[IPsec] Yet another RFC-5114 attack

Paul Wouters <paul@nohats.ca> Tue, 18 October 2016 13:59 UTC

Date: Tue, 18 Oct 2016 09:59:49 -0400
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Message-ID: <alpine.LRH.2.20.1610180951020.18741@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/sTu2cUR4NtPuCVZW5YL9BJOfGM8>

https://eprint.iacr.org/2016/995.pdf

    Several recent standards, including NIST SP 800-56A and RFC
    5114, advocate the use of "DSA" parameters for Diffie-Hellman
    key exchange. While it is possible to use such parameters
    securely, additional validation checks are necessary to
    prevent well-known and potentially devastating attacks. In this
    paper, we observe that many Diffie-Hellman implementations do
    not properly validate key exchange inputs. Combined with other
    protocol properties and implementation choices, this can radically
    decrease security. We measure the prevalence of these parameter
    choices in the wild for HTTPS, POP3S, SMTP with STARTTLS,
    SSH, IKEv1, and IKEv2, finding millions of hosts using
    DSA and other non-"safe" primes for Diffie-Hellman
    key exchange, many of them in combination with potentially
    vulnerable behaviors. We examine over 20 open-source cryptographic
    libraries and applications and observe that until January 2016,
    not a single one validated subgroup orders by default.

This paper also actually understood the difficulties of IKE scanning!
And kudos to the authors for looking into so much deployment and open
source software!

Paul
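The "additional validation checks" the abstract refers to are the domain-parameter and public-key validation steps for a (p, q, g) group: confirm that q divides p-1 and that g generates the order-q subgroup, and confirm that a peer's public value y lies in that subgroup (y^q mod p == 1) rather than in one of the small subgroups that a non-safe prime p admits. The following is an added illustration written for this message; it is neither the paper's code nor any of the surveyed libraries' code. The group p=67, q=11, g=64 is a constructed toy group chosen only so the arithmetic is visible; real deployments use the published RFC 5114 / SP 800-56A values, and the function names are the example's own.

```python
# Added example: validation of DSA-style Diffie-Hellman groups (p, q, g)
# and of peer public values, in the spirit of the checks SP 800-56A
# requires.  Toy parameters are CONSTRUCTED for illustration only.
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (sufficient for the toy group; a
    production implementation would accept only well-known published groups)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, q: int, g: int) -> bool:
    """Domain-parameter validation: p and q prime, q | p-1, 1 < g < p-1,
    and g^q == 1 (mod p), i.e. g generates the order-q subgroup."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0:
        return False
    if not 1 < g < p - 1:
        return False
    return pow(g, q, p) == 1


def validate_public_value(p: int, q: int, y: int) -> bool:
    """Full public-key validation for a peer value y: the range check
    2 <= y <= p-2 rejects the trivial elements, and y^q == 1 (mod p)
    rejects elements of every small subgroup of Z_p* that q does not cover."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def element_order(y: int, p: int) -> int:
    """Multiplicative order of y mod p by brute force (toy-sized p only);
    shows why the subgroup check matters: p-1 = 66 = 2*3*11 has small factors."""
    k, acc = 1, y % p
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k


# Constructed toy group: p = 67, q = 11, g = 64 (64 = 2^6 has order 11 mod 67).
TOY_P, TOY_Q, TOY_G = 67, 11, 64


def demo() -> bool:
    """Generate a key pair in the toy group and run both validations."""
    x = secrets.randbelow(TOY_Q - 1) + 1        # private exponent in [1, q-1]
    y = pow(TOY_G, x, TOY_P)                    # honest public value
    return validate_group(TOY_P, TOY_Q, TOY_G) and validate_public_value(TOY_P, TOY_Q, y)


if __name__ == "__main__":
    print("group ok:", validate_group(TOY_P, TOY_Q, TOY_G))
    print("honest key pair ok:", demo())
    # 37 = 2^22 mod 67 has order 3: it passes the range check but fails y^q == 1.
    print("order of 37:", element_order(37, TOY_P),
          "accepted:", validate_public_value(TOY_P, TOY_Q, 37))
```

Note that a value such as 37 in the toy group passes every check an implementation that only tests 1 < y < p-1 would perform; it is the pow(y, q, p) == 1 test, the "subgroup order validation" the abstract says was absent by default, that rejects it. With safe primes (p = 2q+1) the range check alone suffices, which is why that check is the one most implementations historically relied on.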