IETF Logo Mail Archive

Re: [saag] Possible backdoor in RFC 5114

Ben Laurie <benl@google.com> Thu, 30 March 2017 12:30 UTC

Return-Path: <benl@google.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E6F11294E4 for <saag@ietfa.amsl.com>; Thu, 30 Mar 2017 05:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQyQTeD9AG9s for <saag@ietfa.amsl.com>; Thu, 30 Mar 2017 05:30:19 -0700 (PDT)
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 843C5129692 for <saag@ietf.org>; Thu, 30 Mar 2017 05:30:19 -0700 (PDT)
Received: by mail-vk0-x22c.google.com with SMTP id z204so52069244vkd.1 for <saag@ietf.org>; Thu, 30 Mar 2017 05:30:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nPh6Yb++ajmfFol1eTM0SNg+vMDFKwRbitJp6WPX9dA=; b=QpFF7/CBJ19ck1RghQLUV96uUxb/pzjrNBttrRcogzmtYE6rG6h8v3TI7/kOcMtCKh X/IYwsce8V1wewFwiGc5pxB2E0ictvltn0L1i1mkKMCpMauTIe22f6QIObGOjex5dPI5 KNCObNqc2TLmYHMeNos7AXgwvn7i9J019J3xYVBqRgmjehBejOvAcwZ7G9N1WTbFUd4Y KxGS2gg0ctS8zP64Letg7bNkCfCPXRnLVCLtUEaII0u0oWFXQklYhIv2PoCX9GfeJJ7k ijU6at7rIkv+Evc9Eax7jch1m74duwkp7F2CoLzrx0FXrGfJsqgWJh+4+5DjsYfvdDli PJIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nPh6Yb++ajmfFol1eTM0SNg+vMDFKwRbitJp6WPX9dA=; b=sjOHMV9IgnDdvNeb7kUQBscdRWIhp+HJlT1DHSZx0R91Z6jHWXxIVi9BOENLSoJdcZ urE8Bwvm41HxJtp10Hmz3+Q6CqLaE3T9A2jWaiyLIbwNEOc2k1fQZoKGmCnXJqZ3y5YZ jZx4qgiqCOW2RKglDXkN7KWkfeU8HNz2QLNDLlYSc1m87h2hlNl5P3MecY0vZVmr+uVH EpMkVQjkbLHodiEsFWHUStVGBfAx6uggedp1QyMw/ntsQtEMi1/eM9aTGaygEzZ+CV3y EKjzSs8w771YesulAq+1RuuBnfd8dUcOvdVmdKJ9r2QgYOa95ha5TGjH8smXlVLJozby /zaA==
X-Gm-Message-State: AFeK/H0vX/A9U3iGiCrgoXONjEbQ9kkEdKnb7IFfu9Q+vuJObBGTUzSGEIEi4caC+7zzHJNHaLH22wOMS7AIOotY
X-Received: by 10.31.235.198 with SMTP id j189mr2658783vkh.75.1490877018353; Thu, 30 Mar 2017 05:30:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.110.201 with HTTP; Thu, 30 Mar 2017 05:30:17 -0700 (PDT)
In-Reply-To: <CACsn0c==PxBx_FLcih-i=OM=2U5HOhesPo87OeKURhuJXnZ6DQ@mail.gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com> <CABrd9SRXO684K04jk002VoLgTnbE0AJNG2kH-h7KCMn8Hi9VvQ@mail.gmail.com> <CACsn0c=-+ywD4Xp=SrRm_8_q71kGsb_CML5-2D+WHi0XC8AXoQ@mail.gmail.com> <CACsn0cnSiY7y80U05KsPtmZfjQ1sAuvQ=J3hfPpoSMSs7WaaMA@mail.gmail.com> <CACsn0cnn2L4SMq4uA34QRfym=Hmr9VRreBjZzB8Sj4-dfsoW5A@mail.gmail.com> <CABrd9SQH0zJu=Bz-2B61MXv3ENWce1NiFayMXUgseBYoJRB9Hw@mail.gmail.com> <8B462FE6-E8CD-4E79-A15C-AE722CEF9C72@gmail.com> <CAG5KPzwr-=2SbSYiKRqGq=k_NwitXYLAiSUMobV1XXAkunYWaA@mail.gmail.com> <CACsn0c==PxBx_FLcih-i=OM=2U5HOhesPo87OeKURhuJXnZ6DQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
Date: Thu, 30 Mar 2017 13:30:17 +0100
Message-ID: <CABrd9SSELwKV1-e-8gAk1=79Y_WBvQS4cV8LAZysvvsom-Lt7g@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Ben Laurie <ben@links.org>, Security Area Advisory Group <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="94eb2c0929c815a304054bf1db21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/AWyCgOy9cfLyK_eE78JtB9JMj3g>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 12:30:22 -0000

On 29 March 2017 at 22:52, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Wed, Mar 29, 2017 at 12:26 PM, Ben Laurie <ben@links.org> wrote:
> > On 29 March 2017 at 18:17, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >>
> >> On 29 Mar 2017, at 11:50, Ben Laurie <benl@google.com> wrote:
> >>
> >>
> >>
> >> On 22 March 2017 at 18:20, Watson Ladd <watsonbladd@gmail.com> wrote:
> >>>
> >>>
> >>>
> >>> On Mar 22, 2017 8:15 AM, "Ben Laurie" <benl@google.com> wrote:
> >>>
> >>>
> >>>
> >>> On 7 October 2016 at 16:56, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >>>>
> >>>>
> >>>> > On 7 Oct 2016, at 16:59, Tero Kivinen <kivinen@iki.fi> wrote:
> >>>> >
> >>>> > Stephen Farrell writes:
> >>>> >>
> >>>> >> So I'm not seeing anyone so far argue to not
> >>>> >> deprecate these somehow.
> >>>> >>
> >>>> >> We could just make 5114 historic as Yoav suggests,
> >>>> >> or, if someone writes an I-D to explain why, we
> >>>> >> could obsolete 5114. (Such an I-D would presumably
> >>>> >> also say something about codepoints that point at
> >>>> >> 5114 from other registries.)
> >>>> >>
> >>>> >> Assuming nobody shows up saying these are in
> >>>> >> fact in widespread use I'd be supportive of us
> >>>> >> getting rid of cruft.
> >>>> >
> >>>> > I think the NIST ECP groups are quite widely supportd, and used.
> >>>> > RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521)
> and
> >>>> > 3 MODP groups.
> >>>> >
> >>>> > In IPsec, ECP groups are widely used, those MODP groups with
> subgroup
> >>>> > are not. On the other hand I think only those 192, 256 and 521 bit
> >>>> > groups are really used, and those are defined also in RFC5903 (which
> >>>> > obsoleted original 4753 which had serious bug in it).
> >>>>
> >>>>
> >>>> First, I think you meant 256, 384 and 521 bit, not the 192.
> >>>>
> >>>> Second, 5114 did not fix the bug in 4753. It just referenced 4753 for
> >>>> formatting. You know this better than I do, but I don’t think the IANA
> >>>> registry ever referenced 5114 for these ECP groups.
> >>>>
> >>>> So for the three useful groups in 5114 you didn’t need it (as 4753)
> >>>> already existed, and you don’t need it now, as 5903 exists. I don’t
> see
> >>>> anything standing in the way of moving to historic or obsoleting it.
> >>>
> >>>
> >>> Possibly I missed something here: why should we be any happier about
> 5903
> >>> than we are about 5114?
> >>>
> >>>
> >>> Can you prepare a backdoored elliptic curve that passes all acceptence
> >>> critera?
> >>
> >>
> >> No, but can the NSA?
> >>
> >>
> >> I don’t know, but we can speculate all day about what the NSA can or
> cannot
> >> do, including wandless magic or generally solving the DLP. We can only
> make
> >> decisions on the basis of what we know or can reasonably project.
> >
> > But isn't that the point of nothing up my sleeve numbers? Which 5903
> > doesn't use...
>
> Ben:
> Do you understand the difference between an attack that has been
> demonstrated to be possible, and one that we have no idea how to do?
>

Indeed I do.


>
> I'm forced to assume not from the contents of the thread. Futhermore,
> the alternative is to go to the MODP groups which do not have this
> backdoor possibility if you really think the NSA is a few decades
> ahead in number theory.
>

Hasn't it been repeatedly demonstrated that the NSA is ahead?

What I'm saying is why should we trust parameters generated by an opaque
process by someone who has been shown to misbehave in the generation of
such parameters? Particularly if there's a way to generate appropriate
parameters that is not opaque? Perhaps I'm missing something (but I am not
missing that we don't currently know how to exploit the opaque process, I
get that)?


>
> Sincerely,
> Watson Ladd
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email