Martin Thomson <martin.thom...@gmail.com> wrote: > On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusva...@welho.com> > wrote: > >> Would it make sense to have session hash as a requirement in TLS > >> 1.2 when you want to use Curve25519? > > > > I don't think that is reasonable. > > I think that is entirely reasonable. TLS 1.2 relies on contributory > behaviour. 25519 doesn't provide that unless you do some extra > checking that we know many implementations don't do. >
The check for zero is not "extra". It is required by the CFRG draft spec. Here's my proposed rewrite of this section: 2.3. Public key validation draft-irtf-cfrg-curves-11 specifies how to do the Diffie-Hellman computation and the checks that are required. Note in particular that [I-D.irtf-cfrg-curves Section 6.1] and [I-D.irtf-cfrg-curves Section 6.2] require implementations to check, in a side-channel-safe manner, that the result of the Diffie-Hellman computation is non-zero. Such a check is essential for preventing key dictation attacks in TLS, as described in [Contributive Section III.b.3]. Implementations MAY check that the peer's public value u-coordinate is on the curve, but such a check is not necessary when the check for a non-zero result is done. The practical consequence of this is that public u-coordinates must be reduced modulo the field order as required in draft-irtf-cfrg-curves-11 before being transmitted. [Contributive] Bhargavan, K, A. Delignat-Lavaud, and A. Pironti. "Verified Contributive Channel Bindings for Compound Authentication", Feb 2015, <https://www.internetsociety.org/sites/default/files/08_5.pdf>. I am not sure if [Contributive] is the best reference, but it is the only one I know of that actually addresses the issue specifically for TLS and these curves. Cheers, Brian -- https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls