[IPsec] Draft-ietf-ipsecme-dh-checks-01.txt
Tero Kivinen <kivinen@iki.fi> Tue, 02 April 2013 11:45 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4650821F97D1 for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2013 04:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, OBSCURED_EMAIL=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcK337X-ArEK for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2013 04:45:36 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7280021F97CF for <ipsec@ietf.org>; Tue, 2 Apr 2013 04:45:35 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r32BjWcd022927 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 2 Apr 2013 14:45:32 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r32BjWHH026953; Tue, 2 Apr 2013 14:45:32 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20826.50396.636689.934107@fireball.kivinen.iki.fi>
Date: Tue, 02 Apr 2013 14:45:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 7 min
X-Total-Time: 12 min
Subject: [IPsec] Draft-ietf-ipsecme-dh-checks-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 11:45:37 -0000
Btw, I have had some discussion about the MODP Diffie-Hellman groups used in the IKE in the IEEE 802.11ai mailing list, and during that discussion I did notice one more pieces of text I had completely forgotten. The RFC2412 which defines the original Diffie-Hellman MODP groups used in the IKE has following text: ---------------------------------------------------------------------- 5. Security Implementation Notes Timing attacks that are capable of recovering the exponent value used in Diffie-Hellman calculations have been described by Paul Kocher [Kocher]. In order to nullify the attack, implementors must take pains to obscure the sequence of operations involved in carrying out modular exponentiations. A "blinding factor" can accomplish this goal. A group element, r, is chosen at random. When an exponent x is chosen, the value r^(-x) is also calculated. Then, when calculating (g^y)^x, the implementation will calculate this sequence: A = (rg^y) B = A^x = (rg^y)^x = (r^x)(g^(xy)) C = B*r^(-x) = (r^x)(r^-(x))(g^(xy)) = g^(xy) The blinding factor is only necessary if the exponent x is used more than 100 times (estimate by Richard Schroeppel). ---------------------------------------------------------------------- This directly relates to the exponent reuse case, and thats why I think it might be good idea to include pointer to that in the dh-checks draft too. Especially to point out that if exponent x is reused too often this kind of blinding factor is needed. Btw, Appendix E in RFC2412 also tells how those MODP groups are generated just in case someone has missed that and is interested in it... -- kivinen@iki.fi
- [IPsec] Draft-ietf-ipsecme-dh-checks-01.txt Tero Kivinen