Re: [Cfrg] Security proofs v DH backdoors
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 31 October 2016 09:14 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AB0F12957E for <cfrg@ietfa.amsl.com>; Mon, 31 Oct 2016 02:14:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.697
X-Spam-Level:
X-Spam-Status: No, score=-5.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4J3U-xqhlWj for <cfrg@ietfa.amsl.com>; Mon, 31 Oct 2016 02:14:08 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7570129579 for <cfrg@irtf.org>; Mon, 31 Oct 2016 02:14:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1477905244; x=1509441244; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=MBRMac/chxULWc7fS1qFroHm4HWjZ1V64YKZ8l6XWq8=; b=jESLqsmGgxCuhKiwPn/pdGw0yBGzovOunBV5IzLh0c95Zec26AipFJGb rCFDXQ0xQqdkGy+fmFvp/nd35ENdH+8GcxdeepjkDOIqhNSklBXCiQYTY ZGR928zmc3Uv5nyMrcruWOSgDAnu5CNqZ1Nv8KYM6EZs9fz8hw5vk8Ei7 nQ3YbPl/X67M0z4+8qD30QCFyQcxmm3I1PPmsd7Yn2AcQnWhJy95+wAay C5pQhWMgrrB3m6Rg8rYj3tT3y9gjsaIZ++nh613wdNAMm2NKZVOwKVsj9 rjDBmkb6WKg0rOlDdUvKKACeanYMDUcRndcJ4FPneYg4R1VxVYUtTW05R Q==;
X-IronPort-AV: E=Sophos;i="5.31,426,1473076800"; d="scan'208";a="112829815"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-ogg-d.UoA.auckland.ac.nz) ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 31 Oct 2016 22:14:00 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 31 Oct 2016 22:14:00 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Mon, 31 Oct 2016 22:14:00 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Michael Scott <mike.scott@miracl.com>
Thread-Topic: [Cfrg] Security proofs v DH backdoors
Thread-Index: AQHSMEAWZy2e+SPalEyp/G+CJ2BAv6C9nFXG//8rFoCABBBRCf//mdWAgAHarQs=
Date: Mon, 31 Oct 2016 09:13:59 +0000
Message-ID: <1477905238437.70578@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <CAEseHRpN94UWT+rPUbyxsZp8ToKYQR=3=Qn0qt_Kdn27Y6iwxg@mail.gmail.com> <1477824996551.98206@cs.auckland.ac.nz>, <CAEseHRqMXBN7MbZh53Rc_zNncG1OHKXHJYoNOFW0kAYoYBbDkw@mail.gmail.com>
In-Reply-To: <CAEseHRqMXBN7MbZh53Rc_zNncG1OHKXHJYoNOFW0kAYoYBbDkw@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NHZdTziJzzF1bHyPnLLpvrE2nMA>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 09:14:10 -0000
Michael Scott <mike.scott@miracl.com> writes: >Its dead simple really (so surely must be a miscommunication). For example >you said that "any fault of any kind inevitably ends up leaking the private >key". This is a technical group, so I expected that this was not some >rhetorical flourish, but you meant exactly what you said. In hindsight (and >here is the miscommunication) it probably was meant as a rhetorical flourish. Yeah, it was just general complaining about the brittleness of ECC (and some of the other mechanisms it's used with). At one end of the scale you've got some pretty bulletproof/abuseproof modes, CBC with HMAC and -PSK, to which you can do almost anything and mostly just end up with data corruption (pathological worst-case with CBC, if you memset() the IV to all-zeroes on each block, is degradation to ECB), while at the other end of the scale you have ECC + AES-GCM, a simple fault in the RNG (so repeated k, repeated counter) means you lose the ECC private key, confidentiality, and integrity- protection, all in one go. >A beginner reading that comment might assume that all they have to do is >induce any fault at all anywhere in an ECC binary, and out will pop the >private key. So no reverse engineering required to determine where to induce >the fault, just whack it anywhere. I think they're probably going to realise it's not as simple as that :-). >In my experience the vast majority of "any faults" just cause the program to >rather boringly crash, not revealing nothing to nobody. If there's a fault and it's unhandled, the watchdog restarts the system. In fact that's a standard error-handling strategy, fail-fast, go into an endless loop until the watchdog restarts the system and the error is cleared. Peter.
- [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Mark D. Baushke
- Re: [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Daniel Bleichenbacher
- Re: [Cfrg] Security proofs v DH backdoors John Mattsson
- Re: [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Michael Scott
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Salz, Rich
- Re: [Cfrg] Security proofs v DH backdoors Michael Scott
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors David Adrian
- Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Antonio Sanso
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny
- Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny