Re: [Webpush] Suggestion regarding curve validation in draft-ietf-webpush-encryption

Martin Thomson <> Fri, 12 May 2017 00:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 20FA712EAD9 for <>; Thu, 11 May 2017 17:31:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dXcQXFnTEBYO for <>; Thu, 11 May 2017 17:31:36 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c0c::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AFC56129B84 for <>; Thu, 11 May 2017 17:26:31 -0700 (PDT)
Received: by with SMTP id w50so33452050wrc.0 for <>; Thu, 11 May 2017 17:26:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O4IQIwjEQ7596KkwkGMFJ4OVI8fuayx5qC4q911CMIo=; b=rXdx9FofK4CyqbY7RPBg3G65ZTJhOuLJq0mRGSH1jmy8EyP9Gjf/UkUSu3Z2gA1va1 txHBYJM16EZILIV1hgNdk/0O1Fgqy2JXfF+g/khqHzwM3KHSI0w1GMoeezLU/fPrvT+0 dD5s8Gcs6itMNZ8INwY5GFTCJlOzmOIgJ+WF6IusQVC5IFtbzYe023o92LpnCJZO37kj NN8W3mLSMX5GClfOZn2ysBgEeJYNWwDwCH/cwOKR42oghKthzl/WaS1noHu9UxFgW0Od j6HcCoHVIoqvQx+861iH69H6CXMu8oREaI4C40Rk4msNUn9vyAJAjBwTOvh+qFnUedub r3iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O4IQIwjEQ7596KkwkGMFJ4OVI8fuayx5qC4q911CMIo=; b=OHC4n6KohDazaSbSNZ4mI5/gBCsKsYX+hstSIMtvrrDsoNYYCQXsCes/WHj8yeorzw keSLTVI2rz19SrPjcAqx8uoI2bpZ1ihHkV5C/xCNNC+dFvD3SU9L9hwTgmNxSB4nARjz d2VcDsFGrs0glVb7MfcMNdwH7VEyBVxqKyqMkisrk7hpbpDflIznKEbx4yBFFnsAGwc2 8ySKWl4O4KpCdHK1icp0Rfd0piQv1NtnlxxM1KBaew3PNqRNJfngHsXNDVl8FdMKBeBJ 93dYPxdtAwrr+i7yf69OVKwtY0hSfCr31houyVoFaj0jiFTTixzO5Y2hL8uXP0LXgeBc 87VA==
X-Gm-Message-State: AODbwcDp0XwSlbslcZONc1At8ci6AdQw5sI+aSyvtn3eQINo63Q7/Dsz mdxdLnjrdvLrW+jyxgHBJTqbVV2i8Q==
X-Received: by with SMTP id 18mr321287ljt.103.1494548790224; Thu, 11 May 2017 17:26:30 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 11 May 2017 17:26:29 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Martin Thomson <>
Date: Fri, 12 May 2017 10:26:29 +1000
Message-ID: <>
To: Peter Beverloo <>
Cc: "" <>, Quan Nguyen <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Webpush] Suggestion regarding curve validation in draft-ietf-webpush-encryption
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 May 2017 00:31:38 -0000

Yeah, probably not a bad idea.  I originally assumed that this was
part of most libraries (NSS does this always), but since writing the
draft I've learned that not every library does this properly.

I've updated my private copy of the draft.  I've also checked that my
implementations of the draft aren't vulnerable (I only traced the
code, but it appears that they all end up in the openssl key import
code, which validates points:

On 12 May 2017 at 04:57, Peter Beverloo <> wrote:
> Relaying for Quan Nguyen (cc'd):
>       I would suggest adding a section about verifying peer's public key
>       is on the private key's curve in ECDH protocol. Without this check,
>       for the curve that they use P-256, it would allow attacker to
>       extract the private key.
> Thanks,
> Peter