Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Tero Kivinen <kivinen@iki.fi> Tue, 18 October 2016 10:33 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8AC1295F0; Tue, 18 Oct 2016 03:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 995m5imHtauK; Tue, 18 Oct 2016 03:33:35 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 806B9129421; Tue, 18 Oct 2016 03:33:35 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9IAXTj8010256 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 18 Oct 2016 13:33:29 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9IAXSoR020344; Tue, 18 Oct 2016 13:33:28 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <22533.64120.595277.953942@fireball.acr.fi>
Date: Tue, 18 Oct 2016 13:33:28 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 34 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/a7DZ8XQEnU2WKtcIMusHn5Fhcqg>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 10:33:37 -0000
Yoav Nir writes: > I’m not entirely comfortable with calling something a MUST NOT when all we > have is conjecture, but I have no love and no need of those DH groups. Same here, and it also makes it so that we cannot say our implementation is conforming rfc4307bis, even when we do already have support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to implement algorithms in the new document, but we do also have code to propose the RFC5114 MODP groups, if user configures them to be used. Changing that is of course is very easy to do in implementation, but before this is deployed etc will take some time, and there is change, that some customer has explictly configure RFC5114 2048-bit MODP group in use, and by removing that we suddenly break their existing configuration. It is always annoying to explain to customer why we explictly broke their existing configurations unless there is real security reason for it. Looking that the paper, this only applies to the 1024-bit MODP group in RFC5114, even the paper says that 2048-bit MODP groups are safe, even if they would have same backdoor. We are already downgrading normal 1024-bit MODP group to SHOULD NOT, and this would make it two reasons to make RFC5114 1024-bit MODP group to SHOULD NOT (too short, and might be backdoored), so perhaps the compromize can be to make RFC5114 1024-bit MODP group number 22 to MUST NOT, and keep the groups 23-24 as SHOULD NOTs. Anyways we need to modify the rfc4307bis text and add reference to this paper, as one more reason why groups 22-24 MUST NOT/SHOULD NOT be used. > I don’t believe anyone else depends on these groups (at least in > IPsec), so I’m fine with such a change. I do not think people depend on them, but I assume there is quite a lot of implementations there that can be configured to use them if explictly asked, thus making them MUST NOT will make it so that those implementations will not be conforming rfc4307bis. -- kivinen@iki.fi
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso