IETF Logo Mail Archive

Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

Paul Wouters <paul@nohats.ca> Mon, 10 October 2016 15:33 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81D5B12971B; Mon, 10 Oct 2016 08:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level:
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ugvnpKkDGOT; Mon, 10 Oct 2016 08:33:32 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F88D129715; Mon, 10 Oct 2016 08:33:32 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3st40B2Tgbz1HJ; Mon, 10 Oct 2016 17:33:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476113610; bh=GyymlYO9vWhfnP2Bu0V2eC91dSAQdNsi3P89VFu+Gf0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=CYdW3peqO7BzwTq+tB9TyZgJ8zT0cpHoym9GPtRA4PbffKEbUCn+4jkGhOHEhbO5D S0lR96mU6113QMPXpBQw+2IaUOBXVt1NZ2dR8vP/q4rkZOxj/DGzOFGlY9ske3mthq MMxlsoTN0WAKqcWNIpA2LafQnv/jAtV2672y07Po=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id x8nnBCBaOUxx; Mon, 10 Oct 2016 17:33:29 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 10 Oct 2016 17:33:29 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 98E4019C338; Mon, 10 Oct 2016 11:33:26 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 98E4019C338
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 90ACA40D3581; Mon, 10 Oct 2016 11:33:26 -0400 (EDT)
Date: Mon, 10 Oct 2016 11:33:26 -0400
From: Paul Wouters <paul@nohats.ca>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
In-Reply-To: <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
Message-ID: <alpine.LRH.2.20.1610101127570.8682@bofh.nohats.ca>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/aUDSn2GXIU_Vb8DJEO3OFQeS2CA>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 15:33:34 -0000

On Mon, 10 Oct 2016, Dang, Quynh (Fed) wrote:

> A conclusion of the paper was "Our results are yet another reminder that 1024-bit primes should be considered insecure for the security of cryptosystems based on the hardness of discrete
> logarithms. The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this
> type has always been to use key sizes for which any computation is infeasible. NIST recommended transitioning away from 1024-bit key sizes for DSA, RSA, and Diffie-Hellman in 2010 [6]."
> 
> NIST has been urging users to move away from groups with 1024- bit p and 160-bit q  for many years now. 

Sure.

> In our document, we stated that group generators "should" provide their seeds. The reason for having "should" instead of "shall (must)" was that anyone could run our suggested method to
> generate their own group. A user who generates his/her own group for her/his own application could have a choice of publishing the seed or not.  If a user had a contractor/third party to
> generate a group for him/her, he or she could ask for all documentation about the whole process. 

But why should I trust the RFC-5114 2048-bit MODP Group with 256-bit
Prime Order Subgroup? The problem of not knowing the seed remains the
same. We just think the NSA does not have a mathemathical advantage over
academia, but that's still a big unknown.

And for IKE, you cannot just generate your own groups.

Paul

v2.23.0 | Report a Bug | By Email