Re: [Cfrg] ECDH subgroup attack question
Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 28 January 2020 22:43 UTC
To: Richard Barnes <rlb@ipv.sx>
Cc: IRTF CFRG <cfrg@irtf.org>
References: <93a5af6f-e40b-a3aa-ef1e-17ac1feb9ace@htt-consult.com> <CAL02cgRkbcrcgvNzueqQeGEFxMX_pO=JuEuys5txZYqcff3kxw@mail.gmail.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <7d4f2948-6f94-f0f0-4e6a-f934c4ddb70d@htt-consult.com>
Date: Tue, 28 Jan 2020 17:43:08 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/z-l3jBl_DdvPkTM2DQgotteTYt0>
Is there some external document to reference when providing this text in a draft's Security Considerations section? Or is this 'so well known' now that putting it in the Security Considerations is all that is needed?

thanks

On 1/28/20 5:20 PM, Richard Barnes wrote:
>
> On Tue, Jan 28, 2020 at 4:46 PM Robert Moskowitz
> <rgm-sec@htt-consult.com <mailto:rgm-sec@htt-consult.com>> wrote:
>
> > In TLS 1.3, RFC 8446 sec 4.2.8.1 the testing range for Y is:
> >
> > 1 < Y < p-1
> >
> > In RFC 2785 sec 3.1, that references 2631, the range for Y is:
> >
> > "within the interval [2, p-1]"
> >
> > TLS 1.3 is more liberal, it seems to me, than 2785.
>
> No, TLS 1.3 is more conservative, since it rules out p-1 (i.e., it
> allows [2, p-2]). This is more safe because p-1 generates the
> subgroup of order two {p-1, 1}.
>
> --Richard
>
> > What is 'right' / 'safe'?
> >
> > Further 2785 has a second check:
> >
> > Compute y^q mod p. If the result == 1, the key is valid.
> >
> > Is this test still advised?
> >
> > thank you
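As an added example (not from the thread or any RFC), the two checks discussed above written out as validation code, using a toy modulus p = 67 constructed for illustration (p-1 = 2*3*11, so q = 11 is the prime subgroup order; not a real DH group). It shows that p-1 passes the RFC 2785 range but not the TLS 1.3 range, that the order-3 element 37 passes both ranges but fails the y^q check, and how many distinct shared secrets each value can yield.

```python
# Added example (not from the thread): Diffie-Hellman public-value validation
# combining the two checks discussed in the thread:
#   1. range check     1 < Y < p-1, i.e. [2, p-2]   (RFC 8446 sec 4.2.8.1)
#   2. subgroup check  y^q mod p == 1               (RFC 2785 sec 3.1)
# Toy parameters, constructed for illustration only: p = 67, p-1 = 2*3*11, so
# q = 11 is the prime subgroup order and 2 and 3 are small cofactors.

P = 67   # toy prime, NOT a real DH modulus
Q = 11   # prime order of the intended subgroup; (P - 1) % Q == 0
G = 64   # generator of the order-Q subgroup: pow(2, (P - 1) // Q, P)


def in_tls13_range(y: int, p: int) -> bool:
    """RFC 8446 check: 1 < Y < p-1, i.e. the interval [2, p-2]."""
    return 1 < y < p - 1


def in_rfc2785_range(y: int, p: int) -> bool:
    """RFC 2785 range as quoted: Y within [2, p-1] (this admits p-1)."""
    return 2 <= y <= p - 1


def in_prime_order_subgroup(y: int, p: int, q: int) -> bool:
    """RFC 2785 second check: y^q mod p == 1 iff y is in the order-q subgroup."""
    return pow(y, q, p) == 1


def validate_public_value(y: int, p: int, q: int) -> bool:
    """Full validation: conservative range check plus subgroup membership."""
    return in_tls13_range(y, p) and in_prime_order_subgroup(y, p, q)


def shared_secret_space(y: int, p: int) -> int:
    """Number of distinct values y^x mod p can take over all private x.

    This equals the order of y. A tiny value is exactly the weakness the
    checks remove: p-1 yields only {p-1, 1}, the order-2 subgroup."""
    return len({pow(y, x, p) for x in range(1, p)})


if __name__ == "__main__":
    for y in (P - 1, 37, G, pow(G, 5, P)):
        print(f"y={y:2d} tls13_range={in_tls13_range(y, P)!s:5} "
              f"rfc2785_range={in_rfc2785_range(y, P)!s:5} "
              f"y^q==1:{in_prime_order_subgroup(y, P, Q)!s:5} "
              f"distinct_secrets={shared_secret_space(y, P)}")
```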