Re: [Cfrg] Security proofs v DH backdoors

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 01 November 2016 00:50 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Tony Arcieri <bascule@gmail.com>
Date: Tue, 1 Nov 2016 00:50:17 +0000
Message-ID: <1477961415238.78465@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <CAHOTMVJprJ0HAXLcvdzeSW8N99L-_43Gh7vEqL4Z=T541TVnSQ@mail.gmail.com> <1477907089090.8356@cs.auckland.ac.nz>, <CAHOTMVLJup1kzRWiargq-jh8wb+oynSTVZ8HAEQCb4ysk9ozfA@mail.gmail.com>
In-Reply-To: <CAHOTMVLJup1kzRWiargq-jh8wb+oynSTVZ8HAEQCb4ysk9ozfA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cHErFkriPn8IFtgrP639oN1xq-w>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Tony Arcieri <bascule@gmail.com> writes:

>I don't know about "millions" (it's hard to say without stats on internal TLS
>deployments which aren't visible from the Internet), but Logjam was pretty
>pervasive, and also one of the forcing factors for the PCI council to mandate
>TLS 1.1 at a minimum by 2018.

Logjam wasn't really a DH weakness, though; it was a "dear God, we're still
using 512-bit keys in 2015?!?!?!?" weakness.  Also, TLS 1.1 won't fix that:
you can use toy keys with any version of the protocol (there's a somewhat
resigned explanatory comment in -LTS next to a SHOULD NOT that says that it
shouldn't be necessary to have an explicit SHOULD NOT for something that was
known to be broken 20 years ago, but that it's necessary because people will
continue to use it otherwise).

Having said that, using Logjam as an excuse to mandate 1.1 was pretty
crafty :-).

Peter.
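The point made above, that no version of TLS rejects a 512-bit DH group on the client's behalf, is what a client-side parameter check has to enforce itself. The following is an added example, not code from this thread or from any TLS implementation: it parses the ServerDHParams structure carried in a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3: three length-prefixed opaque values dh_p, dh_g, dh_Ys) and applies a minimum-modulus policy to whatever the server sent. The 512-bit sample prime is generated inside the block and is constructed input; the `min_bits` default of 2048 is this example's policy choice, not a value from the thread. Note that the negotiated protocol version appears nowhere in the check, which is exactly the point.

```python
"""Client-side sanity check of DHE parameters from a TLS ServerKeyExchange.

Added example (not from the CFRG thread): parse ServerDHParams and refuse
groups that are too small, independent of the negotiated TLS version.
"""
import struct

# Fixed Miller-Rabin bases so the primality verdict is deterministic.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; good enough to reject obvious junk."""
    if n < 2:
        return False
    for b in _MR_BASES:            # cheap trial division first
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness: n is composite
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n (used only to build constructed samples)."""
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def _opaque(b: bytes) -> bytes:
    return struct.pack("!H", len(b)) + b          # opaque<1..2^16-1>


def _int_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build the ServerDHParams wire structure (for constructing test input)."""
    return _opaque(_int_bytes(p)) + _opaque(_int_bytes(g)) + _opaque(_int_bytes(ys))


def parse_server_dh_params(data: bytes):
    """Return (p, g, Ys, remaining_bytes) from a ServerDHParams structure."""
    vals = []
    off = 0
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad opaque length in ServerDHParams")
        vals.append(int.from_bytes(data[off:off + n], "big"))
        off += n
    return vals[0], vals[1], vals[2], data[off:]


def check_dh_params(p: int, g: int, ys: int, min_bits: int = 2048) -> list:
    """Return a list of policy violations; empty means the group is acceptable."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is {p.bit_length()} bits, minimum is {min_bits}")
    if p % 2 == 0 or not is_probable_prime(p):
        problems.append("modulus is not prime")
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
    if not 2 <= ys <= p - 2:
        problems.append("server public value out of range")
    return problems


def evaluate_server_key_exchange(skx_params: bytes, min_bits: int = 2048) -> list:
    """Parse the server's DH parameters and apply the policy; no version input."""
    p, g, ys, _signature = parse_server_dh_params(skx_params)
    return check_dh_params(p, g, ys, min_bits)


if __name__ == "__main__":
    # Constructed sample: a 512-bit prime of the kind Logjam exploited.
    p512 = next_prime(1 << 511)
    sample = encode_server_dh_params(p512, 2, 12345)
    print("policy 2048:", evaluate_server_key_exchange(sample))
    print("policy 512: ", evaluate_server_key_exchange(sample, min_bits=512))
```

With the default policy the constructed 512-bit group is rejected with a modulus-size complaint; lowering `min_bits` to 512 lets the same bytes through, which is all a "toy key" needs regardless of which TLS version carried them.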