IETF Logo Mail Archive

Re: [Cfrg] DH, not ECDH, subgroup attack question

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 28 January 2020 23:35 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76F8B120020 for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 15:35:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uol1y_1ezVs3 for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 15:35:11 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6C24120105 for <cfrg@irtf.org>; Tue, 28 Jan 2020 15:35:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 3650C62162; Tue, 28 Jan 2020 18:35:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qRfK3GYeawp2; Tue, 28 Jan 2020 18:35:02 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id E486F62132; Tue, 28 Jan 2020 18:34:59 -0500 (EST)
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Richard Barnes <rlb@ipv.sx>
Cc: IRTF CFRG <cfrg@irtf.org>
References: <93a5af6f-e40b-a3aa-ef1e-17ac1feb9ace@htt-consult.com> <CAL02cgRkbcrcgvNzueqQeGEFxMX_pO=JuEuys5txZYqcff3kxw@mail.gmail.com> <1580253099227.42957@cs.auckland.ac.nz> <627d0b50-730c-cf2d-eeaf-cdbbb1237efd@htt-consult.com>
Message-ID: <d84e4f53-c242-70bf-a9bc-0ec061dfeb13@htt-consult.com>
Date: Tue, 28 Jan 2020 18:34:55 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <627d0b50-730c-cf2d-eeaf-cdbbb1237efd@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------F1E145D45F04D2C53413FE03"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zcYnzniyZqvKTo5a5aUVaaYWb38>
Subject: Re: [Cfrg] DH, not ECDH, subgroup attack question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 23:35:13 -0000


On 1/28/20 6:29 PM, Robert Moskowitz wrote:
>
>
> On 1/28/20 6:11 PM, Peter Gutmann wrote:
>>
>> Just a nitpick, just saw the thread, this is a DH subgroup attack 
>> question, not an ECDH subgroup attack question.
>>
>
> Oh?  Thank you for nit picking.
>
> So if the keys used in the DH exchange are ony NIST p256 and p384 this 
> test is not needed?
>
> This issue was brought to my attention in a security review on use of 
> p256 keys in exchange.   I just ran without digging into what I needed 
> to add without catching what KIND of DH exchange it applies to....
>
> Now I have to read the comment again and figure this all out.
>
> Fun.  By some definition of fun.

Ah, I jumped to the wrong section of TLS 1.3.  Not 4.2.8.1, but 4.2.8.2.

My bad.

Which points to sec 4.3.7.

More reading!  Hopefully no more questions for here.

v2.23.0 | Report a Bug | By Email