Re: [Cfrg] Security proofs v DH backdoors

"Mark D. Baushke" <mdb@juniper.net> Wed, 26 October 2016 23:21 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54311295A7 for <cfrg@ietfa.amsl.com>; Wed, 26 Oct 2016 16:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level:
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqAcJkcTIjrL for <cfrg@ietfa.amsl.com>; Wed, 26 Oct 2016 16:21:00 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0101.outbound.protection.outlook.com [104.47.38.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFD0512943C for <cfrg@irtf.org>; Wed, 26 Oct 2016 16:20:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=bMo08dcg9Yht2oCPzI1uE5zYifcYU4kUOqgTqyyZLAI=; b=bgGKUQzI0drMUswENHhQgYp7i2CGBhRxn5UCTAl2AifJlgV9x5HLFjz5g+b5LooEqIS4HX9k01HriIIiQ8SNdsGQnO6xRgDJl2qMPnK4PhBuhWI/s0sFmK/zS67OXTz+5XVion0kRHhxa20UsX9uHf3NfXkvG0vyNWJ0tA3mi8I=
Received: from CO2PR05CA023.namprd05.prod.outlook.com (10.141.241.151) by CY1PR05MB2729.namprd05.prod.outlook.com (10.167.18.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.679.5; Wed, 26 Oct 2016 23:20:57 +0000
Received: from BN1BFFO11FD011.protection.gbl (2a01:111:f400:7c10::1:157) by CO2PR05CA023.outlook.office365.com (2a01:111:e400:1429::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.707.1 via Frontend Transport; Wed, 26 Oct 2016 23:20:57 +0000
Authentication-Results: spf=softfail (sender IP is 66.129.239.19) smtp.mailfrom=juniper.net; cs.auckland.ac.nz; dkim=none (message not signed) header.d=none;cs.auckland.ac.nz; dmarc=none action=none header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.19 as permitted sender)
Received: from P-EMFE01C-SAC.jnpr.net (66.129.239.19) by BN1BFFO11FD011.mail.protection.outlook.com (10.58.144.74) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.679.5 via Frontend Transport; Wed, 26 Oct 2016 23:20:56 +0000
Received: from p-mailhub01.juniper.net (10.160.2.17) by P-EMFE01C-SAC.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 26 Oct 2016 16:20:34 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id u9QNKXxq002837; Wed, 26 Oct 2016 16:20:33 -0700 (envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1]) by eng-mail01.juniper.net (Postfix) with ESMTP id 0D7BE1144E; Wed, 26 Oct 2016 16:20:32 -0700 (PDT)
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <1477456366629.49872@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com>, <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Wed, 26 Oct 2016 04:32:49 -0000."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Wed, 26 Oct 2016 16:20:32 -0700
Message-ID: <44595.1477524032@eng-mail01.juniper.net>
Sender: <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.19; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(7916002)(2980300002)(189002)(199003)(586003)(81166006)(305945005)(105596002)(69596002)(110136003)(7696004)(15650500001)(8936002)(626004)(81156014)(87936001)(68736007)(8676002)(92566002)(53416004)(7126002)(76506005)(4326007)(5660300001)(117636001)(86362001)(2906002)(2950100002)(189998001)(5003940100001)(2810700001)(97736004)(76176999)(6916009)(106466001)(356003)(77096005)(48376002)(50466002)(19580405001)(47776003)(54356999)(50986999)(11100500001)(19580395003)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR05MB2729; H:P-EMFE01C-SAC.jnpr.net; FPR:; SPF:SoftFail; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BN1BFFO11FD011; 1:qYCM6L6MM+4QIrCeD77WJVmsMQxeM5zds4zkxtASvZl3OVjbbvISkjGJ4dM9wNS1zBwqj7bGE5/Yd2nR36jE1KRPMD+LgkLUjZjG6BlUCZdjq57m5WQkxSsWcbFvgorP4AABkdsqkmKu3O3Qgx9wPWEeRh8+VTzSjeRpKoIH5BvaHxgC96xAZgvbHFnMu+SbkISd+JwXiTh6CHW1SltxOWgli0YgO6z5php7o1TbDwtoEMNt/Hd9Z/JCb0yLJf3P6Bo/1h+Q1+TFRJHk+vCqaKr+u+njDKRQZVmiCR/8B4K2calhhxH1Dst2C0BfzzaAXDZAr5zkOcPvSJPdYbzwlX8O60+81W3nn4N0qdhTGHT6KQxDAtcMDg5VC0fDti3CravW9RQHtcEhqiIgfH+m4pcad54O1uiLD5L9GMCQCmHJzucuTYyUoERWLC4hclAugG9m7d8GMbPaSzIhdlqPOpeaPMQNVR46ByIeJ6Nbs/FyrI8Ge5bNsps7nrPuwZM9Wsuhs1LjK6zD337BgYDGCnfEajKXs6g2jBAIrlVzBgCXR3UmQRaIPgzD+TCcZQ6e
X-MS-Office365-Filtering-Correlation-Id: 0414858d-213f-40de-042d-08d3fdf6bd3a
X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2729; 2:MELrgJIDDN2VzCy2J+EfZF6QfktK2pXfvHitCD7tsCIbSfbIeWh8cXPXEb/6Fw64VZgtHq4/ZC1NRB0ylo+n+nFyukiCF5+RkPquiKeQdCMHf2jjNRsY/ENYrFWpes3ydNEtaHunRMiO92TkCfqGwQeDLd/zWy9iXUPeLCW6RiXs+ReMzxgQWQiCnOiusepJLDdoWLYlLkHZIbL/C0RDlA==; 3:yEBJNr3yeG2b7WS4igf6VOF1q/fSzr4co0zbLNEmp7tQGzkUQCXv1ls3RA+Bmk8YGk8sHCP3A4VagJf+2NstAv2vAb2dZs5LZB19bDPG5V03D628+PCk7wu2tgHNSWkHRL7vhTM2flT5VLakx0MlR3pZs8ownRtaWUOAwYZy9NDxxWrYb5jyP6kNBljbZlUEKqoLuTtivF9YUFbFDeMuKadPRbE1ZDWKtoQmEyfVE7wpW9E+JKzrz2l7qhWFTMl8; 25:jVEpUlJ8B68NNoOq8laR3tmFU6S4uEXGmWBpfJ1Bc58G9Z1k/eKZ8mwi6f+XNa1uVtT/MGscG6U5UpStpFSVyRGeLcoCmUx7p8DXWzOijLx5juFjSIinP+7Yh58y3FPM+WlzYXKnCRinREMY5b5dF6cD9Nv956SBFm1RLijgEb0d5WiJZoJ9dWaMY/I+JbeFUPfmobA5Fad6eyTfzYxxBMymo6vgCdhIkr/1zXoVPdGUEPNyjFMunnDCYtnNpZ3NfwRvNUp9+3iAaxLjAg177cbOuxXrFvil/L1YHrFgCBXKFADU25XH9J6pySW3gpAFCowKeqOmOEFcvKfYZ/EHSGRCKXceoUOMX/3EJkL8Uk4Qm/mLYGHAkFpsJx7Fq6xo1kf40w36qWszoVdtgHGIyHDiRl5UNsDviT8FIhVW5pVHN4Gm3tCAnhQ4fMeMdQYf
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR05MB2729;
X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2729; 31:3qi8108IDbUDnnj44KF7xOI4YO7hztMOYKbiPb3BLUJmhdSAgwUOalRz0LrE+LsyA9Xo4zAFXHMMq3S3Yue2p0fq1lAb7d9oWY3hL13WMu/CojrfMUQxZrVAaiJZtXOSrSsVxvBYlReB7SZk1piz0kCQ7bUdR9FKS+XNndAoy8ZAK7e8fM8OLFPozoVwRLL6BnLaaLTeJjU774cNYbLWKx5yREyhVbxRowNZ4SbdEqqM72oLOtgRaYxqT/dlazpX; 20:F9YmUYQOZ4KXJy4lAc8a17V7JGYSnh76eoUbf/yLcotaKzUE0v6vV3/nj/6OHxXvS6X5ut0M7PkzQ27ZDbCJ2rlH8QNaA+NDeqy1hxz3NDfA2bKxtPxdPOHI3CKubk7lGMeg3Bho8Aze1NLrFtHBphx+8MueWPgMmpBPn3F/pnrUDsW20q6XjUvCGugB7Sqod0v10gQh5uU9e0b/3JtZIPVVGj0uKwwvWKtIqoNfzy37Qi//co1XGdOh8uJ3QchC5AnRERxM+uI3pO0wDxSd8oWbcGjxGXLKSeElxhCawur9R5wEmFl6vgW7EkvjKqpDAC+D9w6lBePwhE55jzyzNYgq2y01NWmfoZtvPfqyfozs+5Pdb/hu5lfaE87fCqeBMO45F5by7yI1jeY5c94A3k3dAbx5e6Pearezoz5gki13r4cGFPb4IYNAE54oW3IXAEKvSTrXBEzXMekrRH7mNi9vjfejOLZ6bIwqhCDSG3JlyqlKCOatwzJvuLk+DpJ8
X-Microsoft-Antispam-PRVS: <CY1PR05MB272983E50E122E902295A859BFAB0@CY1PR05MB2729.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(192374486261705);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(13023025)(5005006)(13024025)(8121501046)(13018025)(13017025)(13015025)(3002001)(10201501046)(6055026); SRVR:CY1PR05MB2729; BCL:0; PCL:0; RULEID:; SRVR:CY1PR05MB2729;
X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2729; 4:1a+XMzHYOScyfoyLcv/govK8qqYyKrM9Tjly58zFEZPQ6wQ8CGbP/n6QT7YJ95rTaH6Xy/NUstYg3BgM0X0lueQHIieOq6SdEThG2MxawnQ7buyECQaFau5ph988Q7OlqNNriUwzjnz6ISh6QzZDf1Z/k72nddfn50ZGBhWoiTNib1Co8A68/eSEnEp6aCyGNE2lIGqisikaXKcHENN5s5G8wOJFf97aeFVkwyl/LAS9b2diJmgscCUEWJgC62b2effGjR9+fwWJAHUvMm/D6sEwR2m5Mj0xSSOnA5vi9k7m3/Y0uv1BR4EzLO3U4NLoYsIv0NNLOPwOO+C9QCNQrYOpGyZWiTj4fNKJl3RcbSz0G/VFy1OTsF3D5hXFG5MubB8dUiHRhTgdlM0PZGKli1CbcMPwqETcpNF3Gga9KQ1Z+0DT94kKCQ4WU60APj9Xnj5rioGMcFK1qKOa9J4XZLI/b8rXA4HURwqG7R6fCm855g+zJ5B3v1FGA6mt+8A4cT2aKAUCPM+8FAtKJLwtgcNU1UTIm9tZBndjtAxYqqsTfA5tJJb6L+VcnfAhBHkQ
X-Forefront-PRVS: 0107098B6C
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY1PR05MB2729; 23:JNw/3SdkAIWvIrNZQ0cwiA/8m7xsHMKZmWfcji0Vp?= =?us-ascii?Q?Y66dnpX//L6RkyOidAs2s8y4eszoehArV9mJhUE7lkP23Lz/Cso4AQ162Ktz?= =?us-ascii?Q?7KqJLJUv9f6RUJOwx2R5Lff2eSoU2XfAaS3BuADXVdD+86rtxAtjBKOnKqaZ?= =?us-ascii?Q?OSBxTbWeHNuvU+OYOG9Rt6FzirI5sBm5FIpBMLTnU9cyJ281rpVAAPRftNDw?= =?us-ascii?Q?CD1Vvug2gdYItvu/DGsBByG4oT81mwMNFJq/oRXGsDj/oDMMStakHBCGkdQH?= =?us-ascii?Q?Ta+pEN9rtRYtufO5rWU/Lb6iTdCFTaXP06+2bUD97JzPGlHtOmMMqNT1p+hy?= =?us-ascii?Q?20PMbq+psn3d8aVL2QzjK6xPdaWBUNFc8VhnjYWg0JGQVlg+O0pf48XVCKFX?= =?us-ascii?Q?EFYJh9mgy0AAM2n2G9SBd1tY60CLgYkDtJvZnKtDowyrjSE6nA7WKT1d62Wc?= =?us-ascii?Q?mb3/KdRlxtKbePvqzYevFZ0YvCL/wAkbxTFpEoXx3cqaHJ88LJuDstkVzoUd?= =?us-ascii?Q?EouRZSozBXX81d+Is3ndTZjD30GFfHi8vaInLHI6D6DwoELOgIZPi0ye4Dhb?= =?us-ascii?Q?7DTFdPY4hixVcgHuSwuaBUEZq3xdCotJan2t04Cy8Ba3pLtEj2LIiV52exZR?= =?us-ascii?Q?sqQgvX38oksh31nYAFd88x9zX+UnApxIR9y7GY1rdRnRRL1L/zYv+Ndjo6Ks?= =?us-ascii?Q?PPH9iSetYi7wfxe5kYxqXGV0IvJdzzfVG0l2L50Rz4w02Hs235YUe/VxbuDv?= =?us-ascii?Q?M2TC0bwX0VGabw60Rl9n6qjuECFexR51Z+wV95EXMnqJ35GY4fJpjio3SIBj?= =?us-ascii?Q?wSCwu7OBvInzZ3WZqi0pmuXkiFDfZCJKGlFr1ex92Oldg5gJkjyvvIYrmiGR?= =?us-ascii?Q?shjTtBn4CT39HWGqCsMjOBSzOD1m4oxhzEI/fYiH0zxlYZ1utnTBqaHY8D9O?= =?us-ascii?Q?U6c/OHG5xvh1Q8FffAsYPVMw325NmDJGXe7Z6vNv9FeT3MoZjrDS7lN6Bg4m?= =?us-ascii?Q?fmQrPi5URnrQ9ImcirgurWBFu3IQcNuF+u47SKSYDiRCNmYMo3PxHf1zK+/5?= =?us-ascii?Q?jlYg07dr2dVMq91makNIt4oXOJFRzduFzrtsrFDXzmrHdErZQuBD7CQdOKhY?= =?us-ascii?Q?R6AeSqtE1O6sEmhYf7v0MYC/pHfUCRc?=
X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2729; 6:+nj3EP1mhoSlzKrTGyfmWVXeNCAQ39oP1DY7ozYdBNNEbzvIUguoamo07SG8dQK8FtF/x2eqsrjv9ad6+qIMkiVaeCUT2+IjoieDiTkudzdhefw8vFDS/l5dpMNHvSVzBxtRTXqOCgb9W0VHhC12nDLAK0zAPUA6OWOkpZeP0x9XG2/SklLKMeBHEwfjlG2QIbHehb6v0clUvRaDsDycChUC9eh+CQfjvRNkdfGYHs318HOV4QoUbfaNn6Qp6PIC6vR2NhRhbA0b4cFZuywMYQECSJA5T4WroUK2Cxm7QB+1+3zgDxQCw+J35NA1OOJ+adfxhe0n157YdB69uIn9aeB8kEAwPaaoccLEz2jdYnw=; 5:kAJ+rlqlJiQEEzpIpfZ1n72zdNRhSbaZKr53zUpkLiKB+LQppV44RogBqyOpiggTw7xU6T4BQwlT15PZRRrxG7CMhzkU+mv6MU+2ntLY77O5bdka7Msejkt1ZB8q2N6XbOcPRFxaAixe/vT9llLfsA==; 24:Nw4H+mHzlsZZ/NErL78fZCMmwTwjrcPIpv3kA+FGE19aYlC8RSYv04ufsLcCTLdb7fZE7bQ//qzUGJMlXU7z9tEpc8mz4Yj9wDe8eqeTgyk=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2729; 7:cWsAARajdooVbmaNO5WCXHt+UZyuuSnwkAp86138j9G2A7jP2h7zblrwVIGXhW2VQmG8+8Vasa+BhcD9D13PDutoomS8s4XEsFiVr4hb5JQ8hiQ9AAnOgTyNl8hykvzQcnmxtmK6gMqC6FILC3LeWArjdNnIX7RkpMzn3JgtBg8af17QT4cYP6ok4LmqC79HiXFcJF6G9HfZgUx3nQY+zub0YDmMmI3gL+TYUAW/0o7cH2w6q+uoE6/ZvbX34yMQXMFkEv80vUY9ZffcKZ6SSfK6z20rIOZB/kMehmuLeAoYDI/CzR7QeSh/8YZpBBPUIaZvOKNFjYi6aizuRJ1sISyK/TAHYH+/50Ogxkg9BCo=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Oct 2016 23:20:56.4262 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.19]; Helo=[P-EMFE01C-SAC.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR05MB2729
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8WemDWtR5jq0AD7dPXE-lSvmX_Y>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 23:21:01 -0000

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Mark Bauschke mentioned they do checking on the OpenSSH list, taking

Minor typo. The lastname is Baushke without the "c" in it. Long story.

> (i.e. assuming) that q = ( p - 1 ) / 2. 

I may have sent a confusing message.

OpenSSL 1.0.2f (to address CVE-2016-0701) added a check where a "q"
parameter is available.

The OpenSSH dh.c::dh_new_group() is able to setup a dh->q value by using
the q = (p - 1) / 2 math. The dh.c::dh_pub_is_valid() could also check
any incoming DH using the OpenSSL
crypto/dh/dh_check.c::DH_check_pub_key() functionality which does:

       /* Check pub_key^q == 1 mod p */
        if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
            goto err;
        if (!BN_is_one(tmp))
            *ret |= DH_CHECK_PUBKEY_INVALID;

as is mandated by NIST SP 800-56A rev1 section 5.6.2.4 FCC Full Public
Key Validation Routine.

In the Juniper Networks OpenSSH implementation a "q" with q=(p-1)/2
parameter validation is performed in FIPS mode because we are mandated
to validate the DH parameters for FIPS 140-2.

This is true even if it is the well known DH group14 (which is not
required for TLS or IPsec).

DH parameter validate can cause some issues if users configure support
for RFC 4419 while in FIPS mode as most of those groups seem to have a
problems finding a proper set of parameters to use a which results in a
well formed q-ordered subgroup evaluation... the result of the DH mod p
operations is p-1 in those situations which is not good.

	-- Mark