Re: [saag] Possible backdoor in RFC 5114

Ben Laurie <benl@google.com> Wed, 22 March 2017 15:15 UTC

Return-Path: <benl@google.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9FC129492 for <saag@ietfa.amsl.com>; Wed, 22 Mar 2017 08:15:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLgK3K79J9rI for <saag@ietfa.amsl.com>; Wed, 22 Mar 2017 08:14:58 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BD1E126C22 for <saag@ietf.org>; Wed, 22 Mar 2017 08:14:58 -0700 (PDT)
Received: by mail-vk0-x235.google.com with SMTP id d188so127307326vka.0 for <saag@ietf.org>; Wed, 22 Mar 2017 08:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hK530WMAATVpiLvlHWpo88SMDT8afx474dwh2Wn2BTk=; b=QSGm/Xr+HAEggd6tBKEgZSnLBdY9W/P5nsgupgWB6r0ewTHynWOwg9axoj1/mLJCNN Ub+emhthy8phjL0sUtsJ3jq6Zr8xjv41wdpm0HmqyOOnxYzRDC6PtFVomvTqTNlyn/H3 1roK7rSPFvLZFRhRwFy3ulG7gckYTNiumxD/FTyQOi2ajWkHQUD7gY4Etpjsmocr72ks QnFEkQ+XXnCViR1582koAmbHfFxIBXtAoNDg2w6/ilcxcohKSTUaNEkD5lEOVf/tcLjo zZ4WNk+tAvLtY6aK50hx1SeH6C659+7soXzOsFn13wHmAv1oGL8gAtPD588D9BcC57dw Gorg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hK530WMAATVpiLvlHWpo88SMDT8afx474dwh2Wn2BTk=; b=f0I1qyLQvS6pPm79VwMfh7YWVdksEw+6kUbNo1r2+CpoYF4D2lvScJj921GbcuUF4L qtwcS8toskT8+/AZtVCH9qK1SsMXbNch26jzO7N4XGQZjXniaH4nxasq3Rqv/pEPlLJ0 9L0SZrUkQFqU78jcsDMGDLpFmMwHlAryVTiD1uM3c+8FsN+1bD1AOnqp4of0zbiOALPU 6KZWnVnV0WpkZubBwaB1UkR6EAltwebb+jaVHzimARPTLRIPXjSGb0o313cGjXqMAd9B CpFGt0cIfY2BEqqtf/79ig0FoNUSX7nHfonKHZI4YLn+yhZxKl0nbanPbeDaSVa86qYC N8ug==
X-Gm-Message-State: AFeK/H0WCMroTngnb7bLd/ZX54PTLX5I7I1lcSYbDTmaZ4BeXM6s0z/2Rfdeg7+zge6vzeNbPJAxKVSjE7UH1Qop
X-Received: by 10.31.110.138 with SMTP id j132mr13237788vkc.103.1490195697311; Wed, 22 Mar 2017 08:14:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.174.73 with HTTP; Wed, 22 Mar 2017 08:14:56 -0700 (PDT)
In-Reply-To: <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com>
From: Ben Laurie <benl@google.com>
Date: Wed, 22 Mar 2017 15:14:56 +0000
Message-ID: <CABrd9SRXO684K04jk002VoLgTnbE0AJNG2kH-h7KCMn8Hi9VvQ@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Tero Kivinen <kivinen@iki.fi>, Security Area Advisory Group <saag@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c14a23a2f8354054b533901"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FndeQPp8zqHThOoimgu4006F9hg>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 15:15:00 -0000

On 7 October 2016 at 16:56, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> > On 7 Oct 2016, at 16:59, Tero Kivinen <kivinen@iki.fi> wrote:
> >
> > Stephen Farrell writes:
> >>
> >> So I'm not seeing anyone so far argue to not
> >> deprecate these somehow.
> >>
> >> We could just make 5114 historic as Yoav suggests,
> >> or, if someone writes an I-D to explain why, we
> >> could obsolete 5114. (Such an I-D would presumably
> >> also say something about codepoints that point at
> >> 5114 from other registries.)
> >>
> >> Assuming nobody shows up saying these are in
> >> fact in widespread use I'd be supportive of us
> >> getting rid of cruft.
> >
> > I think the NIST ECP groups are quite widely supportd, and used.
> > RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521) and
> > 3 MODP groups.
> >
> > In IPsec, ECP groups are widely used, those MODP groups with subgroup
> > are not. On the other hand I think only those 192, 256 and 521 bit
> > groups are really used, and those are defined also in RFC5903 (which
> > obsoleted original 4753 which had serious bug in it).
>
>
> First, I think you meant 256, 384 and 521 bit, not the 192.
>
> Second, 5114 did not fix the bug in 4753. It just referenced 4753 for
> formatting. You know this better than I do, but I don’t think the IANA
> registry ever referenced 5114 for these ECP groups.
>
> So for the three useful groups in 5114 you didn’t need it (as 4753)
> already existed, and you don’t need it now, as 5903 exists. I don’t see
> anything standing in the way of moving to historic or obsoleting it.
>

Possibly I missed something here: why should we be any happier about 5903
than we are about 5114?