Eric Rescorla wrote: [..] > I am not an EC expert, but my impression based on the discussion in TLS was > that checking for the zero value for X25519 was not sufficient defense > against malicious peers if you didn't use the 7748 computations, hence the > language in 8446. Do you believe otherwise?
The draft currently says: Key-agreement schemes ECDHE-Curve25519 and ECDHE-Curve448 use the functions X25519 and X448, respectively, to perform the Diffie-Helman protocol as described in [RFC7748]. Implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in Section 6 of [RFC7748]. [...] This requires, perhaps too gently, the (Montgomery ladder) algorithm in RFC 7748. In contrast, RFC 8446 allows other, (non-Montgomery) algorithms to be used to compute X25519 and X448 in TLS: For these curves, implementations SHOULD use the approach specified in [RFC7748] to calculate the Diffie-Hellman shared secret. Implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in Section 6 of [RFC7748]. If implementors use an alternative implementation of these elliptic curves, they SHOULD perform the additional checks specified in Section 7 of [RFC7748]. But it is not clear exactly what "additional checks" are required (reject all invalid keys?), and for what purpose (ensure some "contributory behavior" property?) It seems the only observable difference would be that other algorithms might abort on some invalid DH inputs that the RFC 7748 algorithm accepts. So there are two orthogonal questions here: - Should tcpcrypt allow implementations that behave differently from RFC 7748? - Given that tcpcrypt does not depend on any "contributory behavior" property, is there any use in requiring DH input validation? If other algorithms are allowed *and* input validation is required, it seems we will have to explain more clearly what validation entails. d _______________________________________________ Tcpinc mailing list Tcpinc@ietf.org https://www.ietf.org/mailman/listinfo/tcpinc
