Re: [TLS] Point validation in 1.3
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Thu, 17 November 2016 16:13 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E229F12948A for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 08:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrhdBx5Wh7cp for <tls@ietfa.amsl.com>; Thu, 17 Nov 2016 08:13:53 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 570BA12940C for <tls@ietf.org>; Thu, 17 Nov 2016 08:13:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=aY2ZuDmXpDqRxMWhAKetTfnXeD8wEZ1FW3i7ozYgqv0=; b=SwSrDNnxypqmdo98qBZhiVKeDo mBlbFKo7DNL0r9zcGpkqIQEvGI+DwAdaESInt1pu+nNXAN1IVEL39eL7YIbPXkWJ7HX8EEsADyzYC yeLv39GCvo2eaa0etVv4NqoRABMQUgVObwK3MONEEATDGTPoJqtdvDRc/JGZm92q0hX70Gn31jyDz ptaRK9yeQMlXC07J8BqTnFW+7kZ5xpkUmprPZ0jwn4nib8iPr3i+npOBovQMD3TyJMmI0PNeQU5Kd Q5m9uUGuc/4SomAeJ7yI9DjtmPxKtRtyY45H7C5BRXj1WtMS1RBX/eh/Fxi/EIaCUjsuTzLHWHCXM Jh/Naw/A==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1c7PJu-0000iQ-5u ; Thu, 17 Nov 2016 17:13:50 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Thu, 17 Nov 2016 16:13:49 +0000
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Organization: Microsoft Research
In-Reply-To: <873492101dd071c361b12de270fe166e@delignat-lavaud.fr>
References: <CACsn0cnX90rOH0OQzzksrg1CYLeDugt_tT3+EKBY=tZ37oFR4w@mail.gmail.com> <4D79E074-6231-4CDD-88A0-2E8EBEA1BCA5@gmail.com> <20161115153555.GA7882@LK-Perkele-V2.elisa-laajakaista.fi> <873492101dd071c361b12de270fe166e@delignat-lavaud.fr>
Message-ID: <3348e9a0ee34a9b10e87c8120c5885ca@delignat-lavaud.fr>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.2.2
X-Virus-Checked: False
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pkzYxXz8VBHo1kAyOtOh2YLgS60>
Cc: tls@ietf.org
Subject: Re: [TLS] Point validation in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2016 16:13:56 -0000
Le 2016-11-17 14:58, Antoine Delignat-Lavaud a écrit : > Le 2016-11-15 15:35, Ilari Liusvaara a écrit : >> On Tue, Nov 15, 2016 at 05:02:24PM +0900, Yoav Nir wrote: >>> I think the performance enhancement (in terms of handshakes per >>> second) >>> that you get by reusing ephemeral keys is so great, that we have to >>> assume people will do it. You don’t have to keep the keys >>> indefinitely. >>> It’s fine to generate a new key every second or ten seconds or so. >>> >>> Which makes running the point validation all the more important. >> >> There's two main reasons for point validation: >> >> 1) Preventing leaking of the secret exponent. >> 2) Preventing key collisions from low-order points. >> >> TLS 1.3 isn't vulernable to 2) like TLS 1.2 and below are (without >> EMS). >> >> X25519/X448 have been explicitly designed to resist 1). >> >> If you want to prevent using low-order points for some reason, there >> is >> a handy trick: Check if the output of X25519/X448 is all zeroes or >> not, and abort if it is. > > There is an unfortunately common mis-conception that X25519 doesn't > need point validation for Diffie-Hellman which comes from the original > PR of Bernstein et al. Curve25519 has an order 8 subgroup that can be > used to do key collisions and transcript synchronization attacks (see > III.B.2 in [1]). The proper validation is to exclude 0, 1, > 325606250916557431795983626356110631294008115727848805560023387167927233504, > 39382357235489614581723060781553021112529911719440698176882885853963445705823, > 2^255 - 19 - 1, 2^255 - 19, 2^255 - 19 + 1, 2^255 - 19 + > 325606250916557431795983626356110631294008115727848805560023387167927233504, > 2^255 - 19 + > 39382357235489614581723060781553021112529911719440698176882885853963445705823, > 2(2^255 - 19) - 1, 2(2^255 - 19), and 2(2^255 - 19) + 1. Without this > validation, any one peer of the connection can (mostly) control the > session key, which is mitigated in TLS 1.3 but still an undesirable > property in any compound authentication setting. I misunderstood your message, if you check the output of the multiplication with the peer public key rather than the public key itself, checking for 0 is indeed the easiest (and safe) check to perform. Antoine
- [TLS] Point validation in 1.3 Watson Ladd
- Re: [TLS] Point validation in 1.3 Eric Rescorla
- Re: [TLS] Point validation in 1.3 Yoav Nir
- Re: [TLS] Point validation in 1.3 Ilari Liusvaara
- Re: [TLS] Point validation in 1.3 Antoine Delignat-Lavaud
- Re: [TLS] Point validation in 1.3 Antoine Delignat-Lavaud