IETF Logo Mail Archive

Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

John Mattsson <john.mattsson@ericsson.com> Tue, 18 October 2016 18:47 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261CB12970F; Tue, 18 Oct 2016 11:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ow-3dArfaL1A; Tue, 18 Oct 2016 11:47:16 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35C01294A4; Tue, 18 Oct 2016 11:47:15 -0700 (PDT)
X-AuditID: c1b4fb25-15fff7000000793b-2e-58066e310a27
Received: from ESESSHC016.ericsson.se (Unknown_Domain [153.88.183.66]) by (Symantec Mail Security) with SMTP id EA.EF.31035.13E66085; Tue, 18 Oct 2016 20:47:14 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.139]) by ESESSHC016.ericsson.se ([153.88.183.66]) with mapi id 14.03.0319.002; Tue, 18 Oct 2016 20:46:30 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: Stephen Kent <kent@bbn.com>, Paul Wouters <paul@nohats.ca>, Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] [saag] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKU6CHJtC8inrDUW+5swoRbNe7qCujeeA
Date: Tue, 18 Oct 2016 18:46:29 +0000
Message-ID: <D42C37F3.53A00%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com>
In-Reply-To: <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.7.160722
x-originating-ip: [153.88.183.150]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D04BB7592A8F6B48B008A2FAABD19266@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsUyM2K7k65RHluEQedscYv9W16wWWyczWjx /tYlJosp/Z1MFkuPfWByYPWYej7UY+esu+weS5b8ZPL4Po8pgCWKyyYlNSezLLVI3y6BK+No 81X2gmlKFTvbchsYlyh2MXJySAiYSPTuPMvWxcjFISSwnlHixoxdjBDOEkaJyYeWsYBUsQkY SMzd08AGYosIJEicunCEGcRmFoiQmHV0DyOILSxgL/Hy2wyoGgeJSbMOskLYRhIbNn0Fs1kE VCWOXDgAZvMKmEss6VjCBLHsLJPE4ksrwZo5Bawl9iw/CraYUUBM4vupNUwQy8Qlbj2ZzwRx toDEkj3nmSFsUYmXj/+BDRUV0JN49vk5O0RcSWLF9ktAx3EA9WpKrN+lDzHGWmJdxw2o+xUl pnQ/ZIe4R1Di5MwnLBMYxWch2TYLoXsWku5ZSLpnIelewMi6ilG0OLU4KTfdyFgvtSgzubg4 P08vL7VkEyMwMg9u+a26g/HyG8dDjAIcjEo8vArJbBFCrIllxZW5hxglOJiVRHhvpQGFeFMS K6tSi/Lji0pzUosPMUpzsCiJ85qtvB8uJJCeWJKanZpakFoEk2Xi4JRqYAw76i2TnjH9XdrK ucrHpfYsuDjjeeTEgOMqFxZt6/YqTanc+PWy4ibmmPsT7C7qxt5pqK8T+ZbH0TH76LNrvo75 jwU7l12Ov7unJ+uopMziuXfM2FUyuK3MNgU8/Jdc9uH1B9ZO+WszU4P1rCPrk2d6q1sYsp1e 9LV2340bXXFl259uTp5YNl2JpTgj0VCLuag4EQCi4DoqyAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HUnpZB1HD7MXtQdP50O1MqoOxtg>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 18:47:18 -0000

New paper “Measuring small subgroup attacks against Diffie-Hellman”

https://eprint.iacr.org/2016/995.pdf


“Cryptographic recommendations from standards committees are often too
weak or vague”

“However, the tangle of RFCs and standards attempting to define current
best practices in key generation and parameter sizing do not paint a clear
picture, and instead describe complex combinations of approaches and
parameters, exposing the fragility of the cryptographic ecosystem. As a
result, developers often forget or ignore edge cases, leaving many
implementations of Diffie-Hellman too close to vulnerable"

“As we show in this paper, finite-field based Diffie-Hellman has many edge
cases that make its correct use difficult, and which occasionally arise as
bugs at the protocol level.”

“As a concrete recommendation, modern Diffie-Hellman implementations
should prefer elliptic curve groups over safe curves with proper point
validation.”

/John


On 18/10/16 16:47, "IPsec on behalf of Stephen Kent"
<ipsec-bounces@ietf.org on behalf of kent@bbn.com> wrote:

>Paul,
>
>It's  been over 8 years since this RFC was published, and I have not
>looked at it since then. My recollection is that we wrote 5114 because
>an IPsec developer approached me and said that he wanted to support
>these groups in a product. He said that he wanted test vectors for the
>groups, consistent with what we have done for many other algs. I
>persuaded Matt to generate the RFC because it was a relatively easy task
>a good way for Matt to get acquainted with the RFC process.
>
>As to your question, I have no info about how the NIST DH values were
>generated. However, I do agree with Yoav and Tero that it seems unduly
>prejudicial to declare these to be a MUST NOT. The fact that one can
>generate trap-doored DH values that cannot be detected is not the same
>as having proof that a given set of values have been generated in that
>fashion. Moreover, if one interprets a MUST NOT in this context to mean
>that an implementation supporting any of these groups is non-compliant,
>then that unfairly penalizes existing implementations, as Tero noted.
>Moreover, if the concern raised by the paper (which I have read) is with
>MODP groups of size 1024 (or smaller), only 1 of the groups in 5114 fits
>that criteria (section 2.1).
>
>I have not tracked the status of these NIST groups re evaluation
>criteria like FIPS 140-2. If these groups are approved for use in
>products evaluated under that FIPS (I don't know if they are),
>deprecating them creates a possible conundrum for vendors who want to
>comply with RFCs and with FIPS evaluation criteria. Thus I suggest a
>less dramatic response than declaring all of the groups in 5114 to be
>MUST NOT.
>
>I'm not a vendor of any crypto products (these days), and I've never
>been a crypto mathematician. So my views are based only on what I recall
>about the creation of 5114 and about IETF crytpo standards practices in
>general.
>
>Steve
>
>_______________________________________________
>IPsec mailing list
>IPsec@ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email