On Mon, May 26, 2014 at 11:18:08AM +0200, Johannes Merkle wrote:
>
> 2. When re-using keys for ECDHE (which is the default behavior in some
> implementations, e.g. OpenSSL) or when using non-ephemeral ECDH, the
> validity of the received public DH-key should be checked to avoid non-
> group attacks. That is, it should be checked that the received point P
> is on the curve (unless point compression was used). Small subgroup
> checks could even be recommended for classical DH. Something in the
> spirit of RFC 6989.
Even if point compression is used, one should check that the square root
exists, unless both:

1) The invalid compressed points are guaranteed to be on the twist[1] AND
2) The curve is twist-secure (NIST and Brainpool aren't[2][3]).

As for small subgroups, unless the protocol properly hashes the public keys
(and currently TLS does not), one should check for those[4], as those can
cause trouble[5].

[1] E.g.:
    - Using Montgomery X-only
    - Using Weierstrass with the usual square root mod 4k+3
[2] In fact, both have at least one very twist-insecure curve.
[3] Most twist-secure curves seem to also be designed for Montgomery X-only.
[4] This checking is not really feasible for DH with arbitrary primes. (If
    one assumed SG, this could be done (check for -1, 0 or 1), but such a
    check is wrong for non-SG primes.)
[5] Triple Handshake attack with DH handshakes anyone?

-Ilari

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
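The checks discussed in the exchange above, as an added example that is not part of the thread: the on-curve check for uncompressed points, decompression that rejects an x whose square root does not exist (and what lands on the twist if that check is skipped), and an RFC 6989-style check of a classical DH public value. The P-256 domain parameters are the real FIPS 186-4 values (p is 3 mod 4, so the sqrt is the usual x^((p+1)/4)); the finite-field group is a constructed toy safe prime, and all function names (`decompress`, `naive_decompress`, `validate_ffdh_pubkey`, ...) are this example's own. The twist equation used is y^2 = -(x^3 + ax + b), which is where the unverified sqrt lands because rhs^((p+1)/2) = -rhs for a non-residue when p is 3 mod 4.

```python
# Added example (not from the mailing-list thread): public-key validation
# for ECDH on NIST P-256 (real parameters, cofactor 1) and for classical
# finite-field DH over a constructed toy safe prime.

# --- NIST P-256 domain parameters (FIPS 186-4); p = 3 mod 4 ---
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def rhs(x):
    """Right-hand side x^3 + ax + b of the Weierstrass equation mod p."""
    return (pow(x, 3, P) + A * x + B) % P


def is_on_curve(x, y):
    """Uncompressed-point check: coordinates in range and equation holds."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y) % P == rhs(x)


def naive_decompress(x, y_parity):
    """Decompression WITHOUT the square-root check (the failure mode):
    computes rhs^((p+1)/4) and never verifies it.  When rhs is a
    non-residue the result satisfies y^2 = -rhs, i.e. (x, y) lies on the
    quadratic twist, not on the curve."""
    y = pow(rhs(x), (P + 1) // 4, P)
    if y & 1 != y_parity:
        y = P - y
    return x, y


def decompress(x, y_parity):
    """Decompression with the check the mail calls for: reject an x for
    which the square root does not exist."""
    if not 0 <= x < P:
        raise ValueError("x out of range")
    x, y = naive_decompress(x, y_parity)
    if (y * y) % P != rhs(x):
        raise ValueError("no square root: x has no point on the curve")
    return x, y


def is_valid_compressed(x, y_parity):
    """Boolean wrapper around decompress() for callers that just need accept/reject."""
    try:
        decompress(x, y_parity)
        return True
    except ValueError:
        return False


def is_on_twist(x, y):
    """y^2 = -(x^3 + ax + b) mod p: the twist naive decompression lands on."""
    return (y * y) % P == (-rhs(x)) % P


def find_twist_x(start=1):
    """Smallest x >= start whose rhs is a quadratic non-residue mod p
    (Euler's criterion gives p-1), i.e. an x with no point on the curve."""
    x = start
    while pow(rhs(x), (P - 1) // 2, P) != P - 1:
        x += 1
    return x


# --- Finite-field DH over a safe prime p = 2q + 1 ---
# Constructed toy group for the demonstration; real deployments use the
# RFC 3526 / RFC 7919 groups, which have the same p = 2q + 1 structure.
TOY_P = 2039
TOY_Q = 1019  # (TOY_P - 1) // 2, prime


def validate_ffdh_pubkey(y, p, q=None):
    """RFC 6989-style check of a received DH public value.
    The range check 1 < y < p-1 rejects 0, 1 and -1 and needs no knowledge
    of the group structure.  With q known, y^q = 1 mod p additionally
    rejects every element outside the prime-order subgroup (for a safe
    prime, the order-2q elements).  For an arbitrary prime q is unknown, so
    only the range check is available; that is footnote [4]'s point."""
    if not 1 < y < p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True
```

Running `find_twist_x()` and feeding the result to `naive_decompress` gives a point that fails `is_on_curve` but satisfies `is_on_twist`: exactly the "invalid compressed points are on the twist" case of footnote [1], which is harmless only if the twist itself is secure. The same pattern carries over to any p = 3 mod 4 Weierstrass curve by swapping the constants at the top.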
