On 1/27/21 11:12 AM, Nym Seddon wrote:
Hi Stefan,
In the recommendations from SafeCurves (https://safecurves.cr.yp.to/twist.html)
there are a number of attacks against ECC twists. Two of those attacks are
relevant against NIST P192: invalid-curve attacks and invalid-curve attacks
against ladders.
Both attacks can be mitigated by checking the supplied public key is on the
correct curve, before performing curve operations.
Not sure if the right place for those checks are in the signature verification
code provided in these patches, or when reading public keys from the
certificates. Does the kernel provide functions for checking curve points
satisfy their respective curve equations?
There are also tables describing the cost of combined attacks on various
curves, where NIST P224 already falls below the safe threshold. Because of
that, I would recommend not implementing support for NIST P192 (since it would
fair even worse).
What are your thoughts?
I am calling into a function performing such a test at the end of the
function parsing the public key:
return ecc_is_pubkey_valid_full(ctx->curve, ctx->pub_key)
https://elixir.bootlin.com/linux/latest/source/crypto/ecc.c#L1458
Is that good 'enough' ?
Stefan
