Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
John Mattsson <john.mattsson@ericsson.com> Wed, 19 October 2016 08:13 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D49512956F; Wed, 19 Oct 2016 01:13:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKAM4LKduZPO; Wed, 19 Oct 2016 01:13:15 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E88C129560; Wed, 19 Oct 2016 01:13:15 -0700 (PDT)
X-AuditID: c1b4fb3a-ab7ff7000000099a-62-58072b1920c0
Received: from ESESSHC014.ericsson.se (Unknown_Domain [153.88.183.60]) by (Symantec Mail Security) with SMTP id F9.C7.02458.91B27085; Wed, 19 Oct 2016 10:13:13 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.139]) by ESESSHC014.ericsson.se ([153.88.183.60]) with mapi id 14.03.0319.002; Wed, 19 Oct 2016 10:13:12 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduJ2W/sFWR35kmFUzWD99HoZqCvbiMA
Date: Wed, 19 Oct 2016 08:13:12 +0000
Message-ID: <D42CF6EE.53ACF%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com> <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
In-Reply-To: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.7.160722
x-originating-ip: [153.88.183.17]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A137A203D8A03D41AB08E5809FDF2D73@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDIsWRmVeSWpSXmKPExsUyM2K7ja6kNnuEQcdkNYv9W16wWWyczWix dOduVov3ty4xWUzp72SyWHrsA5MDm8fU86EeO2fdZfeYvK2R0WPJkp9MHt/nMQWwRnHZpKTm ZJalFunbJXBlHOxdwVbQJl2x8td69gbGNVJdjJwcEgImEk9+zWUFsYUE1jNKTHzD38XIBWQv YZSYMe0zC0iCTcBAYu6eBjYQW0RAV2LbmzvMIEXMAjsYJXYc+QFWJCxgL7HnejszRJGDxKel e9khbCOJORtOgzWzCKhK3Ox7D2RzcPAKmEvMXxAPsewQs8SbNR/A6jkFAiUWdW0Fm8koICbx /dQaJhCbWUBc4taT+UwQVwtILNlznhnCFpV4+fgf2AeiAnoSzz4/ZweZLyGgKLG8Xw7EZBbQ lFi/Sx/CtJbo3CcJMVBRYkr3Q7ClvAKCEidnPmGZwCg+C8muWQjNsxCaZyFpnoWkeQEj6ypG 0eLU4uLcdCMjvdSizOTi4vw8vbzUkk2MwDg9uOW31Q7Gg88dDzEKcDAq8fAqJLNFCLEmlhVX 5h5ilOBgVhLhFdZgjxDiTUmsrEotyo8vKs1JLT7EKM3BoiTOa7byfriQQHpiSWp2ampBahFM lomDU6qB0UahTeR+nV/9IXWu1UfyIhUfzu9Yx9T7Ni399UPTuPWvd26dld/uV7y5duK9Gc/c pf3ivu8WkhLYlLd+bwQv35Kt0b1+6cvErFoEXnY1F4iLCuZv/rt8a/E8qfWnGx7YJK26MWdv 9qfty9ML2z+2/4/nW9audrucgSGspcF8WvRD0y8/WIULlViKMxINtZiLihMBxn1E0M8CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XULPwP866xHm4GG9Lq5i9VPq6DQ>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 08:13:17 -0000
I have not read the paper in detail, but I agree with the high level conclusions. If it were not for quantum computers, I think IETF should move to curve25519 as quickly as possible. With quantum computers the picture is more complicated as ECC would anyway need to be replaced with PQC in the not to distant future. Cheers, John On 19/10/16 09:36, "n.mavrogiannopoulos@gmail.com on behalf of Nikos Mavrogiannopoulos" <n.mavrogiannopoulos@gmail.com on behalf of nmav@gnutls.org> wrote: >On Tue, Oct 18, 2016 at 8:46 PM, John Mattsson ><john.mattsson@ericsson.com> wrote: >> New paper “Measuring small subgroup attacks against Diffie-Hellman” >> https://eprint.iacr.org/2016/995.pdf >> “Cryptographic recommendations from standards committees are often too >> weak or vague” >> “However, the tangle of RFCs and standards attempting to define current >> best practices in key generation and parameter sizing do not paint a >>clear >> picture, and instead describe complex combinations of approaches and >> parameters, exposing the fragility of the cryptographic ecosystem. As a >> result, developers often forget or ignore edge cases, leaving many >> implementations of Diffie-Hellman too close to vulnerable" >> >> “As we show in this paper, finite-field based Diffie-Hellman has many >>edge >> cases that make its correct use difficult, and which occasionally arise >>as >> bugs at the protocol level.” >> >> “As a concrete recommendation, modern Diffie-Hellman implementations >> should prefer elliptic curve groups over safe curves with proper point >> validation.” > >I am not sure that the recommendations of this paper should be blindly >trusted. There are some inaccurate facts about a library I work on >[0], but a part of the abstract is also concerning: >"We examine over 20 open-source cryptographic libraries and >applications and observe that until January 2016, not a single one >validated subgroup orders by default." > >That's objectively accurate, but the authors do not attempt to find >out the actual issue behind it. Are all implementations bad, or there >are obstacles in doing that? I am aware that TLS client >implementations do not validate subgroup orders by default, because >the group information provided by TLS is not sufficient to validate >the subgroup order. It is simply impossible for them to do any >validation. > >regards, >Nikos > >[0]. >https://lists.gnupg.org/pipermail/gnutls-devel/2016-October/008198.html
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso