[Ach] choosing safe curves for elliptic-curve cryptography

Aaron Zauner azet at azet.org
Mon May 12 20:54:35 CEST 2014

ianG wrote:
> Yes, you can negotiate for NIST curves in TLS.  That's bad on two
> fronts.  Firstly TLS followed someone else's lead, which now turns out
> to have been recursively perverted (NIST followed someone else's lead).
> And secondly, because users can negotiate at all.
One can argue that future versions of TLS (very much in the future if I
take a look at its history) should completely avoid negotiating
ciphers. There have been protocol-level problems with that all along.
I've seen the point of algorithmic agility come up at IETF lists (IIRC
you started that thread) - but there's far from consensus on how to
approach that.

TLS 1-1.2 seem to be particularly developed to be always backwards
compatible. I'm not quite sure why this is important in a security
standard since software like browsers will do this anyhow: i.e. downgrade
to a lower TLS protocol version if necessary (or dumb).

The same holds true for datagram TLS (DTLS), which is more widely used
than most people realize:

(To all those Heartbleed enthusiasts:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf shows how AlFardan and Paterson
exploited heartbeat timing leaks in DTLS - the only place where there's
even a reason to use an extension like that)

