Re: [IPsec] New draft on IKE Diffie-Hellman checks

Hugo Krawczyk <hugo@ee.technion.ac.il> Mon, 10 December 2012 22:56 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE7821F85E6 for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2012 14:56:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.143
X-Spam-Level:
X-Spam-Status: No, score=-2.143 tagged_above=-999 required=5 tests=[AWL=0.833, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 414ZIlJnIV8I for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE8621F8507 for <ipsec@ietf.org>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id fw7so3340368vcb.31 for <ipsec@ietf.org>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=woLufvmT9IqVmbSrNhceStcWd4hPnTSOsaOJc/NDX9g=; b=vmZMC9Dz/Mbv0GwUnbd37iJXlPAhtSSce/9KefWPvj9zOuSOUAoDORAWGQrTkvn0ua 6KmTz0Qzox9sWRTHa8dPjv6zafOmXdadwpiLXUPC41kAqYAZnn6lrKR4rhVsfb+CEVuH nA8P9I/iWdgGr+hPWzPiodERzpBhFP72Jdol5JfFYqD9RDJdGvWNoo1GEjfKuWtwuOVV IHS+YTIIJMkD06fkpaWG5u9EUUt6Gn9+JXklsNQirFACpb/5XPNTghLDxZCFCLIE38RY uQq1quXGQDOzdSjVCOXEjipxhQWB6SO219zmJFf0rKG8jYgsGBxRUYcMk5FQ2rzCxM3u MVsw==
Received: by 10.58.198.164 with SMTP id jd4mr10279709vec.34.1355180208104; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.58.29.50 with HTTP; Mon, 10 Dec 2012 14:56:28 -0800 (PST)
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340421E4BE9@xmb-rcd-x04.cisco.com>
References: <50C62D6A.8010709@gmail.com> <CADi0yUPp4=8BMXf8543rMzc2bYE8XAM6vjSxZa-9cjBUv5zdSA@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340421E4BE9@xmb-rcd-x04.cisco.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 10 Dec 2012 17:56:28 -0500
X-Google-Sender-Auth: ygb_RxvQ0gFL3qG8gHIav-AxhAk
Message-ID: <CADi0yUOKt2SAbWVrSio68e1cD5WQ4HaJaaZcpMQG9G+3nXDXBA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Content-Type: multipart/alternative; boundary="e89a8f642ee0e9242f04d0877ad0"
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] New draft on IKE Diffie-Hellman checks
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 22:56:49 -0000

If the recommendation is to be compatible with the unnecessary checks of
56A in this case then say that.
As written now, one would assume that there is a security benefit to it.
(That's how we carry legacy misconceptions from standard to standard.)

Hugo

On Mon, Dec 10, 2012 at 4:53 PM, Scott Fluhrer (sfluhrer) <
sfluhrer@cisco.com> wrote:

>  ** **
>
> ** **
>
> *From:* ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] *On Behalf
> Of *Hugo Krawczyk
> *Sent:* Monday, December 10, 2012 2:50 PM
> *To:* Yaron Sheffer
> *Cc:* IPsecme WG
> *Subject:* Re: [IPsec] New draft on IKE Diffie-Hellman checks****
>
> ** **
>
> The tests in sections 2.1 and 2.3 are cheap and can serve as sanity checks
> for an implementation as stated in the draft, even if DH is not reused.
>
> On the other hand, the test in 2.2 is expensive, equivalent to a group
> exponentiation, and therefore should not be recommended without DH re-use
> (in which case the test is an expensive waste).
>
> Actually, the right recommendation (or MUST) for 2.2 groups is NOT to
> reuse DH values.
> Indeed, the reason to reuse DH is to save an exponentiation but if you do
> so you pay with an extra exponentiation for the membership test. Moreover,
> while the exponentiation you are saving can be performed offline (before
> the run of the IKE session), the group membership test is online, so either
> way it makes no sense to reuse the DH exponents.****
>
> I cannot disagree with anything you say.  However, the real reason the 2.2
> groups (22, 23, 24) exist is the other MODP groups do not conform to NIST
> SP 800-56A (see section 5.5.1.1).  And, SP 800-56A also mandates the checks
> we recommend (section 5.6.2.4).****
>
> That is, if you are implementing (say) group 24 specifically for
> conformance reasons, you’re going to do that test anyways (yes, it may be
> an expensive waste for cryptographical reasons, however, it isn’t for
> conformance reasons).  In that scenario, DH reuse does make sense (because
> not doing DH reuse doesn’t let you eliminate the test).****
>
> I would agree that maybe we need to extend the draft to discuss these
> noncryptographical issues.****
>
> ** **
>
>
> By the way, if you forbid re-use, you need to actually mandate fresh
> exponents with each session (otherwise, an implementation maybe tempted to
> avoid re-use by using g^x, g^{x+1}, g^{x+2}, etc.)
>
> Hugo****
>
> On Mon, Dec 10, 2012 at 1:43 PM, Yaron Sheffer <yaronf.ietf@gmail.com>
> wrote:****
>
> Hi,
>
> following the recent discussion on the mailing list, Scott Fluhrer and
> myself just published a draft that updates RFC 5996 by adding the required
> recipient-side tests for ECDH. Please see
> http://www.ietf.org/internet-drafts/draft-sheffer-ipsecme-dh-checks-00.txt
> .
>
> We have not addressed the issues raised by Dan and Tero regarding
> inconsistencies between various RFCs that define ECDH groups for IKE. I
> personally deem these issues to be out of scope of the current document.
>
> Comments are very welcome.
>
> Thanks,
>     Yaron
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec****
>
> ** **
>