Re: [Cfrg] DH, not ECDH, subgroup attack question

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 28 January 2020 23:38 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F941200EB for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 15:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKLyv6mkWB4V for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 15:38:23 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7FC5120020 for <cfrg@irtf.org>; Tue, 28 Jan 2020 15:38:23 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 140D562162; Tue, 28 Jan 2020 18:38:21 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5daY2LfHWUzY; Tue, 28 Jan 2020 18:38:15 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id CC01F62132; Tue, 28 Jan 2020 18:38:14 -0500 (EST)
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Richard Barnes <rlb@ipv.sx>
Cc: IRTF CFRG <cfrg@irtf.org>
References: <93a5af6f-e40b-a3aa-ef1e-17ac1feb9ace@htt-consult.com> <CAL02cgRkbcrcgvNzueqQeGEFxMX_pO=JuEuys5txZYqcff3kxw@mail.gmail.com> <1580253099227.42957@cs.auckland.ac.nz> <627d0b50-730c-cf2d-eeaf-cdbbb1237efd@htt-consult.com> <d84e4f53-c242-70bf-a9bc-0ec061dfeb13@htt-consult.com>
Message-ID: <7b426f0e-a487-915b-a75b-565a59eba99f@htt-consult.com>
Date: Tue, 28 Jan 2020 18:38:09 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <d84e4f53-c242-70bf-a9bc-0ec061dfeb13@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------E69B292E610ABFFE1D758FEE"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wh3AM43zoGeM6HmiFRGq8pZ5LUI>
Subject: Re: [Cfrg] DH, not ECDH, subgroup attack question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 23:38:25 -0000


On 1/28/20 6:34 PM, Robert Moskowitz wrote:
>
>
> On 1/28/20 6:29 PM, Robert Moskowitz wrote:
>>
>>
>> On 1/28/20 6:11 PM, Peter Gutmann wrote:
>>>
>>> Just a nitpick, just saw the thread, this is a DH subgroup attack 
>>> question, not an ECDH subgroup attack question.
>>>
>>
>> Oh?  Thank you for nit picking.
>>
>> So if the keys used in the DH exchange are ony NIST p256 and p384 
>> this test is not needed?
>>
>> This issue was brought to my attention in a security review on use of 
>> p256 keys in exchange.   I just ran without digging into what I 
>> needed to add without catching what KIND of DH exchange it applies to....
>>
>> Now I have to read the comment again and figure this all out.
>>
>> Fun.  By some definition of fun.
>
> Ah, I jumped to the wrong section of TLS 1.3.  Not 4.2.8.1, but 4.2.8.2.
>
> My bad.
>
> Which points to sec 4.3.7.
>
> More reading!  Hopefully no more questions for here.

Sec 4.3.7 of ANSI X9.62-2005 which I don't have.  But the text in TLS 
looks clear enough to use.