Re: [saag] Possible backdoor in RFC 5114

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Sat, 08 October 2016 14:40 UTC

From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 08 Oct 2016 14:40:28 +0000
Cc: "saag@ietf.org" <saag@ietf.org>

Assuming the curve generator was a bad guy and he/she could do 2^80 computations (not simple computations: running the specified routine to find prime numbers, which means he/she had to run the routine more than 2^80 times by some factor) at that time in 1997, the class of weak curves must have been about 2^169 in 1997, known only to the NSA and never discovered by the public from 1997 until now.


Also, some of the curves are used for top-secret-level information. If it were the case that the NSA knew the curves were weak, would they have taken that risky action, assuming that the rest of the world would not find out for at least 20 years?


Quynh.

________________________________
From: Watson Ladd <watsonbladd@gmail.com>
Sent: Saturday, October 8, 2016 9:37:24 AM
To: Dang, Quynh (Fed)
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114


On Oct 8, 2016 5:30 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>
> Watson and all,
>
> This paper would be a good (re)read: http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.

From which you would have us conclude what?

The backdoor of Gordon in Diffie-Hellman is well-known.  There is no way to know if these primes are backdoored.

>
> Quynh.
>
> ________________________________________
> From: saag <saag-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com>
> Sent: Thursday, October 6, 2016 11:56 AM
> To: saag@ietf.org
> Subject: [saag] Possible backdoor in RFC 5114
>
> https://tools.ietf.org/html/rfc5114
>
> Let's review some publicly known facts:
>
> 1) BBN is a defense contractor
>
> 2) The NSA subverts crypto standards
>
> 3) It is possible to design primes so the discrete log problem is easy
>
> 4) The primes in RFC 5114 are not generated in a verifiable manner: it
> is possible they are hidden SNFS primes.
>
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
>
> Sincerely,
> Watson
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
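Watson's point about primes "generated in a verifiable manner" can be made concrete. The IKE groups in RFC 2409 publish a derivation of each prime from the bits of pi plus a small search offset c, so anyone can rebuild the prime and confirm what the RFC claims about it; the RFC 5114 primes come with no such derivation, so this check cannot be run on them. The following is an added example, not code from the thread or from any RFC, that rebuilds the two RFC 2409 groups from their published formulas and verifies them; the offsets c = 149686 (768-bit group) and c = 129093 (1024-bit group) are the constants stated in RFC 2409, not values from this thread.

```python
# Added example, not from the thread: rebuild the RFC 2409 IKE primes from the
# derivation the RFC publishes (bits of pi plus a small offset c) and check them.
import random

def pi_fixed(bits, guard=64):
    """floor(pi * 2**bits) via Machin's formula in integer arithmetic; the
    guard bits absorb the truncation error of each series term."""
    scale = 1 << (bits + guard)
    def arctan_inv(x):  # arctan(1/x) * scale, as an alternating series
        total, power, k = 0, scale // x, 0
        while power:
            total += (-1) ** k * (power // (2 * k + 1))
            power //= x * x
            k += 1
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

def oakley_prime(n, c):
    """p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)."""
    return (1 << n) - (1 << (n - 64)) - 1 + ((pi_fixed(n - 130) + c) << 64)

def is_probable_prime(m, rounds=32):
    """Miller-Rabin with a fixed witness seed, so the check is reproducible."""
    if m < 4 or m % 2 == 0:
        return m in (2, 3)
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(2409)
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def verify_oakley_group(n, c):
    """Does the rebuilt prime have the properties RFC 2409 claims: top and bottom
    64 bits all ones, p and q=(p-1)/2 prime (safe prime), g=2 of order q?
    A full audit would also confirm that no smaller c yields a safe prime."""
    p = oakley_prime(n, c)
    q = (p - 1) // 2
    ones = (1 << 64) - 1
    return (p.bit_length() == n and p & ones == ones and p >> (n - 64) == ones
            and is_probable_prime(p) and is_probable_prime(q) and pow(2, q, p) == 1)
```

The same function rejects a neighbouring offset such as c - 1, which is exactly the kind of reproducible check an unexplained hex constant cannot offer.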