Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Jan 9, 2016 2:18 AM, "Ilari Liusvaara" wrote: > > On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote: > > On Thu, Dec 31, 2015 at 08:16:35PM +, Blumenthal, Uri - 0553 - MITLL wrote: > > > I think Watson made a good point about "omittable checks". ‎If

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 9:43 AM, Adam Langley wrote: > On Wed, Dec 30, 2015 at 7:40 PM, Brian Smith wrote: > > When you say "the plan," whose plan are you referring to? If you read > that > > whole thread, there was a lot of well-founded opposition

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 31 December 2015 at 17:54, Ilari Liusvaara wrote: > Zero checks can already be unit-tested/interop-tested just as well. What ekr said applies, but also this: Yes, you can test that a given implementation does the right checks, but you won't be checking during

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

I'm finding myself a bit unclear on the scenario people are concerned about. It seems like there are two potential cases: 1. You have an implementation which already does some of the algorithms we know are susceptible to THS-type attacks. 2. You have an implementation which only does the CFRG

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

y, December 31, 2015 01:23 To: tls@ietf.org Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful? smime.p7s Description: S/MIME cryptographic signature ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote: > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara > wrote: > > 2. Implementations which only do new algorithms can mandate EMS and not > implement old derivation at all, provided we make that a rule here.

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara wrote: > On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote: > > On 31 December 2015 at 17:54, Ilari Liusvaara > wrote: > > > Zero checks can already be unit-tested/interop-tested

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 09:16:12PM -0500, Watson Ladd wrote: > On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote: > > Watson Ladd wrote: > > > > Actually, because the check for non-zero result can/should/is in the > > X25519/X448 functions

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara wrote: > On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote: > > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara < > ilariliusva...@welho.com> > > wrote: > > > > 2. Implementations which only do new

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 12:55:09PM -0800, Eric Rescorla wrote: > On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara > wrote: > > > On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote: > > > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara < > >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Adam Langley wrote: > On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote: > > > I think it is a good idea to implement the session hash extension, in > > general. However, I think it is a bad idea to prescribe it as the > solution > > for this

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote: > I think it is a good idea to implement the session hash extension, in > general. However, I think it is a bad idea to prescribe it as the solution > for this particular problem because: > > 1. draft-irtf-cfrg-curves-11,

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 1:23 AM, Alyssa Rowan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2015-12-31 03:30, Adam Langley wrote: > >> I don't mind if the integration of curve25519 in TLS requires a >> zero-check or not, but what property are people hoping to

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 06:23:08AM +, Alyssa Rowan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2015-12-31 03:30, Adam Langley wrote: > > > I don't mind if the integration of curve25519 in TLS requires a > > zero-check or not, but what property are people hoping to

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote: > Watson Ladd wrote: >> >> Why not hash the public values into the result of the key exchange? I >> don't want security to depend on omittable checks. > > > One would need an omittable check in the

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson wrote: > On 30 December 2015 at 22:16, Ilari Liusvaara > wrote: > >> Would it make sense to have session hash as a requirement in TLS > >> 1.2 when you want to use Curve25519? > > > > I don't think that is reasonable. > > I

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Kurt Roeckx wrote: > On Tue, Dec 29, 2015 at 10:10:47PM +0200, Karthikeyan Bhargavan wrote: > > As mentioned before, validating Curve25519 public values is necessary in > TLS 1.2 without session hash. > > Otherwise, as we pointed out in [1], the triple handshake attack returns. >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > On 30 December 2015 at 22:16, Ilari Liusvaara > wrote: > >> Would it make sense to have session hash as a requirement in TLS > >> 1.2 when you want to use Curve25519? > > > > I don't think that is

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote: > > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > > On 30 December 2015 at 22:16, Ilari Liusvaara wrote: > > >> Would it make sense to have session hash as a requirement in

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 7:23 PM, Watson Ladd wrote: > > On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" > wrote: > > > > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote: > > > On 30 December 2015 at 22:16, Ilari Liusvaara < >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Wed, Dec 30, 2015 at 07:23:12PM -0500, Watson Ladd wrote: > On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote: > > > > I also think I figured out a way to truly force contributory behaviour > > without any checks: > > > > It is a bit nasty hack: Throw the exchange keys

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Watson Ladd wrote: > Why not hash the public values into the result of the key exchange? I > don't want security to depend on omittable checks. > One would need an omittable check in the code to decide whether to do that extra hashing, so that wouldn't solve the

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 30 December 2015 at 22:16, Ilari Liusvaara wrote: >> Would it make sense to have session hash as a requirement in TLS >> 1.2 when you want to use Curve25519? > > I don't think that is reasonable. I think that is entirely reasonable. TLS 1.2 relies on contributory

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2015-12-31 03:30, Adam Langley wrote: > I don't mind if the integration of curve25519 in TLS requires a > zero-check or not, but what property are people hoping to gain? If > one wants to avoid triple-handshake like issues then session-hash >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Tue, Dec 22, 2015 at 2:09 PM, Brian Smith wrote: > If an implementation only implements ECDHE cipher suites then > implementing the session hash extension is not necessary, according to RFC > 7627. I believe there are also a few other factors that would implementing >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

As mentioned before, validating Curve25519 public values is necessary in TLS 1.2 without session hash. Otherwise, as we pointed out in [1], the triple handshake attack returns. [1] http://www.internetsociety.org/doc/verified-contributive-channel-bindings-compound-authentication

[TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

The current draft [1] says: Other than this recommended check, implementations do not need to ensure that the public keys they receive are legitimate: this is not necessary for security with Curve25519. However, Thai Duong (of BEAST fame, among other things) wrote that TLS 1.2

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson wrote: > Watson Ladd wrote: > > Textbook DH does not ensure contributory behavior. Applications don't > > implement the required checks for poorly designed protocols. If we insert > > checks, applications which fail to make those

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson wrote: > On 23 December 2015 at 10:23, Brian Smith wrote: > > It may be the case that TLS requires contributory behavior and point > > validation is still unnecessary. Or, it may be the case that TLS doesn't > > really require

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Tue, Dec 22, 2015 at 02:09:32PM -1000, Brian Smith wrote: > If checking that the shared value isn't zero is sufficient It should suffice, ideally with a constant-time comparison. -- Viktor. ___ TLS mailing list TLS@ietf.org

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 23 December 2015 at 11:09, Brian Smith wrote: > If an implementation only implements ECDHE cipher suites then implementing > the session hash extension is not necessary, according to RFC 7627. I It doesn't really say that as far as I can see, though I guess that you

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Dec 22, 2015 4:15 PM, "Brian Smith" wrote: > > The current draft [1] says: > > Other than this recommended check, implementations do > not need to ensure that the public keys they receive > are legitimate: this is not necessary for security > with

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 23 December 2015 at 08:51, Watson Ladd wrote: > Textbook DH does not ensure contributory behavior. Applications don't > implement the required checks for poorly designed protocols. If we insert > checks, applications which fail to make those checks will be vulnerable, >

Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On 23 December 2015 at 10:23, Brian Smith wrote: > It may be the case that TLS requires contributory behavior and point > validation is still unnecessary. Or, it may be the case that TLS doesn't > really require contributory behavior (though, it seems obvious to me that it >