Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

Tero Kivinen <kivinen@iki.fi> Wed, 29 March 2017 16:08 UTC

Message-ID: <22747.56331.274710.114550@fireball.acr.fi>
Date: Wed, 29 Mar 2017 19:08:43 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "Mark D. Baushke" <mdb@juniper.net>, "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>
In-Reply-To: <1490771481840.11723@cs.auckland.ac.nz>
References: <CADZyTkmr0WF3BOBby3rObBGGQaqMUq=0Ssc7NB9PAgPFDrk7dA@mail.gmail.com> <30381.1490720068@eng-mail01.juniper.net> <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com> <1490766071333.6018@cs.auckland.ac.nz> <57287.1490768257@eng-mail01.juniper.net> <1490771481840.11723@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/F34Gn9yysiKgBppFFVzjvbOtvKA>

Peter Gutmann writes:
> You do however need to get one or more people to actually verify them.  Until
> I asked about this a few years ago and Henrick Hellström (who probably doesn't
> work for the NSA or CIA :-) kindly obliged by running the tests, I don't know
> if anyone else had ever independently verified the values in RFC 2409 and 3526
> (someone may have, but if they did they didn't publish the fact).

I did verify the RFC 2409 primes (768-, 1024-, and 1536-bit groups) when
I generated RFC 3526. I do not know if anybody else has verified
the RFC 3526 primes.

I did verify the RFC 7919 groups at the Honolulu IETF, and there was even
a typo in the draft at that point:

https://www.ietf.org/mail-archive/web/tls/current/msg15716.html

I also have a page with primality proofs for the IKE and TLS groups on
my web site: https://kivinen.iki.fi/primes/

> Uhh, that's kinda missing the point, you want values that *won't* be adopted
> by everything else out there.  Unless you compartmentalised and said "these
> values are for SSH, these are for SSL, these are for IKE, these are for
> everything else".  I certainly don't want my SSH keyex to become collateral
> damage in some government agency that really just set out to break IKE, or
> VoIP, or SSL.

Actually breaking SSH is much more useful than breaking IKE or TLS.
The first time the administrator types sudo and his root password
inside his SSH connection, the stored SSH stream becomes very valuable
for the attacker... Breaking IKE and TLS will most likely just give
some boring email text from the IETF mailing lists :-)
-- 
kivinen@iki.fi
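The independent verification discussed in this thread (that the published MODP primes really are the values their recipe produces, and that each is a safe prime with 2 generating the order-q subgroup) can be reproduced with a short script. The block below is an added example written for this archive page; it is not code from the email, from the draft, or from the primes page linked above. It rebuilds the groups from the "2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)" recipe that RFC 2409 and RFC 3526 state, with the offsets c and the group 2 / group 5 hex copied from those RFCs (none of those constants appear on this page), then runs Miller-Rabin on p and (p-1)/2. All function and variable names are the example's own, and the round count is an arbitrary choice.

```python
import random

# RFC 2409 / RFC 3526 recipe:  p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)
# c is the offset published in the RFC for each group (copied from the RFCs, not from this page).
MODP_OFFSETS = {
    768: 149686,    # RFC 2409, group 1
    1024: 129093,   # RFC 2409, group 2
    1536: 741804,   # RFC 3526, group 5
    2048: 124476,   # RFC 3526, group 14
}

# Published hex of two groups, copied from the RFCs, so the rebuilt value can be compared.
RFC2409_GROUP2_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
"""
RFC3526_GROUP5_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
"""


def pi_fixed_point(bits, guard=64):
    """floor(pi * 2^bits) via Machin's formula in pure integer arithmetic.
    `guard` extra low bits absorb the truncation error of the series."""
    one = 1 << (bits + guard)

    def arctan_inv(x):  # arctan(1/x) * 2^(bits+guard), alternating series, truncated
        x2, term, total, k = x * x, one // x, one // x, 1
        while term:
            term //= x2
            t = term // (2 * k + 1)
            total += -t if k % 2 else t
            k += 1
        return total

    return (4 * (4 * arctan_inv(5) - arctan_inv(239))) >> guard


def modp_prime(bits):
    """Rebuild the n-bit MODP modulus from the RFC recipe."""
    head = (1 << bits) - (1 << (bits - 64)) - 1
    return head + (1 << 64) * (pi_fixed_point(bits - 130) + MODP_OFFSETS[bits])


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases from the OS CSPRNG (probabilistic, not a proof)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness of compositeness found
    return True


def check_safe_prime(p, rounds=32):
    """The three facts a verifier wants about a DH modulus with generator 2."""
    q = (p - 1) // 2
    return {
        "p_prime": is_probable_prime(p, rounds),
        "q_prime": is_probable_prime(q, rounds),        # p = 2q + 1 with q prime
        "generator_2_has_order_q": pow(2, q, p) == 1,   # 2 lies in the order-q subgroup
    }


def verify_group(bits, published_hex=None, rounds=32):
    """Rebuild one group, compare with the published hex (if given), and check it."""
    p = modp_prime(bits)
    report = {"bit_length_ok": p.bit_length() == bits}
    if published_hex is not None:
        report["matches_published"] = p == int("".join(published_hex.split()), 16)
    report.update(check_safe_prime(p, rounds))
    return report


if __name__ == "__main__":
    for bits, hexval in ((768, None), (1024, RFC2409_GROUP2_HEX),
                         (1536, RFC3526_GROUP5_HEX), (2048, None)):
        print(bits, verify_group(bits, hexval))
```

Two points worth keeping in mind when reading the report: Miller-Rabin with random bases gives "probable prime", which is what most implementations check at runtime; the primality proofs on the page linked above are the stronger statement, and a verifier who wants that level should produce or check a certificate rather than stop here. Comparing the rebuilt value against the hex in the RFC is the part that catches a transcription error of the kind mentioned for the RFC 7919 draft, and it costs nothing beyond the pi computation.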