IETF Logo Mail Archive

Re: [saag] Possible backdoor in RFC 5114

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 07 October 2016 21:12 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4142412971B for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 14:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.517
X-Spam-Level:
X-Spam-Status: No, score=-17.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jgjr_PDhmFis for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 14:12:22 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F09581296C2 for <saag@ietf.org>; Fri, 7 Oct 2016 14:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3352; q=dns/txt; s=iport; t=1475874741; x=1477084341; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=RmaioDVsE9ybv8n/267UAqXq6vn9esqkmfkliR7XVAY=; b=eYFTKIEjdP2UFgzFqHKmEPXtiGAf9zO9wBBzp/3QXCZHUy/AEMCx//Jz uqWN6mxetHy+evfRj1r8PrrIFMcPkDVkjh/HPaLOr4r35f7lno/U8EgM3 wTKY7u3+2FF8loqT2WT83R3DveRiVjCGm0TBh6VSZk12DRR2g0D24FVvW k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AYAQA/D/hX/49dJa1cGQEBAQEBAQEBAQEBBwEBAQEBgz0BAQEBAR5XfAeNLJZ/lCyCCxsLhXoCgX84FAECAQEBAQEBAV4nhGEBAQEDAQEBATc0CwUHBAIBCBEEAQEfCQcnCxQJCAIEAQ0FCIhACA7AGAEBAQEBAQEBAQEBAQEBAQEBAQEBARgFhjyEVYE8iGoFmX8Bj3OBdYRniR+Md4N+AR42S4JrHIFTcocPgQABAQE
X-IronPort-AV: E=Sophos;i="5.31,456,1473120000"; d="scan'208";a="155679075"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Oct 2016 21:12:21 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id u97LCKnC000720 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 7 Oct 2016 21:12:21 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 7 Oct 2016 16:12:20 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1210.000; Fri, 7 Oct 2016 16:12:20 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSIKMXG3N0BgRdDE+CK2NUlU6XTKCdfB8A
Date: Fri, 07 Oct 2016 21:12:20 +0000
Message-ID: <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi>
In-Reply-To: <22519.43588.421250.807948@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.108.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-hqvMiGHabBWJ34tRiJyqsiWA_g>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 21:12:24 -0000

> I have no idea why we would want to mark the document as historic, or obsolete it, especially as it does define things that are in use (ECP groups).
> It does not give any recommendations for using those groups, for example in IPsec we do have separate documents which gives those recommendations and for the 256-bit ECP we are saying SHOULD, and for the MODP groups defined in the 5114 we are saying SHOULD NOT.
> That is much better way to define the recommendations and how those groups should or should not be used.

Agreed. The ECP groups are widely used in IKE. "Historifying" will not add value especially before a 25519 group is defined.
Panos



-----Original Message-----
From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Tero Kivinen
Sent: Friday, October 07, 2016 10:00 AM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114

Stephen Farrell writes:
> 
> So I'm not seeing anyone so far argue to not deprecate these somehow.
> 
> We could just make 5114 historic as Yoav suggests, or, if someone 
> writes an I-D to explain why, we could obsolete 5114. (Such an I-D 
> would presumably also say something about codepoints that point at
> 5114 from other registries.)
> 
> Assuming nobody shows up saying these are in fact in widespread use 
> I'd be supportive of us getting rid of cruft.

I think the NIST ECP groups are quite widely supported, and used.
RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521) and
3 MODP groups.

In IPsec, ECP groups are widely used, those MODP groups with subgroup are not. On the other hand I think only those 192, 256 and 521 bit groups are really used, and those are defined also in RFC5903 (which obsoleted original 4753 which had serious bug in it).

> So, someone wanna volunteer to write an I-D that'd obsolete 5114? If 
> so, say so here.

Or parts of it or something. 

> Or, if you want me to start the "mark it historic"
> process (which doesn't need an I-D), please say so here. (Note that 
> even though this doesn't need an I-D the status-change does get an 
> IETF last
> call.)

Marking NIST ECP groups as historic might be preferrable for some people, but it might be good idea to wait before we have curve25519 etc published as rfc for all protocols that 5114 covers before we go that far. In IPsec the curve25519 etc are now in the IESG, I do not know what is the status for other protocls (X.509, TLS, SSH, SMIME). 

> Or, if you wanna argue that none of the above are right, then please 
> do that.

I have no idea why we would want to mark the document as historic, or obsolete it, especially as it does define things that are in use (ECP groups).

It does not give any recommendations for using those groups, for example in IPsec we do have separate documents which gives those recommendations and for the 256-bit ECP we are saying SHOULD, and for the MODP groups defined in the 5114 we are saying SHOULD NOT.

That is much better way to define the recommendations and how those groups should or should not be used.
--
kivinen@iki.fi

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email