVKeDo mBlbFKo7DNL0r9zcGpkqIQEvGI+DwAdaESInt1pu+nNXAN1IVEL39eL7YIbPXkWJ7HX8EEsADyzYC yeLv39GCvo2eaa0etVv4NqoRABMQUgVObwK3MONEEATDGTPoJqtdvDRc/JGZm92q0hX70Gn31jyDz ptaRK9yeQMlXC07J8BqTnFW+7kZ5xpkUmprPZ0jwn4nib8iPr3i+npOBovQMD3TyJMmI0PNeQU5Kd Q5m9uUGuc/4SomAeJ7yI9DjtmPxKtRtyY45H7C5BRXj1WtMS1RBX/eh/Fxi/EIaCUjsuTzLHWHCXM Jh/Naw/A==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1c7PJu-0000iQ-5u ; Thu, 17 Nov 2016 17:13:50 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Thu, 17 Nov 2016 16:13:49 +0000
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Organization: Microsoft Research
In-Reply-To: <873492101dd071c361b12de270fe166e@delignat-lavaud.fr>
References: <CACsn0cnX90rOH0OQzzksrg1CYLeDugt_tT3+EKBY=tZ37oFR4w@mail.gmail.com> <4D79E074-6231-4CDD-88A0-2E8EBEA1BCA5@gmail.com> <20161115153555.GA7882@LK-Perkele-V2.elisa-laajakaista.fi> <873492101dd071c361b12de270fe166e@delignat-lavaud.fr>
Message-ID: <3348e9a0ee34a9b10e87c8120c5885ca@delignat-lavaud.fr>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.2.2
X-Virus-Checked: False
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pkzYxXz8VBHo1kAyOtOh2YLgS60>
Cc: tls@ietf.org
Subject: Re: [TLS] Point validation in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2016 16:13:56 -0000

Le 2016-11-17 14:58, Antoine Delignat-Lavaud a écrit :
> Le 2016-11-15 15:35, Ilari Liusvaara a écrit :
>> On Tue, Nov 15, 2016 at 05:02:24PM +0900, Yoav Nir wrote:
>>> I think the performance enhancement (in terms of handshakes per 
>>> second)
>>> that you get by reusing ephemeral keys is so great, that we have to
>>> assume people will do it.  You don’t have to keep the keys 
>>> indefinitely.
>>> It’s fine to generate a new key every second or ten seconds or so.
>>> 
>>> Which makes running the point validation all the more important.
>> 
>> There's two main reasons for point validation:
>> 
>> 1) Preventing leaking of the secret exponent.
>> 2) Preventing key collisions from low-order points.
>> 
>> TLS 1.3 isn't vulernable to 2) like TLS 1.2 and below are (without 
>> EMS).
>> 
>> X25519/X448 have been explicitly designed to resist 1).
>> 
>> If you want to prevent using low-order points for some reason, there 
>> is
>> a handy trick: Check if the output of X25519/X448 is all zeroes or
>> not, and abort if it is.
> 
> There is an unfortunately common mis-conception that X25519 doesn't
> need point validation for Diffie-Hellman which comes from the original
> PR of Bernstein et al. Curve25519 has an order 8 subgroup that can be
> used to do key collisions and transcript synchronization attacks (see
> III.B.2 in [1]). The proper validation is to exclude 0, 1,
> 325606250916557431795983626356110631294008115727848805560023387167927233504,
> 39382357235489614581723060781553021112529911719440698176882885853963445705823,
> 2^255 - 19 - 1, 2^255 - 19, 2^255 - 19 + 1, 2^255 - 19 +
> 325606250916557431795983626356110631294008115727848805560023387167927233504,
> 2^255 - 19 +
> 39382357235489614581723060781553021112529911719440698176882885853963445705823,
> 2(2^255 - 19) - 1, 2(2^255 - 19), and 2(2^255 - 19) + 1. Without this
> validation, any one peer of the connection can (mostly) control the
> session key, which is mitigated in TLS 1.3 but still an undesirable
> property in any compound authentication setting.

I misunderstood your message, if you check the output of the 
multiplication with the peer public key rather than the public key 
itself, checking for 0 is indeed the easiest (and safe) check to 
perform.

Antoine

v2.23.0 | Report a Bug | By Email