Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Adam Langley wrote: > On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote: > > > I think it is a good idea to implement the session hash extension, in > > general. However, I think it is a bad idea to prescribe it as the > solution > > for this

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote: > I think it is a good idea to implement the session hash extension, in > general. However, I think it is a bad idea to prescribe it as the solution > for this particular problem because: > > 1. draft-irtf-cfrg-curves-11,

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 1:23 AM, Alyssa Rowan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2015-12-31 03:30, Adam Langley wrote: > >> I don't mind if the integration of curve25519 in TLS requires a >> zero-check or not, but what property are people hoping to

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 06:23:08AM +, Alyssa Rowan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2015-12-31 03:30, Adam Langley wrote: > > > I don't mind if the integration of curve25519 in TLS requires a > > zero-check or not, but what property are people hoping to

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote: > Watson Ladd wrote: >> >> Why not hash the public values into the result of the key exchange? I >> don't want security to depend on omittable checks. > > > One would need an omittable check in the

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson wrote: > On 30 December 2015 at 22:16, Ilari Liusvaara > wrote: > >> Would it make sense to have session hash as a requirement in TLS > >> 1.2 when you want to use Curve25519? > > > > I don't think that is reasonable. > > I

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Kurt Roeckx wrote: > On Tue, Dec 29, 2015 at 10:10:47PM +0200, Karthikeyan Bhargavan wrote: > > As mentioned before, validating Curve25519 public values is necessary in > TLS 1.2 without session hash. > > Otherwise, as we pointed out in [1], the triple handshake attack returns. >

[TLS] draft-ietf-tls-curve25519: Remove Appendix A

I suggest that the entire Appendix A be removed, as it duplicates draft-irtf-cfrg-curves-11 and it is too difficult and tedious to verify that it matches what draft-irtf-cfrg-curves-11 says. Also, it doesn't say anything about X448. I've noticed that the draft has a few other places that talk

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > On 30 December 2015 at 22:16, Ilari Liusvaara > wrote: > >> Would it make sense to have session hash as a requirement in TLS > >> 1.2 when you want to use Curve25519? > > > > I don't think that is

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote: > > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > > On 30 December 2015 at 22:16, Ilari Liusvaara wrote: > > >> Would it make sense to have session hash as a requirement in

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 7:23 PM, Watson Ladd wrote: > > On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" > wrote: > > > > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > > > On 30 December 2015 at 22:16, Ilari Liusvaara < >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 07:23:12PM -0500, Watson Ladd wrote: > On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote: > > > > I also think I figured out a way to truly force contributory behaviour > > without any checks: > > > > It is a bit nasty hack: Throw the exchange keys

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Watson Ladd wrote: > Why not hash the public values into the result of the key exchange? I > don't want security to depend on omittable checks. > One would need an omittable check in the code to decide whether to do that extra hashing, so that wouldn't solve the

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 30 December 2015 at 22:16, Ilari Liusvaara wrote: >> Would it make sense to have session hash as a requirement in TLS >> 1.2 when you want to use Curve25519? > > I don't think that is reasonable. I think that is entirely reasonable. TLS 1.2 relies on contributory

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2015-12-31 03:30, Adam Langley wrote: > I don't mind if the integration of curve25519 in TLS requires a > zero-check or not, but what property are people hoping to gain? If > one wants to avoid triple-handshake like issues then session-hash >

Re: [TLS] draft-ietf-tls-curve25519-01 and the X25519 significant bit.

On Tue, Dec 29, 2015 at 09:02:25AM -1000, Brian Smith wrote: > > Does that matter, though? The CFRG document doesn't allow the sender to set > the high bit to 1, right? In particular, it says "All calculations are > performed in GF(p), i.e., they are performed modulo p." and "For X25519, > the