Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Mon, 10 October 2016 13:18 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCBEC129695; Mon, 10 Oct 2016 06:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8_2Uu8QZIGO; Mon, 10 Oct 2016 06:18:01 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0121.outbound.protection.outlook.com [23.103.200.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0DE1129691; Mon, 10 Oct 2016 06:18:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=baB4jZYdUmXlF5QI+qELhIG8honQOMHPTpXF/p4G94U=; b=0RtdCqB0gVpPD3jh14TDibwkBoU+KgzMBLlmQKmchASq9f5i/zwD2Ktr1If3qykfiQ6IbeeHwbJP0awfoPFtBkV3QtpeeMNxbVNaTuMWlCnb48vlYBnb2p3ppEOSOzfLbFUK3+ZeBYgKYTAAyeb8VWr5YkdzEc8Nd6TMY9G9Gi4=
Received: from DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) by DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Mon, 10 Oct 2016 13:18:00 +0000
Received: from DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) by DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) with mapi id 15.01.0659.020; Mon, 10 Oct 2016 13:18:00 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "paul@nohats.ca" <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSInPJr2kIoqyUikWZMRu8WhAVkaChpsd0
Date: Mon, 10 Oct 2016 13:18:00 +0000
Message-ID: <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.222.157]
x-ms-office365-filtering-correlation-id: d0e508ed-f092-4dff-1977-08d3f10fdbdc
x-microsoft-exchange-diagnostics: 1; DM5PR09MB1467; 7:fSMgSVHOD2TeoAHiPWDYR9T1R20Y+ObI3kHbSPpZSVdqaNbpnqdJ2gfPWAuWie/FZSo1Q1AOXMbT4Rx1TBbyI5U6RF/q9v18tD7IlnOrFekRNkg0boOxoVg7GSgy3c6VZBdsGiCO6KMp+UiJlU0m28KV2/4+VfdFewQRzPqoDntgSaumeSDqLo7qqQzesPX+ipXS4GXyuayJ1WRkF7C9eR3y5Wx1GjiTIIlJNiz7i3RV/N3WeLEOxAqZ1NAyvRnuwS8RDoqfJmL6yAC2zBWhay8lFwU8WuW1J6+4EEdMhuuK8ANR1RrsFIhgh+L32+bmqy1gKi8td6IBmVWMpdrk8V4B+Irl7U87t5VRh+U9xak=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR09MB1467;
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-microsoft-antispam-prvs: <DM5PR09MB146760058C7BA4F0695889CFF3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:DM5PR09MB1467; BCL:0; PCL:0; RULEID:; SRVR:DM5PR09MB1467;
x-forefront-prvs: 0091C8F1EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(199003)(189002)(377454003)(33656002)(77096005)(2501003)(8676002)(9686002)(16236675004)(2900100001)(15975445007)(101416001)(50986999)(54356999)(99286002)(81166006)(81156014)(189998001)(4326007)(19627405001)(76176999)(106116001)(97736004)(19625215002)(105586002)(106356001)(5001770100001)(74316002)(3900700001)(8936002)(87936001)(7736002)(2906002)(7846002)(10400500002)(7906003)(3660700001)(16297215004)(5002640100001)(19580395003)(68736007)(19580405001)(2950100002)(6116002)(3280700002)(6606003)(586003)(5660300001)(345774005)(86362001)(3846002)(76576001)(92566002)(11100500001)(19617315012)(66066001)(7696004)(102836003)(122556002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR09MB1467; H:DM5PR09MB1467.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR09MB146726177114D0FD30F871C2F3DB0DM5PR09MB1467namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2016 13:18:00.1217 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR09MB1467
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/92M9ZFScRpFw9ZvAp3Ydwuxd398>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 13:18:05 -0000

Hi Paul,


Thank you for sharing the paper.


A conclusion of the paper was "Our results are yet another reminder that 1024-bit primes should be considered insecure for the security of cryptosystems based on the hardness of discrete logarithms. The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible. NIST recommended transitioning away from 1024-bit key sizes for DSA, RSA, and Diffie-Hellman in 2010 [6]."


NIST has been urging users to move away from groups with 1024- bit p and 160-bit q  for many years now.


In our document, we stated that group generators "should" provide their seeds. The reason for having "should" instead of "shall (must)" was that anyone could run our suggested method to generate their own group. A user who generates his/her own group for her/his own application could have a choice of publishing the seed or not.  If a user had a contractor/third party to generate a group for him/her, he or she could ask for all documentation about the whole process.


Quynh.


________________________________
From: IPsec <ipsec-bounces@ietf.org> on behalf of Paul Wouters <paul@nohats.ca>
Sent: Sunday, October 9, 2016 5:26 PM
To: ipsec@ietf.org WG
Cc: saag@ietf.org
Subject: [IPsec] trapdoor'ed DH (and RFC-5114 again)


Released a few days ago:

         http://eprint.iacr.org/2016/961

         A kilobit hidden SNFS discrete logarithm computation
         Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé

         We perform a special number field sieve discrete logarithm
         computation in a 1024-bit prime field. To our knowledge, this
         is the first kilobit-sized discrete logarithm computation ever
         reported for prime fields. This computation took a little over
         two months of calendar time on an academic cluster using the
         open-source CADO-NFS software.

Basically, this paper shows how to make a DH group of 1024 modp
with a backdoor, in two months of academic computing resources,

The paper mentions 5114 a few times:

         RFC 5114 [33] specifies a number of groups for use with
         Diffie-Hellman, and states that the parameters were drawn
         from NIST test data, but neither the NIST test data [39] nor
         RFC 5114 itself contain the seeds used to generate the finite
         field parameters

And concludes:

         Both from this perspective, and from our more modern one, dismissing the
         risk of trapdoored primes in real usage appears to have been a mistake,
         as the apparent difficulties encountered by the trapdoor designer in 1992
         turn out to be easily circumvented. A more conservative design decision
         for FIPS 186 would have required mandatory seed publication instead of
         making it optional.  As a result, there are opaque, standardized 1024-bit
         and 2048-bit primes in wide use today that cannot be properly verified.

This is the strongest statement yet that I've seen to not trust any
of the RFC-5114 groups.

The latest 4307bis document has these groups (22-24) as SHOULD NOT,
stating:

         Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
         2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
         have small subgroups, which means that checks specified in the
         "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
         2.2 first bullet point MUST be done when these groups are used.
         These groups are also not safe-primes.  The seeds for these groups
         have not been publicly released, resulting in reduced trust in
         these groups.  These groups were proposed as alternatives for
         group 2 and 14 but never saw wide deployment.  It is expected
         in the near future to be further downgraded to MUST NOT.

I'm proposing it is time to change this to MUST NOT for 4307bis.

Possibly, we should do this via SAAG in general, and then follow SAAG's
advise in IPSECME.

Is there _any_ reason why group 22-24 should not be MUST NOT ?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec