Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Yoav Nir <ynir.ietf@gmail.com> Mon, 17 October 2016 16:05 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F55112962F; Mon, 17 Oct 2016 09:05:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5XpHvHhB66OY; Mon, 17 Oct 2016 09:05:23 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89A801294BB; Mon, 17 Oct 2016 09:05:23 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id 2so182025679vkb.3; Mon, 17 Oct 2016 09:05:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=JLpv+h0dfj0KdiZ6VhOkZP7YYZSx42POxmRvfjxveME=; b=o6hcg8VdhEGQOGZVtAfzVOW5RPKLb+nIrDXbtmY9CbxCYO1W8fEJdT2XGVzNHccH87 nBFHeLkWGhs/BrdkgUH2i8d3o5a1ImjyTSWGYlKe3wZNLqnwqXQrOB96kkNBCAfzl+MT O+TXyFOj9M8IZl3QtpJRoHxOsmeUIgHQCPAAv/DAZLeQapf619nxADD1RX3NUPY7DoRB sWnpdMJ+HW7Bbsi0e2a3c0zFkpzrt2OEfJSjDCXR21P2eLz9yK6TkspO2i8Gfc1qpoDv Het4O7e8tyogzrQbvET8dRKs7IA9R8bCAiQjXn3YLZrR7944KRwcYJgUgjUds5KJkYpy dU7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=JLpv+h0dfj0KdiZ6VhOkZP7YYZSx42POxmRvfjxveME=; b=Xp7SnNKixo27qydqoT+SMCiwBotel1G2b3QeDHERLSvt0i9fztKYA+1ebsKJ0Lo5hi TkVAJgvoJozx1Fzb5hIoN4QV0FiuexkI17BoN/1w5MDJNA1fmJEk+6gwh06tJfYM9Bjq E/21XsRZ7vwGvYg2hDEJwxzagyDgQnrt7kPTlsr1uDpsfvqaclfkF1+/YGGzwsFa5DoG hntLZG2ACmM9Om3NzB37XDe4Ycq5flHuGEA8hdl0JbAEzOGm8wC1AQRE/qfX05YN7HL+ cR+0/Rnulk1jS/Broo9+ej5ZrOxbME8AeQZ6b6BEIDAvgHjvvSAu5frpVhlv9d8YCMcl w7EA==
X-Gm-Message-State: AA6/9RlxwrMsKXCETCCvSBM4R16sH7RG7phlzBoSR3uh7mi7RVRnXil7HnKrDCqOsPKO3Q==
X-Received: by 10.194.113.35 with SMTP id iv3mr11384928wjb.169.1476720322535; Mon, 17 Oct 2016 09:05:22 -0700 (PDT)
Received: from [192.168.1.13] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id n5sm54012058wjv.35.2016.10.17.09.05.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Oct 2016 09:05:21 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_78200560-BB3F-48D5-886E-80A7CC99F720"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Date: Mon, 17 Oct 2016 19:05:18 +0300
In-Reply-To: <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3bCx6A-JvgtWUpJe1grc07xYZDw>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 16:05:26 -0000
I’m not entirely comfortable with calling something a MUST NOT when all we have is conjecture, but I have no love and no need of those DH groups. I don’t believe anyone else depends on these groups (at least in IPsec), so I’m fine with such a change. Yoav > On 17 Oct 2016, at 18:54, Daniel Migault <daniel.migault@ericsson.com> wrote: > > In fact is there anyone opposing their status becomes MUST NOT in rfc4307bis. > > On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com <mailto:john.mattsson@ericsson.com>> wrote: > > I'm proposing it is time to change this to MUST NOT for 4307bis. > > > > +1 > > On 09/10/16 23:26, "IPsec on behalf of Paul Wouters" > <ipsec-bounces@ietf.org <mailto:ipsec-bounces@ietf.org> on behalf of paul@nohats.ca <mailto:paul@nohats.ca>> wrote: > > > > >Released a few days ago: > > > > http://eprint.iacr.org/2016/961 <http://eprint.iacr.org/2016/961> > > > > A kilobit hidden SNFS discrete logarithm computation > > Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé > > > > We perform a special number field sieve discrete logarithm > > computation in a 1024-bit prime field. To our knowledge, this > > is the first kilobit-sized discrete logarithm computation ever > > reported for prime fields. This computation took a little over > > two months of calendar time on an academic cluster using the > > open-source CADO-NFS software. > > > >Basically, this paper shows how to make a DH group of 1024 modp > >with a backdoor, in two months of academic computing resources, > > > >The paper mentions 5114 a few times: > > > > RFC 5114 [33] specifies a number of groups for use with > > Diffie-Hellman, and states that the parameters were drawn > > from NIST test data, but neither the NIST test data [39] nor > > RFC 5114 itself contain the seeds used to generate the finite > > field parameters > > > >And concludes: > > > > Both from this perspective, and from our more modern one, dismissing the > > risk of trapdoored primes in real usage appears to have been a mistake, > > as the apparent difficulties encountered by the trapdoor designer in > >1992 > > turn out to be easily circumvented. A more conservative design decision > > for FIPS 186 would have required mandatory seed publication instead of > > making it optional. As a result, there are opaque, standardized > >1024-bit > > and 2048-bit primes in wide use today that cannot be properly verified. > > > >This is the strongest statement yet that I've seen to not trust any > >of the RFC-5114 groups. > > > >The latest 4307bis document has these groups (22-24) as SHOULD NOT, > >stating: > > > > Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and > > 2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup > > have small subgroups, which means that checks specified in the > > "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section > > 2.2 first bullet point MUST be done when these groups are used. > > These groups are also not safe-primes. The seeds for these groups > > have not been publicly released, resulting in reduced trust in > > these groups. These groups were proposed as alternatives for > > group 2 and 14 but never saw wide deployment. It is expected > > in the near future to be further downgraded to MUST NOT. > > > >I'm proposing it is time to change this to MUST NOT for 4307bis. > > > >Possibly, we should do this via SAAG in general, and then follow SAAG's > >advise in IPSECME. > > > >Is there _any_ reason why group 22-24 should not be MUST NOT ? > > > >Paul > > > >_______________________________________________ > >IPsec mailing list > >IPsec@ietf.org <mailto:IPsec@ietf.org> > >https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec> > > _______________________________________________ > saag mailing list > saag@ietf.org <mailto:saag@ietf.org> > https://www.ietf.org/mailman/listinfo/saag <https://www.ietf.org/mailman/listinfo/saag> > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso