[saag] Provenance of Diffie-Hellman groups in RFC 5114

Tim Polk <wtpolk@gmail.com> Fri, 04 November 2016 15:11 UTC

Return-Path: <wtpolk@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 040E8129470 for <saag@ietfa.amsl.com>; Fri, 4 Nov 2016 08:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-uvgTToeJgu for <saag@ietfa.amsl.com>; Fri, 4 Nov 2016 08:11:31 -0700 (PDT)
Received: from mail-yb0-x22c.google.com (mail-yb0-x22c.google.com [IPv6:2607:f8b0:4002:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48FEC1288B8 for <Saag@ietf.org>; Fri, 4 Nov 2016 08:11:28 -0700 (PDT)
Received: by mail-yb0-x22c.google.com with SMTP id v78so32471081ybe.3 for <Saag@ietf.org>; Fri, 04 Nov 2016 08:11:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=gff6EouO/3wks0nEgBsPUPYLCQhVbE63vKnrpAnCNcw=; b=NdN4KSzH/XUNzDA1f0O+UKBpclBAf5VkgT2MfW1tAiF7NLk52TdjfVZGyOuSQNWImA wQtopFV0jyUcEPhus3MSOAbtARmH1lWFa7j5emfNZuA0vIeiW0C7MFf6myp91YsvGA90 ryOaI8gTgjBmyT10BHjmDUkJnjFR6cac0jCQRGOlhFOluWBAcfCiihH6sS3bnWrhJWhi kYTcalVyiS949906ezuiOdiwI8zPFyH6GQ81ffLI3sKxM4akH+MZlpYEZcHqT5QJFfQJ KsOSLaqgOxBh4reUol74FlOPSJOW5CDuUPZXA7rX7vct0L/k0etWDMHTNyWUsPnRNMGb iJNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=gff6EouO/3wks0nEgBsPUPYLCQhVbE63vKnrpAnCNcw=; b=UL3YLGIx3cGbeSzAFEENczuiOYjc25/ZREGIn/9lLL9sOXjWqiF8YvMAew/ajwKD7j z04Fz4KX5XvRzuf7tn5RWj/eC2gUMmwXL/PiWNApu+Q/juiaBmXRLFSsimVQ38OF61FJ rfdX02APWVSu9h7AHUzwm5zaRa/xHy+LavYUq85STVS8tRbhXbvcOvIeUWVZFYSsVPQh A3vBE56egCgvkctn6J6+R2d5infGQCzFWbqJjxMpN3MTm+tjbX3es77kquDirrGlGhYQ 99LBde4PEQukirfHEU7eg7QhUgPOGYHOI4VLZc8uOvN/nVrZAh8RHZg1dk4gQ1lKv+6c x+IQ==
X-Gm-Message-State: ABUngveYbjCv+jdSxs3Jc2kCZTjCi8RMng4c6Tk60GGFCPMKV1iPSe/pRkwgs0Sac3qHj0qzq0Hgq/xp3xbE3g==
X-Received: by 10.36.103.201 with SMTP id u192mr2116621itc.3.1478272287276; Fri, 04 Nov 2016 08:11:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.115.90 with HTTP; Fri, 4 Nov 2016 08:11:26 -0700 (PDT)
From: Tim Polk <wtpolk@gmail.com>
Date: Fri, 4 Nov 2016 11:11:26 -0400
Message-ID: <CAKMm44MyJyFjB-gtjhBNCvMwqRaHjMjj+YhAPC2Gpz5rdSvMug@mail.gmail.com>
To: Saag@ietf.org
Content-Type: multipart/alternative; boundary=001a114aa5469081bb05407b16d2
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/JTpnLmF7EpyWQlA_VVo0eyvF6ZQ>
X-Mailman-Approved-At: Tue, 08 Nov 2016 08:20:04 -0800
Subject: [saag] Provenance of Diffie-Hellman groups in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2016 15:15:00 -0000

Folks,

The three Diffie-Hellman groups included in RFC 5114 were originally used
by NIST to create test vectors to validate implementations, nothing more,
and certainly not as a recommendation for people to use or adopt them
operationally.

    We were not at that time concerned about trap doors in test vectors
since we did not expect operational use of these groups.  For operational
use, traceability of generation is an important best practice.  After some
searching through our records and old source files, NIST cannot determine
specifically how these Diffie-Hellman domain parameters were generated,
although we think that they were generated internally at NIST.

    NIST sees no need to standardize or recommend these specific
Diffie-Hellman groups for any use other than testing.  We believe it is
important that the provenance of any critical domain parameters recommended
or required by a standard be fully explained.  Therefore it would be
appropriate for the IETF to remove or deprecate any inclusion of these
groups in an RFC.

    One final note: We suspect that these groups were included to provide
an option consistent with NIST SP 800-56A and simplify validation under
NIST's Cryptographic Module Validation Program.  However, NIST has accepted
other Diffie-Hellman groups, including several groups specified in IKE and
TLS, programmatically for some time.  Further,  an upcoming revision of
NIST SP 800-56A will formally approve the commonly-used groups specified in
IETF RFCs.  Vendors that wish to comply with IETF standards and validate
their module under CMVP can do so with the usual IETF groups.

Thanks,

Tim Polk