Martin Thomson <martin.thom...@gmail.com> wrote: > Watson Ladd <watsonbl...@gmail.com> wrote: > > Textbook DH does not ensure contributory behavior. Applications don't > > implement the required checks for poorly designed protocols. If we insert > > checks, applications which fail to make those checks will be vulnerable, > > while fixing protocols closes the hole. > > I've done a fair bit of reading into this issue as well, finding > Thai's blog posting and a few other things. As Watson says, the > protocol can be designed so that it doesn't depend on the DH exchange > providing contributory behaviour. We should definitely do that either > way. >
TLS 1.2 and earlier versions are already defined. So, fixing the protocol is a good solution for TLS 1.3 and later, but draft-ietf-tls-curve25519 also is supposed to work for the versions that can't be fixed. > I understand that the checks are considered onerous by some, but I > still don't understand why anyone might refuse to do them. Checking > that you don't get a bad output from the DH computation is a tiny > piece of code that takes almost no time at all, even if you have to > worry about doing it in constant time. > To be clear, I'm not arguing that the draft should recommend or require such a check. Merely, I'm pointing out that we have the following contradictions that the draft doesn't resolve: 1. The draft says that Curve25519 doesn't require public key validation, full stop. 2. DJB said that Curve25519 may require public key validation for protocols that require contributory behavior. 3. Thai and Watson both said that TLS 1.2 and earlier require contributory behavior. It may be the case that TLS requires contributory behavior and point validation is still unnecessary. Or, it may be the case that TLS doesn't really require contributory behavior (though, it seems obvious to me that it does, at least for TLS 1.2 and earlier). Or, it may be the case that TLS requires contributory behavior and a check is necessary. The draft should make it clear which case we are dealing with, with a reference to the reasoning that gave us whatever conclusion is reached, but currently that is missing. Cheers, Brian -- https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
