IETF Logo Mail Archive

Re: [Cfrg] Security proofs v DH backdoors

Antonio Sanso <asanso@adobe.com> Mon, 31 October 2016 09:21 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0210712958D for <cfrg@ietfa.amsl.com>; Mon, 31 Oct 2016 02:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ND1GF4sK1MQj for <cfrg@ietfa.amsl.com>; Mon, 31 Oct 2016 02:21:26 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0088.outbound.protection.outlook.com [104.47.36.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD1C129584 for <cfrg@irtf.org>; Mon, 31 Oct 2016 02:21:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GkWHSY2kfPVBF08acHFbFOrGMa8ScybxEj6CojkJyUc=; b=mLXGMUqHJGyxOumdoUI3qoWEn/t4PMPsx4phqUpr2kqZhF/Y7Sk/srJBdH2SM0Alu4aMRy3xPRfIo3L+3GvT/UeQ1Ou34HI2ECkRGG4LtHDb+8p87gm9T+wkIzgcFtAXAw63zpGoPyzSTu4Cv6WrvP45ffuBNQB21E+iBqbZCJE=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1029.namprd02.prod.outlook.com (10.161.203.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Mon, 31 Oct 2016 09:21:23 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0693.009; Mon, 31 Oct 2016 09:21:23 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [Cfrg] Security proofs v DH backdoors
Thread-Index: AdIuwSDNwRWUIafTQyeYSwlwLZEKKQAAsvKAAB+FR4AAJ2g4kwAXcESAAACqUgAAL6odgAAAjdyAAGbYtwAADmwPgAAgR0uAAABDWoA=
Date: Mon, 31 Oct 2016 09:21:23 +0000
Message-ID: <1F1950F9-CCEE-476E-B776-57B3D6297279@adobe.com>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <CAEseHRpN94UWT+rPUbyxsZp8ToKYQR=3=Qn0qt_Kdn27Y6iwxg@mail.gmail.com> <1477824996551.98206@cs.auckland.ac.nz>, <CAEseHRqMXBN7MbZh53Rc_zNncG1OHKXHJYoNOFW0kAYoYBbDkw@mail.gmail.com> <1477905238437.70578@cs.auckland.ac.nz>
In-Reply-To: <1477905238437.70578@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: f837ae4d-c452-436e-da8e-08d4016f48b8
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1029; 7:JrNZIGEGExN8nAfml/HSwqHEIntw6OONUnyF9/ITCyHAATlm9uqqNHERYAgIiP2VSV9fKIA/7Z/yh7kXqBHuZByAUeMdUdYJBAemknYXLlfa8uNHF3malajUhq1g4PUMzpI2E33QRNn+URcErBtfcJTLq55mPyA5YWzui9QV4dygyw0uc8fS3KeJfUs32popEzReWFOwetyKanoQNzOE1X9Pwq18zJBJU5hcBecbfqtc72MTzwTh45z5lMiNbTPjIKeolwcQdz+1shLBmkWXsZ73yBBMnobJwfybZnCHFZ6+TaoQTXdg/rVOAdFw8HAAcFyvRC4VG8J9+3EOJXweWiw0svGC836UnLoH+Wv58rY=; 20:ILZNyOKKp2Oa4Dd+sR0HNXy0G9RzMjUi9idnuub7NXuC7iIjBMJZByZtRly/pFRNx0J9caVwkkXTxI/GJ2LP1T8XRyz7Syp0lwHp0+/DGYUSodPC+uTz6WgQp3i4SrUoiBOh9HgXrZ2Djg8Jc+zV/nJLixSbUig3d6GKtCVYVLM=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0201MB1029;
x-microsoft-antispam-prvs: <BY1PR0201MB1029326DFBA061AF8A2E13BAD9AE0@BY1PR0201MB1029.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BY1PR0201MB1029; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1029;
x-forefront-prvs: 01128BA907
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(189002)(377454003)(24454002)(81166006)(11100500001)(10090500001)(33656002)(586003)(92566002)(105586002)(7846002)(8676002)(2900100001)(99286002)(305945005)(106356001)(189998001)(15975445007)(81156014)(7736002)(82746002)(5002640100001)(87936001)(83716003)(36756003)(3660700001)(4326007)(93886004)(97736004)(3280700002)(5660300001)(8936002)(6916009)(2950100002)(2906002)(66066001)(110136003)(68736007)(77096005)(19580405001)(76176999)(50986999)(54356999)(10400500002)(122556002)(86362001)(6116002)(101416001)(102836003)(3846002)(19580395003)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1029; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <082E7F0192F23041930C54F6E805C01C@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2016 09:21:23.5321 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1029
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OVDSNmKvV-GKZ18wmP-2ekYx7zE>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 09:21:29 -0000

hi Peter,

On Oct 31, 2016, at 10:13 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Michael Scott <mike.scott@miracl.com> writes:
> 
>> Its dead simple really (so surely must be a miscommunication). For example
>> you said that "any fault of any kind inevitably ends up leaking the private
>> key". This is a technical group, so I expected that this was not some
>> rhetorical flourish, but you meant exactly what you said. In hindsight (and
>> here is the miscommunication) it probably was meant as a rhetorical flourish.
> 
> Yeah, it was just general complaining about the brittleness of ECC (and some
> of the other mechanisms it's used with).  At one end of the scale you've got
> some pretty bulletproof/abuseproof modes, CBC with HMAC and -PSK, to which you
> can do almost anything and mostly just end up with data corruption
> (pathological worst-case with CBC, if you memset() the IV to all-zeroes on
> each block, is degradation to ECB), while at the other end of the scale you
> have ECC + AES-GCM, a simple fault in the RNG (so repeated k, repeated
> counter) means you lose the ECC private key, confidentiality, and integrity-
> protection, all in one go.

isn’t this a consequence of the reuse of GCM n-once rather than ECC fault?

regards

antonio

> 
>> A beginner reading that comment might assume that all they have to do is
>> induce any fault at all anywhere in an ECC binary, and out will pop the
>> private key. So no reverse engineering required to determine where to induce
>> the fault, just whack it anywhere.
> 
> I think they're probably going to realise it's not as simple as that :-).
> 
>> In my experience the vast majority of "any faults" just cause the program to
>> rather boringly crash, not revealing nothing to nobody.
> 
> If there's a fault and it's unhandled, the watchdog restarts the system.  In
> fact that's a standard error-handling strategy, fail-fast, go into an endless
> loop until the watchdog restarts the system and the error is cleared.
> 
> Peter.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email