IETF Logo Mail Archive

Re: [saag] Possible backdoor in RFC 5114

Ben Laurie <ben@links.org> Wed, 29 March 2017 18:26 UTC

Return-Path: <benlaurie@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75DE912940F for <saag@ietfa.amsl.com>; Wed, 29 Mar 2017 11:26:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.701
X-Spam-Level:
X-Spam-Status: No, score=-1.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ke04Zl4sNdid for <saag@ietfa.amsl.com>; Wed, 29 Mar 2017 11:26:32 -0700 (PDT)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 226D1129455 for <saag@ietf.org>; Wed, 29 Mar 2017 11:26:27 -0700 (PDT)
Received: by mail-wr0-x22c.google.com with SMTP id w11so26324826wrc.3 for <saag@ietf.org>; Wed, 29 Mar 2017 11:26:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=0UQx1k0L6l+XjLJMU56zVqSL/lcQu8yDZOnIIcpIjSw=; b=WNS+sdlgIExxIF84yIN0ddVN33B99r6rLj+QdlePXqDxSzWN6lnRS7MlVQ6lZQyJ6o 8R1lnC2KduKjgvU5p0MilA58foq1p4TGF8HY7AX4hvZqi5SH9Se4XT2Aqj1eYHbeAmyH cShyP0J2SHw8b3ioVGNVKz3z6exfKXZ10rh0tgxBkPVS7cH0ZBgmKSiOSWU3ZtXz5s/5 lBkU1BaNZnpP62cMm519I/JmCM1f+qXmbPKSUklFcmlrm3enzevsrXENgFOTWq20pXxP V/YODuwZA+tkgTZiygPzCZ0xZrGX2upe9+FSyk0Ms0vQDR6QeP3AHZGWg6DD/dasOtB9 pTeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=0UQx1k0L6l+XjLJMU56zVqSL/lcQu8yDZOnIIcpIjSw=; b=Hwrvy6t6AwTgKhU9OeWGHx8ASer4ZQaR9HnqMSEKKvRqOxrmSgObI0VqBt6jf03LUU QBNZSSOM5a2ZJPRcIGZo9WrRy3TULzA/HjXFscgkWCQRImPI49gbG0+37TlbTR7T75gC Wwn4HBV3j4hG5W6GBAbE3j0RlQSzhN1sIZxb4PbBI/ErZIVgXDAnXUVYWwYH2bAjJNXz r0ZCR53YqEDYNJzBlPKB8RlP5Eqh7UHw+DEvJra4xzjTqU4lKSTp0siLVjuN8TMFOpfV 8TlwE7spz6lYgMQ2xIqa746P/ZT9fvakd3dDoQL9FrWjcPa4hAN/YDoO/KnyPidlxXSW q57Q==
X-Gm-Message-State: AFeK/H1P2J+eWz2DPU6N35Qww5qkcc6kDcTgmTdsWtcn5mHJcHGcRSPOvWEC18+8P7hTnm8dj47NhmJWO2/+fQ==
X-Received: by 10.28.66.211 with SMTP id k80mr1984889wmi.5.1490811985525; Wed, 29 Mar 2017 11:26:25 -0700 (PDT)
MIME-Version: 1.0
Sender: benlaurie@gmail.com
Received: by 10.28.166.208 with HTTP; Wed, 29 Mar 2017 11:26:24 -0700 (PDT)
In-Reply-To: <8B462FE6-E8CD-4E79-A15C-AE722CEF9C72@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com> <CABrd9SRXO684K04jk002VoLgTnbE0AJNG2kH-h7KCMn8Hi9VvQ@mail.gmail.com> <CACsn0c=-+ywD4Xp=SrRm_8_q71kGsb_CML5-2D+WHi0XC8AXoQ@mail.gmail.com> <CACsn0cnSiY7y80U05KsPtmZfjQ1sAuvQ=J3hfPpoSMSs7WaaMA@mail.gmail.com> <CACsn0cnn2L4SMq4uA34QRfym=Hmr9VRreBjZzB8Sj4-dfsoW5A@mail.gmail.com> <CABrd9SQH0zJu=Bz-2B61MXv3ENWce1NiFayMXUgseBYoJRB9Hw@mail.gmail.com> <8B462FE6-E8CD-4E79-A15C-AE722CEF9C72@gmail.com>
From: Ben Laurie <ben@links.org>
Date: Wed, 29 Mar 2017 19:26:24 +0100
X-Google-Sender-Auth: -7dbv9g7F9Uu1CEh6wTcsZKxA_M
Message-ID: <CAG5KPzwr-=2SbSYiKRqGq=k_NwitXYLAiSUMobV1XXAkunYWaA@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Ben Laurie <benl@google.com>, Security Area Advisory Group <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/R3MJV-86iD9P87rKhOLkPJDqBEI>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 18:26:34 -0000

On 29 March 2017 at 18:17, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
> On 29 Mar 2017, at 11:50, Ben Laurie <benl@google.com> wrote:
>
>
>
> On 22 March 2017 at 18:20, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>>
>>
>> On Mar 22, 2017 8:15 AM, "Ben Laurie" <benl@google.com> wrote:
>>
>>
>>
>> On 7 October 2016 at 16:56, Yoav Nir <ynir.ietf@gmail.com> wrote:
>>>
>>>
>>> > On 7 Oct 2016, at 16:59, Tero Kivinen <kivinen@iki.fi> wrote:
>>> >
>>> > Stephen Farrell writes:
>>> >>
>>> >> So I'm not seeing anyone so far argue to not
>>> >> deprecate these somehow.
>>> >>
>>> >> We could just make 5114 historic as Yoav suggests,
>>> >> or, if someone writes an I-D to explain why, we
>>> >> could obsolete 5114. (Such an I-D would presumably
>>> >> also say something about codepoints that point at
>>> >> 5114 from other registries.)
>>> >>
>>> >> Assuming nobody shows up saying these are in
>>> >> fact in widespread use I'd be supportive of us
>>> >> getting rid of cruft.
>>> >
>>> > I think the NIST ECP groups are quite widely supportd, and used.
>>> > RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521) and
>>> > 3 MODP groups.
>>> >
>>> > In IPsec, ECP groups are widely used, those MODP groups with subgroup
>>> > are not. On the other hand I think only those 192, 256 and 521 bit
>>> > groups are really used, and those are defined also in RFC5903 (which
>>> > obsoleted original 4753 which had serious bug in it).
>>>
>>>
>>> First, I think you meant 256, 384 and 521 bit, not the 192.
>>>
>>> Second, 5114 did not fix the bug in 4753. It just referenced 4753 for
>>> formatting. You know this better than I do, but I don’t think the IANA
>>> registry ever referenced 5114 for these ECP groups.
>>>
>>> So for the three useful groups in 5114 you didn’t need it (as 4753)
>>> already existed, and you don’t need it now, as 5903 exists. I don’t see
>>> anything standing in the way of moving to historic or obsoleting it.
>>
>>
>> Possibly I missed something here: why should we be any happier about 5903
>> than we are about 5114?
>>
>>
>> Can you prepare a backdoored elliptic curve that passes all acceptence
>> critera?
>
>
> No, but can the NSA?
>
>
> I don’t know, but we can speculate all day about what the NSA can or cannot
> do, including wandless magic or generally solving the DLP. We can only make
> decisions on the basis of what we know or can reasonably project.

But isn't that the point of nothing up my sleeve numbers? Which 5903
doesn't use...

v2.23.0 | Report a Bug | By Email