
Re: Forward secrecy in spiped



On 04/30/14 00:28, Frederick Akalin wrote:
> On Tue, Apr 29, 2014 at 11:53 PM, Colin Percival <cperciva@tarsnap.com
> <mailto:cperciva@tarsnap.com>> wrote:
>     > + * is_zero_or_one(x, len):
>     > + * Returns non-zero if the big-endian value stored at (${x}, ${len}) is equal
>     > + * to either 0 or 1.
> 
>     This is wrong.  We need to detect 1; we don't need to detect 0.  (A validly
>     signed 0 implies that someone who has the shared key is not following the
>     protocol, in which case we've already lost.)
> 
> Isn't that an argument for detecting 0 even if -g isn't specified? It seems to
> me to be better to drop connections which are detected to not be conforming.

There are lots of "impossible" values -- all quadratic non-residues, for example
-- but there's no point checking for all of them.  There are always going to be
ways that a participant can deliberately sabotage the protocol (by revealing
the negotiated keys, if nothing else); the point of the protocol is to protect
compliant hosts from non-participants.  Even the -g option isn't about any level
of cryptographic security; it's purely about detecting misconfigurations.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
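An added example, not part of this thread and not spiped's own code, illustrating the two points above: a constant-time "does this big-endian share equal 1 (or 0)?" check, a -g style policy that drops a peer whose share is 1 only when the operator asked for forward secrecy, and a toy Diffie-Hellman computation showing why a share of 1 is the value that matters (it makes the shared secret 1 for every private exponent, so nothing ephemeral protects the session). The function names, the 32-byte share length, and the toy group (p = 2^31 - 1 with generator 7) are assumptions made here for illustration, not spiped's parameters.

```c
/* Added example, not spiped's code.  Toy group parameters are constructed for
 * illustration only; a real deployment uses a proper DH group. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if the big-endian integer in x[0..len) equals the small value v
 * (v < 256), else 0.  Every byte is touched and no branch depends on the
 * data, so the check does not leak the share's value through timing. */
static int
be_equals_small(const uint8_t *x, size_t len, uint8_t v)
{
	uint8_t acc = 0;
	size_t i;

	if (len == 0)
		return (v == 0);
	for (i = 0; i + 1 < len; i++)
		acc |= x[i];            /* all leading bytes must be zero */
	acc |= x[len - 1] ^ v;          /* and the last byte must be v */
	/* acc == 0 exactly when equal; (acc - 1) then underflows to all ones. */
	return (int)((((uint32_t)acc - 1) >> 8) & 1);
}

int is_one(const uint8_t *x, size_t len)  { return be_equals_small(x, len, 1); }
int is_zero(const uint8_t *x, size_t len) { return be_equals_small(x, len, 0); }

/* The -g style policy from the thread: a peer that sent 1 (no ephemeral key,
 * hence no forward secrecy) is dropped only when the operator asked for PFS;
 * 0 is deliberately not treated specially.  Returns 1 = accept, 0 = drop. */
int
accept_peer_share(const uint8_t *x, size_t len, int require_pfs)
{
	if (require_pfs && is_one(x, len))
		return 0;
	return 1;
}

/* Big-endian encode v into out[0..len). */
void
be_store(uint8_t *out, size_t len, uint64_t v)
{
	while (len-- > 0) {
		out[len] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

/* Helpers that encode a value and run the checks on it (len <= 64). */
int
encoded_equals_small(uint64_t v, size_t len, uint8_t target)
{
	uint8_t buf[64];

	if (len > sizeof buf)
		return -1;
	be_store(buf, len, v);
	return be_equals_small(buf, len, target);
}

int
policy_for_value(uint64_t v, size_t len, int require_pfs)
{
	uint8_t buf[64];

	if (len > sizeof buf)
		return -1;
	be_store(buf, len, v);
	return accept_peer_share(buf, len, require_pfs);
}

/* Toy modular exponentiation; p < 2^32 keeps every product inside 64 bits. */
uint64_t
modexp(uint64_t base, uint64_t exp, uint64_t p)
{
	uint64_t r = 1;

	base %= p;
	while (exp) {
		if (exp & 1)
			r = (r * base) % p;
		base = (base * base) % p;
		exp >>= 1;
	}
	return r;
}

/* Constructed toy group: p = 2^31 - 1 (prime), 7 is a generator mod p. */
#define TOY_P 2147483647ULL
#define TOY_G 7ULL

/* Secret our side derives from the peer's share and our private exponent.
 * If the peer sent 1 this is 1 for every private exponent: no ephemeral
 * contribution, so compromise of the long-term key exposes the session. */
uint64_t
toy_dh_shared(uint64_t peer_share, uint64_t our_priv)
{
	return modexp(peer_share, our_priv, TOY_P);
}

int
main(void)
{
	uint64_t x = 123456789ULL;

	printf("peer share 1: is_one=%d accept(-g)=%d accept(no -g)=%d secret=%llu\n",
	    encoded_equals_small(1, 32, 1), policy_for_value(1, 32, 1),
	    policy_for_value(1, 32, 0), (unsigned long long)toy_dh_shared(1, x));
	printf("real share:   is_one=%d accept(-g)=%d\n",
	    encoded_equals_small(modexp(TOY_G, 987654321ULL, TOY_P), 32, 1),
	    policy_for_value(modexp(TOY_G, 987654321ULL, TOY_P), 32, 1));
	return 0;
}
```

The check is written so that a share such as 257 (low byte 1, but a higher byte set) is not mistaken for 1, and so that the work done does not depend on where in the buffer the first non-zero byte sits.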