Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
John Mattsson <john.mattsson@ericsson.com> Mon, 17 October 2016 15:30 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DCD812952C; Mon, 17 Oct 2016 08:30:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTFqmvSoCI_r; Mon, 17 Oct 2016 08:30:53 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B835129864; Mon, 17 Oct 2016 08:30:53 -0700 (PDT)
X-AuditID: c1b4fb2d-5b107980000009f7-ac-5804eeabc8de
Received: from ESESSHC003.ericsson.se (Unknown_Domain [153.88.183.27]) by (Symantec Mail Security) with SMTP id B3.A2.02551.BAEE4085; Mon, 17 Oct 2016 17:30:51 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.139]) by ESESSHC003.ericsson.se ([153.88.183.27]) with mapi id 14.03.0319.002; Mon, 17 Oct 2016 17:30:50 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSInPGicgFRx0r+0aIJTg4zs5+RKCs0pWA
Date: Mon, 17 Oct 2016 15:30:49 +0000
Message-ID: <D42AB86C.538C3%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.7.160722
x-originating-ip: [153.88.183.154]
Content-Type: text/plain; charset="utf-8"
Content-ID: <FABFC11E8512D9438EED1C095A608DEC@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrEIsWRmVeSWpSXmKPExsUyM2K7tO7qdywRBncmKVjs3/KCzeL9rUtM FlP6O5kcmD2WLPnJ5PF9HlMAUxSXTUpqTmZZapG+XQJXRvu/x0wFGxQqDnetZ25gPCLfxcjJ ISFgIrH8w37WLkYuDiGB9YwSn+f9hnKWMEosPXmRHaSKTcBAYu6eBjYQW0TAXWLXjw5GEJtZ QFni7Z8nTCC2sICFRNf01ywQNZYSE+5tA4pzANlGEj2PxEHCLAKqEvc/fmEGsXkFzCV+dHwG Gy8kYC/xoW0RmM0p4CCx7dx6sBpGATGJ76fWMEGsEpe49WQ+E8TRAhJL9pxnhrBFJV4+/scK YosK6Ek8+/ycHSKuJLHo9mewE5gFNCXW79KHGGMtceD6VjYIW1FiSvdDdohzBCVOznzCMoFR fBaSbbMQumch6Z6FpHsWku4FjKyrGEWLU4uLc9ONjPVSizKTi4vz8/TyUks2MQJj7uCW37o7 GFe/djzEKMDBqMTDm3CTJUKINbGsuDL3EKMEB7OSCO/l+0Ah3pTEyqrUovz4otKc1OJDjNIc LErivGYr74cLCaQnlqRmp6YWpBbBZJk4OKUaGNdWH1oaWSx3f/5fQ8vFpV2FewM3Tr9r6clT 37b+uvyVP2XqPzVm7C26FPSkh0NwZ/Srt2EZ4ipXU+JO+QV3Rl8ucTAVT3leP/lum8TaiNAd UzMbVn5LuX77jrDDdjvd/KU/LqZ2zdxv3p8/6+jNGf8XP10jO+cK/yy//SoHD1hMDw6dvKr4 b5MSS3FGoqEWc1FxIgCbIIDltQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MViPmOkMbO2vNvofDRc9_kIlohk>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 15:30:55 -0000
> I'm proposing it is time to change this to MUST NOT for 4307bis. +1 On 09/10/16 23:26, "IPsec on behalf of Paul Wouters" <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote: > >Released a few days ago: > > http://eprint.iacr.org/2016/961 > > A kilobit hidden SNFS discrete logarithm computation > Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé > > We perform a special number field sieve discrete logarithm > computation in a 1024-bit prime field. To our knowledge, this > is the first kilobit-sized discrete logarithm computation ever > reported for prime fields. This computation took a little over > two months of calendar time on an academic cluster using the > open-source CADO-NFS software. > >Basically, this paper shows how to make a DH group of 1024 modp >with a backdoor, in two months of academic computing resources, > >The paper mentions 5114 a few times: > > RFC 5114 [33] specifies a number of groups for use with > Diffie-Hellman, and states that the parameters were drawn > from NIST test data, but neither the NIST test data [39] nor > RFC 5114 itself contain the seeds used to generate the finite > field parameters > >And concludes: > > Both from this perspective, and from our more modern one, dismissing the > risk of trapdoored primes in real usage appears to have been a mistake, > as the apparent difficulties encountered by the trapdoor designer in >1992 > turn out to be easily circumvented. A more conservative design decision > for FIPS 186 would have required mandatory seed publication instead of > making it optional. As a result, there are opaque, standardized >1024-bit > and 2048-bit primes in wide use today that cannot be properly verified. > >This is the strongest statement yet that I've seen to not trust any >of the RFC-5114 groups. > >The latest 4307bis document has these groups (22-24) as SHOULD NOT, >stating: > > Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and > 2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup > have small subgroups, which means that checks specified in the > "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section > 2.2 first bullet point MUST be done when these groups are used. > These groups are also not safe-primes. The seeds for these groups > have not been publicly released, resulting in reduced trust in > these groups. These groups were proposed as alternatives for > group 2 and 14 but never saw wide deployment. It is expected > in the near future to be further downgraded to MUST NOT. > >I'm proposing it is time to change this to MUST NOT for 4307bis. > >Possibly, we should do this via SAAG in general, and then follow SAAG's >advise in IPSECME. > >Is there _any_ reason why group 22-24 should not be MUST NOT ? > >Paul > >_______________________________________________ >IPsec mailing list >IPsec@ietf.org >https://www.ietf.org/mailman/listinfo/ipsec
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso