Another suggestion for draft-sheffer-tls-bcp:

When re-using keys for ECDHE (which is the default behavior in some implementations, e.g. OpenSSL) or when using non-ephemeral ECDH, the validity of the received public DH key should be checked to avoid non-group attacks (if the curve is not twist secure). That is, it should be checked that the received point P is on the curve (unless point compression was used).

In addition, in the case of classical DHE / DH, unless Sophie Germain primes are used, it could make sense to check for small subgroups.

-- 
Johannes
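The two checks suggested above, as an added example that is not part of the original message or of the draft: an on-curve test for a received P-256 point, and a range plus subgroup-order test for a received finite-field DH value. The P-256 constants are the standard NIST ones; the small DH groups in the test (p = 23 with q = 11, p = 31 with q = 5) are constructed for illustration, not real-world parameters.

```python
# Public-value validation a TLS peer should perform before using a received
# DH / ECDH public key with a long-lived private key (added example).

# NIST P-256: y^2 = x^3 + a*x + b over GF(p), cofactor 1
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def ecdh_point_is_valid(x: int, y: int) -> bool:
    """Return True only if (x, y) is a finite point on P-256.

    A point that is not on the curve lies on some other curve (e.g. a twist)
    whose group may have small order; a scalar multiplication with it leaks
    information about the reused private scalar. Because P-256 has cofactor 1,
    the on-curve check alone rules out small subgroups."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False  # coordinates must be reduced field elements
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def dh_public_value_is_valid(y: int, p: int, q: int) -> bool:
    """Return True only if y is in the order-q subgroup of GF(p)*.

    p is the group prime and q the prime order of the generator's subgroup.
    For a safe prime p = 2q + 1 the range check alone already excludes the
    only small subgroup ({1, p-1}); for other primes p-1 may have further
    small factors, so the y^q == 1 test is what rejects those elements."""
    if not (1 < y < p - 1):
        return False  # excludes 0, 1 and p-1 (orders 1 and 2)
    return pow(y, q, p) == 1


if __name__ == "__main__":
    print("P-256 base point on curve:", ecdh_point_is_valid(P256_GX, P256_GY))
    # constructed toy group: p = 31, p-1 = 2*3*5, generator subgroup order 5
    print("order-5 element accepted:", dh_public_value_is_valid(2, 31, 5))
    print("order-3 element rejected:", not dh_public_value_is_valid(5, 31, 5))
```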
