
Should Curve25519 keys be validated? - zdw
https://research.kudelskisecurity.com/2017/04/25/should-ecdh-keys-be-validated/
======
benchaney
I disagree with the author.

> The first thing you learn in any infosec class is to reject invalid inputs,
> and check return values for errors, even if there’s no obvious exploit in
> sight. Doing this is sometimes called “defense in depth” or “best practice”.

Rejecting invalid inputs is often a good idea, but it isn't defense in depth
and it isn't automatically best practice. Always doing something because you
"learned it in an infosec class" is dogmatic.

> The point of Diffie-Hellman is that both key shares should equally contribute
> to the shared secret, so that the protocol doesn’t allow key control, a
> desirable attribute of any authenticated key agreement protocol, as discussed
> in this MQV paper. If the protocol allows a peer to force the shared secret to
> be zero, or more generally to lie in a subgroup, then the said peer can
> surreptitiously weaken the protocol’s security (objection: “but why would a
> peer be malicious?”).

This point was refuted earlier in the article. "If a peer is malicious, then
they can do much worse than sending invalid keys".

> It’s costless: adding a zero check is ten lines of code tops, which is
> unlikely to introduce new vulnerabilities nor to hurt performance.

Ten lines of code isn't costless, it is low cost. Even if it were costless, it
would still be better to not do it unless there is a compelling reason to do
it.

> It reduces the risk of non-obvious attacks. Take Signal’s protocol, for
> example. If Alice generates all-zero prekeys and identity key, and pushes
> them to the Signal’s servers, then all the peers who initiate a new session
> with Alice will encrypt their first message with the same key, derived from
> all-zero shared secrets—essentially, the first message will be in the clear
> for an eavesdropper. Alice can deny being malicious, arguing that her PRNG
> failed. That’s just an example scenario—granted, far-fetched—but there might
> be others, and checking for invalid keys is probably easier than proving
> that they will never be exploited.

Not only is this not a "non-obvious attack", this is the only possible attack.
The only thing that adding a check to prevent a zero key can do is prevent
someone from using a zero key. By the way, this attack gains nothing. Any
malicious user already has the ability to publicize any messages sent to them.
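To make the "zero key" case under discussion concrete, here is an added example (not from the linked article and not posted by any commenter): a minimal pure-Python X25519 following the RFC 7748 Montgomery ladder, with the disputed output check bolted on as `x25519_checked`. The function and constant names (`x25519`, `x25519_checked`, `BASEPOINT`, the `ALICE_*`/`BOB_*` vectors) are this example's own; the key values are the published RFC 7748 section 6.1 test vectors. It shows that an all-zero public key is a low-order point, so the shared secret it yields is all zeros regardless of the honest side's private key, which is exactly the condition the check rejects.

```python
# Added example, not code from the article or the thread. Pure-Python X25519
# per RFC 7748; Python big-int arithmetic is NOT constant-time, so this is for
# illustration of the zero-output check only, not for production use.

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")  # standard X25519 base point u = 9

# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 requires (multiple of 8, bit 254 set)."""
    kl = bytearray(k)
    kl[0] &= 248
    kl[31] &= 127
    kl[31] |= 64
    return int.from_bytes(kl, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte u-coordinate, masking the unused top bit."""
    ul = bytearray(u)
    ul[31] &= 0x7F
    return int.from_bytes(ul, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap of two non-negative ints (swap is 0 or 1)."""
    mask = -swap  # 0 or -1; Python ints behave as infinite two's complement
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(k: bytes, u: bytes) -> bytes:
    """Raw X25519 scalar multiplication as specified; performs no output validation."""
    k_int = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):  # 255 scalar bits, most significant first
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    # Inversion of z2 == 0 yields 0, which is why low-order inputs give an all-zero output.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_checked(k: bytes, u: bytes) -> bytes:
    """The few-line check the thread argues about: refuse an all-zero shared secret."""
    s = x25519(k, u)
    if s == bytes(32):
        raise ValueError("peer public key is a low-order point; shared secret is all zeros")
    return s


if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    assert x25519(ALICE_PRIV, BOB_PUB) == x25519(BOB_PRIV, ALICE_PUB) == SHARED
    print("honest exchange:", SHARED.hex())
    print("all-zero peer key ->", x25519(ALICE_PRIV, bytes(32)).hex())
    try:
        x25519_checked(ALICE_PRIV, bytes(32))
    except ValueError as exc:
        print("checked variant:", exc)
```

The unchecked call with a 32-byte zero public key returns 32 zero bytes, so any key derived from that "secret" is fully predictable to anyone who knows the peer sent zeros; the checked variant turns that into an error before a session key is derived. The same check catches the other low-order points, since they also produce an all-zero output after clamping.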

~~~
vetrom
So, in one important vein, I would disagree, but I'm not sure how well it
applies to this scenario -- if you are building a system based on deniable
encryption, one example that totally falls apart if one party can prove that
they have (forced) zero-keying I imagine would be in deniability, especially
if part of the zero keying depends on unpredictability of the keyspace of more
than one actor.

AKA, if the deniability of your protocol depends on the random keyspace of
more than one actor, a vector that allows some actor to compress the space of
permitted keys could allow an inference of more-likely potentially valid keys
vs invalid keys, thus disproving or at least weakening the deniability of the
protocol.

As for the malicious peer problem -- the malicious peer is the very model of
state-sanctioned surveillance. I think it would be an exercise in willful
blindness at the least to pretend that does not exist.

~~~
benchaney
Deniable encryption refers to the ability to hide encrypted data without an
adversary being able to detect that there is encrypted data present. It
generally refers to file system encryption. I'm not sure how it would even
apply in a case where key exchange is used. Either way though, the attack
still doesn't get anything. If someone is participating in the key exchange, then
they get access to the resulting key. They can publicize this key to do at
least as much damage as zero-keying.

> As for the malicious peer problem -- the malicious peer is the very model of
> state-sanctioned surveillance.

I'm really not sure what you mean by this. Some peers might be malicious, but
this attack gains them nothing. This is true whether the peer is a state
actor or an 11-year-old. Please try to have a basic understanding of what you
are talking about before you accuse other people of engaging in willful
blindness.

