Re: [TLS] Curve25519 in TLS
Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed, 16 October 2013 13:05 UTC

On 16/10/2013 08:42, Martin Rex wrote:
> Make it work completely _without_ rfc4492 bloat,
> and similar to DH instead, defining new KeyExchange Methods
> and separate ciphersuites for it.
>

If we want to cover all existing key exchanges and ciphersuites, this would mean defining four new key exchanges (ECDH25519-PSK,RSA,ECDSA,anon), and 52 new ciphersuites currently. And then duplicating every ECDHE-based ciphersuite defined in the future. And if at some point, a new Montgomery or Edwards curve is proposed (maybe the recent curve3617), duplicating all that again.

That's quite a lot of trouble: what specific problem would it solve? What exactly do you mean by RFC 4492 "bloat", and in which specific way would defining new key exchanges make it lighter? As an implementer, I don't feel like adding new key exchanges for Curve25519 would make my life any easier, as it would come *in addition* to RFC 4492 support.

Anyway, I believe that cryptographic parameters agility is a highly desirable property of a protocol like TLS, and RFC 4492 provides that, better than specialised key exchanges supporting only one curve. If that solution had been adopted in early 2006, the only one curve would probably have been a NIST curve (curve25519 was very new at the time, while NIST curves had been around for years), and you wouldn't be very happy now, I guess.

I hope my first post didn't give the wrong impression: I don't think the framework from RFC 4492 is a misfit for the Curve25519 ECDH function; the only real point of friction is the encoding of the public keys. The other remarks I made are merely things I'd like to see clarified in the draft, and information that seemed relevant to me to discuss the public key format.

Manuel.