Re: [TLS] Using Brainpool curves in TLS

Watson Ladd <watsonbladd@gmail.com> Tue, 15 October 2013 15:49 UTC


On Tue, Oct 15, 2013 at 5:13 AM, Paul Bakker <p.j.bakker@offspark.com> wrote:
> Fresh from the oven:
> https://polarssl.org/tech-updates/releases/polarssl-1.3.1-released
>
> So: yes.. ;)
>
>> -----Original Message-----
>> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
>> Patrick Pelletier
>> Sent: dinsdag 15 oktober 2013 9:33
>> To: TLS@ietf.org (tls@ietf.org)
>> Subject: Re: [TLS] Using Brainpool curves in TLS
>>
>> On 10/14/13 8:45 AM, Johannes Merkle wrote:
>> > just in case that someone hasn't noticed it: our draft on using the
>> > Brainpool curves in TLS has been published as RFC 7027
>> > http://www.rfc-editor.org/rfc/rfc7027.txt
>>
>> Is support available in any TLS libraries yet?  Do we know which libraries
>> are planning on adding support for Brainpool?

What problems does this solve? The Brainpool curves still have
unverifiable construction, Weierstraß form (meaning many corner cases
in addition and the possibility of sending points not on the curve),
primes that are ugly and horribly slow (seriously, randomly picked
primes?), come courtesy of our friends in the BND, and don't solve any
problems beyond a possible backdoor in NIST curves. What is the rationale
behind these curves as opposed to Curve25519? (The curve given by the
Montgomery equation y^2=x^3+486662x^2+x over the field
F(2^255-19), with canonical basepoint x=9).

The implementation in PolarSSL has a nonconstant pattern of memory
access. Seriously, it isn't 1999 anymore: everyone doing cryptography
should be aware of these issues.

Sincerely,
Watson Ladd




-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
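The two implementation points raised in the message above, a peer-supplied point that is not on the curve and a memory-access pattern that depends on the secret, shown as an added Python example that is not part of this thread and not PolarSSL's code. The first function is the on-curve check a short-Weierstrass implementation must run on every received point; the toy curve y^2 = x^3 + 2x + 3 over GF(97) used with it is constructed for illustration. The second is X25519 on the curve the message names, computed with a Montgomery ladder whose secret bit feeds only an arithmetic swap, never a branch or an array index. Function names are the example's own; the X25519 test values are the RFC 7748 section 6.1 vectors.

```python
# Added example (not from the original thread or from PolarSSL).
# 1. Validate a received short-Weierstrass point before using it.
# 2. X25519 with a branch-free Montgomery ladder (RFC 7748 section 5).
# The toy curve parameters in __main__ are constructed for illustration.

P25519 = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for y^2 = x^3 + 486662x^2 + x


def is_on_weierstrass_curve(p: int, a: int, b: int, x: int, y: int) -> bool:
    """Return True iff (x, y) satisfies y^2 = x^3 + a*x + b over GF(p).

    A peer-supplied point that fails this check must be rejected: a scalar
    multiplication that skips it runs on whatever curve the supplied point
    actually lies on, which is how private-scalar information leaks.
    """
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def _clamp_scalar(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """RFC 7748 u-coordinate decoding: the top bit of the last byte is ignored."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    """Arithmetic conditional swap; `swap` is 0 or 1 and never drives a branch."""
    mask = -swap  # 0 or -1 (all ones)
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder on Curve25519, following RFC 7748 section 5."""
    p = P25519
    k = _clamp_scalar(scalar)
    x1 = _decode_u(u_bytes) % p
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    # Every scalar performs the same sequence of field operations; the
    # secret bit only selects operands through the arithmetic swap.
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % p
        aa = a * a % p
        b = (x2 - z2) % p
        bb = b * b % p
        e = (aa - bb) % p
        c = (x3 + z3) % p
        d = (x3 - z3) % p
        da = d * a % p
        cb = c * b % p
        x3 = (da + cb) ** 2 % p
        z3 = x1 * ((da - cb) ** 2) % p
        x2 = aa * bb % p
        z2 = e * (aa + A24 * e) % p
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, p - 2, p) % p).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")  # canonical basepoint u = 9


def x25519_agree(priv_a: bytes, priv_b: bytes) -> bool:
    """True iff both parties derive the same shared secret from the ladder."""
    pub_a = x25519(priv_a, BASEPOINT)
    pub_b = x25519(priv_b, BASEPOINT)
    return x25519(priv_a, pub_b) == x25519(priv_b, pub_a)


if __name__ == "__main__":
    # Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97): (3, 6) is on it.
    print(is_on_weierstrass_curve(97, 2, 3, 3, 6))  # True
    print(is_on_weierstrass_curve(97, 2, 3, 3, 7))  # False
    alice = bytes.fromhex(
        "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    print(x25519(alice, BASEPOINT).hex())
```

Python integers are not themselves constant-time, so the ladder demonstrates the structure (uniform operation sequence, arithmetic select instead of a branch) rather than a timing guarantee; in C the same shape is what lets an implementation avoid the secret-dependent access pattern the message objects to. The Weierstrass check is the counterpart for curves such as the Brainpool ones, where the ladder's built-in protection against off-curve inputs does not exist and the receiver has to verify the point itself.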