Re: [saag] Possible backdoor in RFC 5114

Watson Ladd <watsonbladd@gmail.com> Sat, 08 October 2016 16:05 UTC

In-Reply-To: <CY4PR09MB146483906EC10E70A59AD7FDF3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com> <CACsn0c=o9NoYLGhQx__C4izGRPSzo6aRBJk-2d5R9FxKcf--qg@mail.gmail.com> <CY4PR09MB146483906EC10E70A59AD7FDF3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 08 Oct 2016 08:59:25 -0700
Message-ID: <CACsn0c=EBRytv9WHbUhmJCmhkYZNqsnRP49aqAVHLOpAa7N8Hg@mail.gmail.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/58WshRSj-23Wn3zmU5YsQDGp-EA>
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114

On Oct 8, 2016 7:40 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>
> Assuming the curves generator was a bad guy and he/she could do 2^80
> computations (not simple computations: running the specified routine to
> find prime numbers, which means he/she got to do more than 2^80 times of
> the routine by a factor) at that time in 1997, the class of weak curves
> must have been about 2^169 in 1997, only known to the NSA and has never
> been discovered by the public from 1997 until now.
>
>
> Also, some of the curves are used for top secret security level
> information. If it was the case that the NSA knew the curves were weak
> curves, would they take that risky action by assuming that the rest of the
> world would not find that out for at least 20 years later?

Am I discussing ECC? No.

>
>
> Quynh.
>
> ________________________________
> From: Watson Ladd <watsonbladd@gmail.com>
> Sent: Saturday, October 8, 2016 9:37:24 AM
> To: Dang, Quynh (Fed)
> Cc: saag@ietf.org
> Subject: Re: [saag] Possible backdoor in RFC 5114
>
>
> On Oct 8, 2016 5:30 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
> >
> > Watson and all,
> >
> > This paper would be a good (re)read:
> > http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.
>
> From which you would have us conclude what?
>
> The backdoor of Gordon in Diffie-Hellman is well-known.  There is no way
> to know if these primes are backdoored.
>
> >
> > Quynh.
> >
> > ________________________________________
> > From: saag <saag-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com>
> > Sent: Thursday, October 6, 2016 11:56 AM
> > To: saag@ietf.org
> > Subject: [saag] Possible backdoor in RFC 5114
> >
> > https://tools.ietf.org/html/rfc5114
> >
> > Let's review some publicly known facts:
> >
> > 1) BBN is a defense contractor
> >
> > 2) The NSA subverts crypto standards
> >
> > 3) It is possible to design primes so the discrete log problem is easy
> >
> > 4) The primes in RFC 5114 are not generated in a verifiable manner: it
> > is possible they are hidden SNFS primes.
> >
> > At minimum we should obsolete RFC 5114 in favor of primes generated in
> > a verifiable manner. The fact that there already were primes for IKE
> > use makes me wonder why this was even needed in the first place.
> >
> > Sincerely,
> > Watson
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
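The thread's remedy for primes of unknown provenance is generation "in a verifiable manner": derive the prime from a public seed so that anyone can re-run the procedure and confirm the generator had no freedom to search for a trapdoored (e.g. SNFS-friendly) modulus. The following Python is an added illustration, not code from the thread, RFC 5114 or any IETF document; the hashing scheme, the fixed 64-bit size and the seed string are constructed assumptions. It pairs the generator with the verifier and enforces the "first counter that yields a prime" rule, which is what stops a generator from quietly skipping ahead to a prime it prefers. A seed-based check like this cannot be applied to the RFC 5114 groups at all, because no seed was published for them, which is exactly the complaint raised above.

```python
"""Seeded ("verifiable") prime generation and its verification.

Constructed example: a prime is derived from a public seed by hashing, and
the verifier re-runs the same procedure. A generator who must publish the
seed and use the FIRST counter that yields a prime has no room to search
for a weak prime; the seed itself must be a fixed public string so that it
cannot be searched over either.
"""
import hashlib

# Miller-Rabin with these fixed bases is a deterministic primality test for
# every n below _MR_LIMIT (about 2^81), which covers the bit sizes used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_MR_LIMIT = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < _MR_LIMIT."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    assert n < _MR_LIMIT, "fixed base set is only proven deterministic below this bound"
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness of compositeness
    return True


def candidate(seed: bytes, counter: int, bits: int) -> int:
    """Derive an odd candidate of exactly `bits` bits from SHA-256(seed || counter)."""
    assert 8 <= bits <= 80, "keep candidates below _MR_LIMIT"
    h = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    x = int.from_bytes(h, "big") >> (256 - bits)      # keep the top `bits` bits
    return x | (1 << (bits - 1)) | 1                  # force bit length and oddness


def generate_verifiable_prime(seed: bytes, bits: int) -> tuple[int, int]:
    """Return (p, counter) where p is the candidate for the FIRST prime-yielding counter."""
    counter = 0
    while True:
        p = candidate(seed, counter, bits)
        if is_probable_prime(p):
            return p, counter
        counter += 1


def verify_verifiable_prime(seed: bytes, counter: int, bits: int, p: int) -> bool:
    """Re-derive p from (seed, counter) and enforce the first-hit rule.

    Rejects a p that does not come from the seed, a p that is composite, and
    a p whose counter was reached by skipping an earlier prime candidate.
    """
    if p != candidate(seed, counter, bits) or not is_probable_prime(p):
        return False
    return all(not is_probable_prime(candidate(seed, c, bits)) for c in range(counter))


if __name__ == "__main__":
    SEED = b"saag example seed 2016"   # constructed public seed; not from any RFC
    p, c = generate_verifiable_prime(SEED, 64)
    print(f"p = {p} (counter {c})")
    print("verifies as published:", verify_verifiable_prime(SEED, c, 64, p))
    print("tampered p rejected:  ", not verify_verifiable_prime(SEED, c, 64, p + 2))
```

The verifier does the same amount of work as the generator, which is the point: a third party can confirm the modulus with no trust in who published it. What this check does not do is prove the prime has no hidden structure; it only removes the generator's freedom to choose, so it must be combined with the usual structural checks (p prime, the subgroup order q prime, g of order q) that apply to any Diffie-Hellman group.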