[Ach] choosing safe curves for elliptic-curve cryptography
azet at azet.org
Mon May 12 20:54:35 CEST 2014
> Yes, you can negotiate for NIST curves in TLS. That's bad on two
> fronts. Firstly TLS followed someone else's lead, which now turns out
> to have been recursively perverted (NIST followed someone else's lead).
> And secondly, because users can negotiate at all.
One can argue that future versions of TLS (very much in the future if I
take a look at its history) should completely avoid negotiating
ciphers. There have been protocol-level problems with that all along.
I've seen the point of algorithmic agility come up on IETF lists (IIRC
you started that thread) - but there's far from consensus on how to
TLS 1-1.2 seem to be particularly developed to be always backwards
compatible. I'm not quite sure why this is important in a security
standard since software like browsers will do this anyhow: i.e. downgrade
to a lower TLS protocol version if necessary (or dumb).
The same holds true for datagram TLS (DTLS), which is more widely used
than most people realize:
(To all those Heartbleed enthusiasts:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf shows how AlFardan and Paterson
exploited heartbeat timing leaks in DTLS - the only place where there's
even a reason to use an extension like that)
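The mail above is about what a client is allowed to negotiate (curves, protocol versions). As an added example, not part of azet's mail or of any Ach project code, here is a small parser for a TLS ClientHello that pulls out the legacy version, the cipher suites, the supported_groups extension (0x000a) and the supported_versions extension (0x002b), plus an audit that flags offers of NIST curves or of versions below a policy minimum. The ClientHello bytes are constructed inline by build_client_hello() with an all-zero random, so the whole thing runs offline; the policy minimum of TLS 1.2 and the list of curves treated as "NIST" are assumptions chosen for the example.

```python
import struct

# Named group code points from the IANA "TLS Supported Groups" registry.
NAMED_GROUPS = {
    0x0017: "secp256r1 (NIST P-256)",
    0x0018: "secp384r1 (NIST P-384)",
    0x0019: "secp521r1 (NIST P-521)",
    0x001D: "x25519",
    0x001E: "x448",
}
NIST_GROUPS = {0x0017, 0x0018, 0x0019}   # assumption: the curves this audit objects to

EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12 = 0x0303


def u16(buf, off):
    """Big-endian uint16 at offset; raises if the buffer is too short."""
    if off + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return struct.unpack("!H", buf[off:off + 2])[0]


def build_client_hello(suites, groups, versions, legacy_version=TLS12):
    """Constructed test input: a TLS record carrying a ClientHello with the
    given cipher suites, supported_groups and supported_versions."""
    gl = b"".join(struct.pack("!H", g) for g in groups)
    vl = b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(gl) + 2)
            + struct.pack("!H", len(gl)) + gl
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vl) + 1)
            + bytes([len(vl)]) + vl)
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", legacy_version)
             + bytes(32)                      # client random (zeros, constructed)
             + b"\x00"                        # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                    # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, legacy 3.1


def parse_client_hello(record):
    """Parse one TLS handshake record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + u16(record, 3)]
    if len(body) != u16(record, 3) or not body or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    legacy_version = u16(hello, pos); pos += 2
    pos += 32                                  # random
    pos += 1 + hello[pos]                      # session id
    cs_len = u16(hello, pos); pos += 2
    suites = [u16(hello, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]                      # compression methods
    groups, versions = [], []
    if pos < len(hello):                       # extensions block is optional (pre-TLS1.2 hellos)
        end = pos + 2 + u16(hello, pos); pos += 2
        if end > len(hello):
            raise ValueError("truncated extensions")
        while pos < end:
            etype, elen = u16(hello, pos), u16(hello, pos + 2); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension 0x%04x" % etype)
            if etype == EXT_SUPPORTED_GROUPS:
                groups = [u16(data, 2 + i) for i in range(0, u16(data, 0), 2)]
            elif etype == EXT_SUPPORTED_VERSIONS:
                versions = [u16(data, 1 + i) for i in range(0, data[0], 2)]
    return {"legacy_version": legacy_version, "suites": suites,
            "groups": groups, "supported_versions": versions}


def audit(parsed, min_version=TLS12):
    """Return findings for what the client is willing to negotiate.
    Without supported_versions, the legacy version field is the offer."""
    offered = parsed["supported_versions"] or [parsed["legacy_version"]]
    findings = ["offers TLS version 0x%04x below policy minimum" % v
                for v in offered if v < min_version]
    findings += ["offers NIST curve %s" % NAMED_GROUPS.get(g, hex(g))
                 for g in parsed["groups"] if g in NIST_GROUPS]
    return findings


if __name__ == "__main__":
    ch = build_client_hello([0x1301, 0xC02B], [0x001D, 0x0017], [0x0304, 0x0303, 0x0301])
    for f in audit(parse_client_hello(ch)):
        print(f)
```

Run it as a script and the two findings for the constructed hello (TLS 1.0 offered, P-256 offered) are printed; a hello that offers only x25519 and TLS 1.3 audits clean. To use it on real traffic, feed it the first record of a captured client flight; the parser rejects anything that is not a handshake record carrying a ClientHello.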