2. When re-using keys for ECDHE (which is the default behavior in some
implementations, e.g. OpenSSL) or when using
non-ephemeral ECDH, the validity of the received public DH key should be
checked to avoid non-group attacks. That is, it
should be checked that the received point P is on the curve (unless point
compression was used). Small subgroup checks
could even be recommended for classical DH. Something in the spirit of RFC 6989.
This is a problem for ephemeral DH as well due to Triple Handshake. We
might as well throw this in: it doesn't hurt. However, if you aren't
doing it already, odds are you aren't capable of implementing TLS
correctly, because you don't understand the issues associated with
implementing cryptography.
We should not assume people "understand" anything. If there are
cryptographic pitfalls, it is our job to spell them out. Which is why we
published RFC 6989 to close exactly this vulnerability (and why it was
published relatively quickly - 7 months from -00 to RFC). I'm still
wondering why an equivalent RFC for TLS has not been published yet.
Thanks,
Yaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
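The two checks the thread is discussing, as an added example that is not code from the post, from RFC 6989 or from any TLS implementation: an RFC 6989-style test of a received finite-field DH value (range check plus the order-q subgroup test for a group with known subgroup order), and validation of a received P-256 point, including decompression to show why a compressed point needs no separate on-curve check. The P-256 constants are the standard ones; the finite-field group (p = 607, q = 101, cofactor 6) and all sample values are constructed for this example so that a small-subgroup element can be exhibited, and the function names are the example's own.

```python
"""Public-value validation for finite-field DH and ECDH.

Added example; not code from the mailing-list post, RFC 6989 or any TLS
implementation.  Assumptions: the P-256 constants are the standard NIST/SECG
values; the finite-field group below (p = 607, q = 101) is a constructed toy
group with cofactor 6, chosen only so that a small-subgroup element can be
shown, and must never be used for real key exchange.
"""

# ---- Finite-field DH ---------------------------------------------------------

# Constructed toy group: p is prime, p - 1 = 2 * 3 * 101, so Z_p^* has
# subgroups of order 2 and 3 beside the intended order-101 subgroup.
TOY_P = 607
TOY_Q = 101
TOY_G = 64          # 2^6 mod 607: order exactly 101 (Fermat, and 101 is prime)


def validate_ffdh_public(y: int, p: int, q: int) -> bool:
    """RFC 6989-style test for a received DH public value y.

    1 < y < p - 1 rejects 0, 1 and p - 1 (orders 1 and 2).
    y^q == 1 (mod p) rejects every element outside the order-q subgroup,
    which is exactly what a small-subgroup attacker sends to learn the
    victim's static or reused secret exponent modulo the small order.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def element_of_prime_order(p: int, r: int) -> int:
    """Return some element of prime order r in Z_p^* (r must divide p - 1).

    Used here only to build the attacker's small-subgroup value: x^((p-1)/r)
    has order dividing r, so any result other than 1 has order exactly r.
    """
    assert (p - 1) % r == 0
    for x in range(2, p):
        y = pow(x, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of that order")


# ---- ECDH on P-256 ------------------------------------------------------------

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def validate_p256_point(x: int, y: int) -> bool:
    """Reject an uncompressed peer point that is not on P-256.

    An invalid-curve attack sends (x, y) satisfying y^2 = x^3 - 3x + b' for a
    different b' whose curve has small-order points; the point-multiplication
    formulas never use b, so without this check the shared secret leaks the
    static/reused private scalar modulo that small order.  P-256 has cofactor
    1, so on-curve (plus rejecting the single-byte 0x00 identity encoding at
    parse time, since the identity has no affine form) is the whole check; on
    a curve with cofactor h > 1 you would also verify [n]P == O.
    """
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def decompress_p256(odd_y: int, x: int):
    """Decompress (sign bit, x) into (x, y), or None if x is not on the curve.

    This is why the post says the on-curve check is needed "unless point
    compression was used": decompression derives y from the curve equation,
    so any point it returns is on the curve by construction; an x for which
    x^3 - 3x + b has no square root is rejected here instead.  P-256 has
    p = 3 (mod 4), so a square root of a residue r is r^((p+1)/4).
    """
    if not 0 <= x < P256_P:
        return None
    rhs = (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)
    if (y * y) % P256_P != rhs:
        return None                     # rhs is a non-residue: no such point
    if (y & 1) != odd_y:
        y = P256_P - y
    if y >= P256_P:                     # only when y == 0, which P-256 lacks
        return None
    return x, y


if __name__ == "__main__":
    good = pow(TOY_G, 17, TOY_P)                  # honest peer: in the subgroup
    bad = element_of_prime_order(TOY_P, 3)        # attacker: order-3 element
    print("ffdh honest value accepted:", validate_ffdh_public(good, TOY_P, TOY_Q))
    print("ffdh order-3 value rejected:", not validate_ffdh_public(bad, TOY_P, TOY_Q))
    print("ffdh p-1 rejected:", not validate_ffdh_public(TOY_P - 1, TOY_P, TOY_Q))
    print("P-256 generator accepted:", validate_p256_point(P256_GX, P256_GY))
    print("P-256 off-curve point rejected:", not validate_p256_point(P256_GX, P256_GY + 1))
    print("decompression of G round-trips:",
          decompress_p256(P256_GY & 1, P256_GX) == (P256_GX, P256_GY))
```

The subgroup test costs one modular exponentiation per received value, which is why implementations that reuse an (EC)DH key across connections cannot skip it: with a fresh key per handshake a small-subgroup value leaks at most a few bits of a secret that is never used again, whereas against a reused key each handshake leaks the same secret modulo another small order until it is recovered.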