Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks

Tero Kivinen <kivinen@iki.fi> Tue, 09 April 2013 13:07 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0417321F9138 for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 06:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mK-i1wSlPoHs for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 06:07:19 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id D875C21F89CF for <ipsec@ietf.org>; Tue, 9 Apr 2013 06:07:18 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r39D5sZc019880 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Apr 2013 16:05:54 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r39D5rqS025781; Tue, 9 Apr 2013 16:05:53 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20836.4657.322399.281541@fireball.kivinen.iki.fi>
Date: Tue, 9 Apr 2013 16:05:53 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB34042090604F1@xmb-rcd-x04.cisco.com>
References: <9F821C79-A855-4060-A356-ED8E5C50048B@vpnc.org> <51634894.1030306@brainhub.org> <A113ACFD9DF8B04F96395BDEACB34042090604F1@xmb-rcd-x04.cisco.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 3 min
X-Total-Time: 3 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Andrey Jivsov <openpgp@brainhub.org>
Subject: Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 13:07:20 -0000

Scott Fluhrer (sfluhrer) writes:
> Now, there are q-1 different primitive elements; that's more than we
> could reasonably list.  We could specify a test to reject primitive
> elements; however, that test isn't cheap (it can be done cheaper
> than the full r**q==1 test, nevertheless, not cheaply.  In addition,
> an attacker injecting a primitive element could use it to deduce the
> lsbit of the private exponent; however that cannot deduce any more
> than that.  I don't believe that the expense of the full test is
> worth protecting one bit of the exponent. 

Hmm... there is text in the RFC2412 about this I think:
----------------------------------------------------------------------
   Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
   residue of each prime.  All powers of 2 will also be quadratic
   residues.  This prevents an opponent from learning the low order bit
   of the Diffie-Hellman exponent (AKA the subgroup confinement
   problem).  Using 2 as a generator is efficient for some modular
   exponentiation algorithms.  [Note that 2 is technically not a
   generator in the number theory sense, because it omits half of the
   possible residues mod P.  From a cryptographic viewpoint, this is a
   virtue.]
----------------------------------------------------------------------

I assume this the same thing you are talking about i.e. opponent
learning the low order bit of the DH exponent, and RFC2412 claims that
the nature of the primes that attack is not possible. Right?
-- 
kivinen@iki.fi