IETF Logo Mail Archive

Re: [saag] Possible backdoor in RFC 5114

Tero Kivinen <kivinen@iki.fi> Fri, 07 October 2016 13:59 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ECA51295FC for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 06:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eUzKYHCtgFmG for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 06:59:47 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C1461295EB for <saag@ietf.org>; Fri, 7 Oct 2016 06:59:44 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u97DxW4d006174 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 7 Oct 2016 16:59:32 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u97DxWpO020729; Fri, 7 Oct 2016 16:59:32 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22519.43588.421250.807948@fireball.acr.fi>
Date: Fri, 07 Oct 2016 16:59:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 12 min
X-Total-Time: 11 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Onj21JeKIBgkmshV5m7b0VR03Pg>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 13:59:49 -0000

Stephen Farrell writes:
> 
> So I'm not seeing anyone so far argue to not
> deprecate these somehow.
> 
> We could just make 5114 historic as Yoav suggests,
> or, if someone writes an I-D to explain why, we
> could obsolete 5114. (Such an I-D would presumably
> also say something about codepoints that point at
> 5114 from other registries.)
> 
> Assuming nobody shows up saying these are in
> fact in widespread use I'd be supportive of us
> getting rid of cruft.

I think the NIST ECP groups are quite widely supported, and used.
RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521) and
3 MODP groups.

In IPsec, ECP groups are widely used, those MODP groups with subgroup
are not. On the other hand I think only those 192, 256 and 521 bit
groups are really used, and those are defined also in RFC5903 (which
obsoleted original 4753 which had serious bug in it).

> So, someone wanna volunteer to write an I-D that'd
> obsolete 5114? If so, say so here.

Or parts of it or something. 

> Or, if you want me to start the "mark it historic"
> process (which doesn't need an I-D), please say
> so here. (Note that even though this doesn't need
> an I-D the status-change does get an IETF last
> call.)

Marking NIST ECP groups as historic might be preferrable for some
people, but it might be good idea to wait before we have curve25519
etc published as rfc for all protocols that 5114 covers before we go
that far. In IPsec the curve25519 etc are now in the IESG, I do not
know what is the status for other protocls (X.509, TLS, SSH, SMIME). 

> Or, if you wanna argue that none of the above are
> right, then please do that.

I have no idea why we would want to mark the document as historic, or
obsolete it, especially as it does define things that are in use (ECP
groups).

It does not give any recommendations for using those groups, for
example in IPsec we do have separate documents which gives those
recommendations and for the 256-bit ECP we are saying SHOULD, and for
the MODP groups defined in the 5114 we are saying SHOULD NOT.

That is much better way to define the recommendations and how those
groups should or should not be used.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email