Re: [Cfrg] Security proofs v DH backdoors
Dan Brown <danibrown@blackberry.com> Thu, 27 October 2016 10:32 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7132129D4A for <cfrg@ietfa.amsl.com>; Thu, 27 Oct 2016 03:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.032
X-Spam-Level:
X-Spam-Status: No, score=-3.032 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KaBrzLa8B7m1 for <cfrg@ietfa.amsl.com>; Thu, 27 Oct 2016 03:32:21 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1238C129D4B for <cfrg@irtf.org>; Thu, 27 Oct 2016 03:32:20 -0700 (PDT)
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs214cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 27 Oct 2016 06:32:09 -0400
Received: from XCT197YKF.rim.net (10.2.25.5) by XCT108CNC.rim.net (10.65.161.208) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 27 Oct 2016 06:32:18 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT197YKF.rim.net ([fe80::459a:3e96:7706:5ba1%12]) with mapi id 14.03.0319.002; Thu, 27 Oct 2016 06:32:18 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "Mark D. Baushke" <mdb@juniper.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [Cfrg] Security proofs v DH backdoors
Thread-Index: AQHSL9+c3X+YapHg8EyMi8s5IjBNmqC8Gwj8
Date: Thu, 27 Oct 2016 10:32:17 +0000
Message-ID: <20161027103214.5709905.11728.6650@blackberry.com>
References: <20161025131014.5709905.2866.6563@blackberry.com>, <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz>, <44595.1477524032@eng-mail01.juniper.net>
In-Reply-To: <44595.1477524032@eng-mail01.juniper.net>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RJ5goDH24ZbZyJukQbWs-V1dF9A>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 10:32:26 -0000
For q=(p-1)/2, literally computing c^q for client public key is very slow. Why not use a faster alternative, such as checking Legendre symbol (c/p), use cofactor DH, or use even private keys? Sent from my BlackBerry 10 smartphone on the Rogers network. Original Message From: Mark D. Baushke Sent: Wednesday, October 26, 2016 7:21 PM To: Peter Gutmann Cc: Ilari Liusvaara; Dan Brown; CFRG Subject: Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann <pgut001@cs.auckland.ac.nz> writes: > Mark Bauschke mentioned they do checking on the OpenSSH list, taking Minor typo. The lastname is Baushke without the "c" in it. Long story. > (i.e. assuming) that q = ( p - 1 ) / 2. I may have sent a confusing message. OpenSSL 1.0.2f (to address CVE-2016-0701) added a check where a "q" parameter is available. The OpenSSH dh.c::dh_new_group() is able to setup a dh->q value by using the q = (p - 1) / 2 math. The dh.c::dh_pub_is_valid() could also check any incoming DH using the OpenSSL crypto/dh/dh_check.c::DH_check_pub_key() functionality which does: /* Check pub_key^q == 1 mod p */ if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) goto err; if (!BN_is_one(tmp)) *ret |= DH_CHECK_PUBKEY_INVALID; as is mandated by NIST SP 800-56A rev1 section 5.6.2.4 FCC Full Public Key Validation Routine. In the Juniper Networks OpenSSH implementation a "q" with q=(p-1)/2 parameter validation is performed in FIPS mode because we are mandated to validate the DH parameters for FIPS 140-2. This is true even if it is the well known DH group14 (which is not required for TLS or IPsec). DH parameter validate can cause some issues if users configure support for RFC 4419 while in FIPS mode as most of those groups seem to have a problems finding a proper set of parameters to use a which results in a well formed q-ordered subgroup evaluation... the result of the DH mod p operations is p-1 in those situations which is not good. -- Mark
- [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Mark D. Baushke
- Re: [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Daniel Bleichenbacher
- Re: [Cfrg] Security proofs v DH backdoors John Mattsson
- Re: [Cfrg] Security proofs v DH backdoors Dan Brown
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Michael Scott
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
- Re: [Cfrg] Security proofs v DH backdoors Salz, Rich
- Re: [Cfrg] Security proofs v DH backdoors Michael Scott
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors David Adrian
- Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Antonio Sanso
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
- Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
- Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny
- Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny