IETF Logo Mail Archive

Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

Daniel Migault <daniel.migault@ericsson.com> Mon, 17 October 2016 15:54 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5491129883; Mon, 17 Oct 2016 08:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTQz8u1tWcWj; Mon, 17 Oct 2016 08:54:22 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 458551295B1; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id 4so54784434itv.0; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=Bx+jnFlyv0UcWaM+gvr0EJz2/Lj1YXNvbmQyVeCBvaAYtp/670lWYKNoHs/IkdMzVR ZBU4OzZJOPWkGUBKRy8uqgPzyEk+OXWKHv6hDggqlC3WVh4dM2Od0KeC5/rhdkeeRIhY e68b7WQA6Jo01YgLIVwBjGwQdTbajDTuryqbR/XFXgHmI/ByPrDdpauMOhhs12UHMgur 4DQc3HBwufC2663sWEXux6Iy61ZcnvVw0E11hAEDzV8A7PkNBOuX/iFSln16Rm+oZBbH K9N3/TTpS439vr1Wgk2oNNPKjEtbPlaaRCGw3AsUv7sGK2oEZ2+ac2sXe4/MbYPJGq94 OZ5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=YBi+vaikM0X8QBN8cWBT1jxdRUeNgd6JrQv6gOdnAAzkOtYE8i1nrisuUXAig5xxv3 qaEGf8K+kVV3o5XY2wGJbyLUZff4pkaTftfiXLVBoYf+u4UKs75e8s2UuhNiEGOQI1QG EiK9vIVmR11ob4CfzClvjhKlYVfXM+gYv/XPvx0UX6yW4XyiofrFV6yb+Ax9svWWJ6nF DZwQdyspFpTv7bqoZG1uIONgJog6PK+lkuHwbEPCwbUewMrAZWzEkABOyQLlhZ8brdAu 7KOhqPcrYJzWEnEGrLbr/yunB0VNxftfbYKPXztQyF2oBK6BhB87YUp6XJGXP4g6RYsj H1CQ==
X-Gm-Message-State: AA6/9RnEfWM/9llKKreZBLgSbthjIWPHD7carEZJWe/INy8MyloqktKxE2ge7mYkHZULcGTALIBRaXPiXOHlSQ==
X-Received: by 10.36.254.200 with SMTP id w191mr9913833ith.101.1476719660461; Mon, 17 Oct 2016 08:54:20 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.188.4 with HTTP; Mon, 17 Oct 2016 08:54:19 -0700 (PDT)
In-Reply-To: <D42AB86C.538C3%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 17 Oct 2016 11:54:19 -0400
X-Google-Sender-Auth: gLMcNedO7nuRXi1KTa6eaA-Ihd0
Message-ID: <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary="94eb2c03473ecb737b053f1196a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/d1LD4gN1j3LO_SYVkic-z4wlCd8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 15:54:27 -0000

In fact is there anyone opposing their status becomes MUST NOT in
rfc4307bis.

On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com>
wrote:

> > I'm proposing it is time to change this to MUST NOT for 4307bis.
>
>
>
> +1
>
> On 09/10/16 23:26, "IPsec on behalf of Paul Wouters"
> <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
> >
> >Released a few days ago:
> >
> >       http://eprint.iacr.org/2016/961
> >
> >       A kilobit hidden SNFS discrete logarithm computation
> >       Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel
> Thomé
> >
> >       We perform a special number field sieve discrete logarithm
> >       computation in a 1024-bit prime field. To our knowledge, this
> >       is the first kilobit-sized discrete logarithm computation ever
> >       reported for prime fields. This computation took a little over
> >       two months of calendar time on an academic cluster using the
> >       open-source CADO-NFS software.
> >
> >Basically, this paper shows how to make a DH group of 1024 modp
> >with a backdoor, in two months of academic computing resources,
> >
> >The paper mentions 5114 a few times:
> >
> >       RFC 5114 [33] specifies a number of groups for use with
> >       Diffie-Hellman, and states that the parameters were drawn
> >       from NIST test data, but neither the NIST test data [39] nor
> >       RFC 5114 itself contain the seeds used to generate the finite
> >       field parameters
> >
> >And concludes:
> >
> >       Both from this perspective, and from our more modern one,
> dismissing the
> >       risk of trapdoored primes in real usage appears to have been a
> mistake,
> >       as the apparent difficulties encountered by the trapdoor designer
> in
> >1992
> >       turn out to be easily circumvented. A more conservative design
> decision
> >       for FIPS 186 would have required mandatory seed publication
> instead of
> >       making it optional.  As a result, there are opaque, standardized
> >1024-bit
> >       and 2048-bit primes in wide use today that cannot be properly
> verified.
> >
> >This is the strongest statement yet that I've seen to not trust any
> >of the RFC-5114 groups.
> >
> >The latest 4307bis document has these groups (22-24) as SHOULD NOT,
> >stating:
> >
> >       Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
> >       2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
> >       have small subgroups, which means that checks specified in the
> >       "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
> >       2.2 first bullet point MUST be done when these groups are used.
> >       These groups are also not safe-primes.  The seeds for these groups
> >       have not been publicly released, resulting in reduced trust in
> >       these groups.  These groups were proposed as alternatives for
> >       group 2 and 14 but never saw wide deployment.  It is expected
> >       in the near future to be further downgraded to MUST NOT.
> >
> >I'm proposing it is time to change this to MUST NOT for 4307bis.
> >
> >Possibly, we should do this via SAAG in general, and then follow SAAG's
> >advise in IPSECME.
> >
> >Is there _any_ reason why group 22-24 should not be MUST NOT ?
> >
> >Paul
> >
> >_______________________________________________
> >IPsec mailing list
> >IPsec@ietf.org
> >https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email