-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libsodium's Curve25519 point validation conflicts with Noise's approach #82
Comments
Is it currently panicking here? https://github.com/mcginty/snow/blob/1408112/src/resolvers/libsodium.rs#L110 let pubkey = sodium_curve25519::GroupElement::from_slice(&pubkey[0..32])
.expect("Can't construct public key for Dh25519"); Looking at the You could implement option 2 without copying the blacklist from libsodium by returning It’s a six of one, half dozen of another to me: there’s no legitimate reason for these points to ever be a used as a public key and doing so is a sort of self-inflicted plaintext recovery attack. Noise would catch an attacker swapping a legitimate public key for one of these as a MAC verification failure, although given the current use of |
@tarcieri it errors at the DH calculation which does properly return an |
My concern about the workaround of always returning a |
Where does point validation occur in
Since the Noise handshake cryptographically binds all parameters ala a transcript hash, any discrepancies on either side will result in a MAC verification failure, so getting anything wrong will automatically fail closed. That said, I'd agree failing closed early on a point validation failure feels safer to me. |
I agree that it's kind of... counterintuitive, but libsodium (and sodiumoxide) do the low-order check in the scalarmult function. So, it sounds like the safe option here is to fail closed. I'll keep it this way unless there's a compelling real-world issue that justifies a more sketchy workaround. |
This is a continuation of the conversation started on #75.
Summary
libsodium has made the decision to try to prevent accidental foot-shooting by refusing to do DH operations on points that are clearly not securely randomly generated.
Noise has taken the approach of not validating keys at all, since it's impossible to definitively say that a point is safe, so it creates a false sense of security.
libsodium has a blacklist it maintains for low-order
GroupElement
points, and returns an error if encountered.Workarounds
For snow, the two options are either to:
The text was updated successfully, but these errors were encountered: