On Jan 9, 2016 2:18 AM, "Ilari Liusvaara" wrote:
>
> On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote:
> > On Thu, Dec 31, 2015 at 08:16:35PM +, Blumenthal, Uri - 0553 -
MITLL wrote:
> > > I think Watson made a good point about "omittable checks". If
On Thu, Dec 31, 2015 at 9:43 AM, Adam Langley
wrote:
> On Wed, Dec 30, 2015 at 7:40 PM, Brian Smith wrote:
> > When you say "the plan," whose plan are you referring to? If you read
> that
> > whole thread, there was a lot of well-founded opposition
On 31 December 2015 at 17:54, Ilari Liusvaara wrote:
> Zero checks can already be unit-tested/interop-tested just as well.
What ekr said applies, but also this:
Yes, you can test that a given implementation does the right checks,
but you won't be checking during
I'm finding myself a bit unclear on the scenario people are concerned about.
It seems like there are two potential cases:
1. You have an implementation which already does some of the algorithms
we know are susceptible to THS-type attacks.
2. You have an implementation which only does the CFRG
y, December 31, 2015 01:23
To: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation
necessary or helpful?
smime.p7s
Description: S/MIME cryptographic signature
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara
> wrote:
>
> 2. Implementations which only do new algorithms can mandate EMS and not
> implement old derivation at all, provided we make that a rule here.
On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara
wrote:
> On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> > On 31 December 2015 at 17:54, Ilari Liusvaara
> wrote:
> > > Zero checks can already be unit-tested/interop-tested
On Wed, Dec 30, 2015 at 09:16:12PM -0500, Watson Ladd wrote:
> On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote:
> > Watson Ladd wrote:
> >
> > Actually, because the check for non-zero result can/should/is in the
> > X25519/X448 functions
On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara
wrote:
> On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <
> ilariliusva...@welho.com>
> > wrote:
> >
> > 2. Implementations which only do new
On Thu, Dec 31, 2015 at 12:55:09PM -0800, Eric Rescorla wrote:
> On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara
> wrote:
>
> > On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> > > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <
> >
Adam Langley wrote:
> On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote:
>
> > I think it is a good idea to implement the session hash extension, in
> > general. However, I think it is a bad idea to prescribe it as the
> solution
> > for this
On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith wrote:
> I think it is a good idea to implement the session hash extension, in
> general. However, I think it is a bad idea to prescribe it as the solution
> for this particular problem because:
>
> 1. draft-irtf-cfrg-curves-11,
On Thu, Dec 31, 2015 at 1:23 AM, Alyssa Rowan wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2015-12-31 03:30, Adam Langley wrote:
>
>> I don't mind if the integration of curve25519 in TLS requires a
>> zero-check or not, but what property are people hoping to
On Thu, Dec 31, 2015 at 06:23:08AM +, Alyssa Rowan wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2015-12-31 03:30, Adam Langley wrote:
>
> > I don't mind if the integration of curve25519 in TLS requires a
> > zero-check or not, but what property are people hoping to
On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote:
> Watson Ladd wrote:
>>
>> Why not hash the public values into the result of the key exchange? I
>> don't want security to depend on omittable checks.
>
>
> One would need an omittable check in the
Martin Thomson wrote:
> On 30 December 2015 at 22:16, Ilari Liusvaara
> wrote:
> >> Would it make sense to have session hash as a requirement in TLS
> >> 1.2 when you want to use Curve25519?
> >
> > I don't think that is reasonable.
>
> I
Kurt Roeckx wrote:
> On Tue, Dec 29, 2015 at 10:10:47PM +0200, Karthikeyan Bhargavan wrote:
> > As mentioned before, validating Curve25519 public values is necessary in
> TLS 1.2 without session hash.
> > Otherwise, as we pointed out in [1], the triple handshake attack returns.
>
On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> On 30 December 2015 at 22:16, Ilari Liusvaara
> wrote:
> >> Would it make sense to have session hash as a requirement in TLS
> >> 1.2 when you want to use Curve25519?
> >
> > I don't think that is
On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote:
>
> On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> > On 30 December 2015 at 22:16, Ilari Liusvaara
wrote:
> > >> Would it make sense to have session hash as a requirement in
On Wed, Dec 30, 2015 at 7:23 PM, Watson Ladd wrote:
>
> On Dec 30, 2015 7:08 PM, "Ilari Liusvaara"
> wrote:
> >
> > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> > > On 30 December 2015 at 22:16, Ilari Liusvaara <
>
On Wed, Dec 30, 2015 at 07:23:12PM -0500, Watson Ladd wrote:
> On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" wrote:
> >
> > I also think I figured out a way to truly force contributory behaviour
> > without any checks:
> >
> > It is a bit nasty hack: Throw the exchange keys
Watson Ladd wrote:
> Why not hash the public values into the result of the key exchange? I
> don't want security to depend on omittable checks.
>
One would need an omittable check in the code to decide whether to do that
extra hashing, so that wouldn't solve the
On 30 December 2015 at 22:16, Ilari Liusvaara wrote:
>> Would it make sense to have session hash as a requirement in TLS
>> 1.2 when you want to use Curve25519?
>
> I don't think that is reasonable.
I think that is entirely reasonable. TLS 1.2 relies on contributory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 2015-12-31 03:30, Adam Langley wrote:
> I don't mind if the integration of curve25519 in TLS requires a
> zero-check or not, but what property are people hoping to gain? If
> one wants to avoid triple-handshake like issues then session-hash
>
On Tue, Dec 22, 2015 at 2:09 PM, Brian Smith wrote:
> If an implementation only implements ECDHE cipher suites then
> implementing the session hash extension is not necessary, according to RFC
> 7627. I believe there are also a few other factors that would implementing
>
As mentioned before, validating Curve25519 public values is necessary in TLS
1.2 without session hash.
Otherwise, as we pointed out in [1], the triple handshake attack returns.
[1]
http://www.internetsociety.org/doc/verified-contributive-channel-bindings-compound-authentication
The current draft [1] says:
Other than this recommended check, implementations do
not need to ensure that the public keys they receive
are legitimate: this is not necessary for security
with Curve25519.
However, Thai Duong (of BEAST fame, among other things) wrote that TLS 1.2
Martin Thomson wrote:
> Watson Ladd wrote:
> > Textbook DH does not ensure contributory behavior. Applications don't
> > implement the required checks for poorly designed protocols. If we insert
> > checks, applications which fail to make those
Martin Thomson wrote:
> On 23 December 2015 at 10:23, Brian Smith wrote:
> > It may be the case that TLS requires contributory behavior and point
> > validation is still unnecessary. Or, it may be the case that TLS doesn't
> > really require
On Tue, Dec 22, 2015 at 02:09:32PM -1000, Brian Smith wrote:
> If checking that the shared value isn't zero is sufficient
It should suffice, ideally with a constant-time comparison.
--
Viktor.
___
TLS mailing list
TLS@ietf.org
On 23 December 2015 at 11:09, Brian Smith wrote:
> If an implementation only implements ECDHE cipher suites then implementing
> the session hash extension is not necessary, according to RFC 7627. I
It doesn't really say that as far as I can see, though I guess that
you
On Dec 22, 2015 4:15 PM, "Brian Smith" wrote:
>
> The current draft [1] says:
>
> Other than this recommended check, implementations do
> not need to ensure that the public keys they receive
> are legitimate: this is not necessary for security
> with
On 23 December 2015 at 08:51, Watson Ladd wrote:
> Textbook DH does not ensure contributory behavior. Applications don't
> implement the required checks for poorly designed protocols. If we insert
> checks, applications which fail to make those checks will be vulnerable,
>
On 23 December 2015 at 10:23, Brian Smith wrote:
> It may be the case that TLS requires contributory behavior and point
> validation is still unnecessary. Or, it may be the case that TLS doesn't
> really require contributory behavior (though, it seems obvious to me that it
>
34 matches
Mail list logo