Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Daniel Migault <daniel.migault@ericsson.com> Mon, 17 October 2016 15:54 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5491129883; Mon, 17 Oct 2016 08:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTQz8u1tWcWj; Mon, 17 Oct 2016 08:54:22 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 458551295B1; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id 4so54784434itv.0; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=Bx+jnFlyv0UcWaM+gvr0EJz2/Lj1YXNvbmQyVeCBvaAYtp/670lWYKNoHs/IkdMzVR ZBU4OzZJOPWkGUBKRy8uqgPzyEk+OXWKHv6hDggqlC3WVh4dM2Od0KeC5/rhdkeeRIhY e68b7WQA6Jo01YgLIVwBjGwQdTbajDTuryqbR/XFXgHmI/ByPrDdpauMOhhs12UHMgur 4DQc3HBwufC2663sWEXux6Iy61ZcnvVw0E11hAEDzV8A7PkNBOuX/iFSln16Rm+oZBbH K9N3/TTpS439vr1Wgk2oNNPKjEtbPlaaRCGw3AsUv7sGK2oEZ2+ac2sXe4/MbYPJGq94 OZ5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=YBi+vaikM0X8QBN8cWBT1jxdRUeNgd6JrQv6gOdnAAzkOtYE8i1nrisuUXAig5xxv3 qaEGf8K+kVV3o5XY2wGJbyLUZff4pkaTftfiXLVBoYf+u4UKs75e8s2UuhNiEGOQI1QG EiK9vIVmR11ob4CfzClvjhKlYVfXM+gYv/XPvx0UX6yW4XyiofrFV6yb+Ax9svWWJ6nF DZwQdyspFpTv7bqoZG1uIONgJog6PK+lkuHwbEPCwbUewMrAZWzEkABOyQLlhZ8brdAu 7KOhqPcrYJzWEnEGrLbr/yunB0VNxftfbYKPXztQyF2oBK6BhB87YUp6XJGXP4g6RYsj H1CQ==
X-Gm-Message-State: AA6/9RnEfWM/9llKKreZBLgSbthjIWPHD7carEZJWe/INy8MyloqktKxE2ge7mYkHZULcGTALIBRaXPiXOHlSQ==
X-Received: by 10.36.254.200 with SMTP id w191mr9913833ith.101.1476719660461; Mon, 17 Oct 2016 08:54:20 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.188.4 with HTTP; Mon, 17 Oct 2016 08:54:19 -0700 (PDT)
In-Reply-To: <D42AB86C.538C3%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 17 Oct 2016 11:54:19 -0400
X-Google-Sender-Auth: gLMcNedO7nuRXi1KTa6eaA-Ihd0
Message-ID: <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary="94eb2c03473ecb737b053f1196a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/d1LD4gN1j3LO_SYVkic-z4wlCd8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 15:54:27 -0000
In fact is there anyone opposing their status becomes MUST NOT in rfc4307bis. On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com> wrote: > > I'm proposing it is time to change this to MUST NOT for 4307bis. > > > > +1 > > On 09/10/16 23:26, "IPsec on behalf of Paul Wouters" > <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote: > > > > >Released a few days ago: > > > > http://eprint.iacr.org/2016/961 > > > > A kilobit hidden SNFS discrete logarithm computation > > Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel > Thomé > > > > We perform a special number field sieve discrete logarithm > > computation in a 1024-bit prime field. To our knowledge, this > > is the first kilobit-sized discrete logarithm computation ever > > reported for prime fields. This computation took a little over > > two months of calendar time on an academic cluster using the > > open-source CADO-NFS software. > > > >Basically, this paper shows how to make a DH group of 1024 modp > >with a backdoor, in two months of academic computing resources, > > > >The paper mentions 5114 a few times: > > > > RFC 5114 [33] specifies a number of groups for use with > > Diffie-Hellman, and states that the parameters were drawn > > from NIST test data, but neither the NIST test data [39] nor > > RFC 5114 itself contain the seeds used to generate the finite > > field parameters > > > >And concludes: > > > > Both from this perspective, and from our more modern one, > dismissing the > > risk of trapdoored primes in real usage appears to have been a > mistake, > > as the apparent difficulties encountered by the trapdoor designer > in > >1992 > > turn out to be easily circumvented. A more conservative design > decision > > for FIPS 186 would have required mandatory seed publication > instead of > > making it optional. As a result, there are opaque, standardized > >1024-bit > > and 2048-bit primes in wide use today that cannot be properly > verified. > > > >This is the strongest statement yet that I've seen to not trust any > >of the RFC-5114 groups. > > > >The latest 4307bis document has these groups (22-24) as SHOULD NOT, > >stating: > > > > Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and > > 2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup > > have small subgroups, which means that checks specified in the > > "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section > > 2.2 first bullet point MUST be done when these groups are used. > > These groups are also not safe-primes. The seeds for these groups > > have not been publicly released, resulting in reduced trust in > > these groups. These groups were proposed as alternatives for > > group 2 and 14 but never saw wide deployment. It is expected > > in the near future to be further downgraded to MUST NOT. > > > >I'm proposing it is time to change this to MUST NOT for 4307bis. > > > >Possibly, we should do this via SAAG in general, and then follow SAAG's > >advise in IPSECME. > > > >Is there _any_ reason why group 22-24 should not be MUST NOT ? > > > >Paul > > > >_______________________________________________ > >IPsec mailing list > >IPsec@ietf.org > >https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag >
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso