Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Paul Wouters <paul@nohats.ca> Mon, 17 October 2016 16:19 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332981298BD; Mon, 17 Oct 2016 09:19:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level:
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kc8VW-tjYgt1; Mon, 17 Oct 2016 09:19:35 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE9011298B7; Mon, 17 Oct 2016 09:19:34 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3syNh44ZChz3Yt; Mon, 17 Oct 2016 18:19:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476721172; bh=6TUKiCH8pES+vr+948o0XR2Nz1mleXLEEQyDTonH4TY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Ns7z33VgkFZBuVQuHTJUqcqMJeu8rZrHnlPZU6jfTD2fZXc+I6GoYmmeXlGddsFW8 m50B40imzYHb4CeLMaQMecBxwYEp7kavGNFX6NU7OV4m7l5jZrreXNZk1om3bqJTil PJgk/rcxDLJXIH8GTjYM+G4WkeVYckKcnsSiJPMM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FY58Ssjx8pBd; Mon, 17 Oct 2016 18:19:29 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 17 Oct 2016 18:19:29 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E28FE4533F1; Mon, 17 Oct 2016 12:19:26 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca E28FE4533F1
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DA03C4163767; Mon, 17 Oct 2016 12:19:26 -0400 (EDT)
Date: Mon, 17 Oct 2016 12:19:26 -0400
From: Paul Wouters <paul@nohats.ca>
To: Yoav Nir <ynir.ietf@gmail.com>, Stephen Kent <kent@bbn.com>
In-Reply-To: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
Message-ID: <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fg5thHyqBLcN05NMbEHLnrPSRP0>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 16:19:42 -0000
On Mon, 17 Oct 2016, Yoav Nir wrote:
> I’m not entirely comfortable with calling something a MUST NOT when all we have is conjecture,
It's a little more than conjecture.
1) It has been proven that malicious 1024 bit DH values can be generated
by academia that cannot be independantly discovered. Therefore any
nationstate with access to the same theory and more CPU power could
have done this years ago.
2) We have the RFC 5114 values who'se original authors/sponsors are not
disclosing how these were generated.
1) + 2) means we cannot know if these values were trapdoor'ed.
If BBN/NIST/NSA wants to share how they seeded these values, we can all
publicly decide if we can keep using these or not. Without such
information, it just becomes an unnecessary risk to take.
Adding Steve Kent, co-author of RFC-5114, to the CC: so that he has
the opportunity to share what he knows about the origins of these
values and their seeds.
> but I have no love and no need of those DH groups.
> I don’t believe anyone else depends on these groups (at least in IPsec), so I’m fine with such a change.
Thanks,
Paul
> Yoav
>
> On 17 Oct 2016, at 18:54, Daniel Migault <daniel.migault@ericsson.com> wrote:
>
> In fact is there anyone opposing their status becomes MUST NOT in rfc4307bis.
>
> On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
> > I'm proposing it is time to change this to MUST NOT for 4307bis.
>
>
>
> +1
>
> On 09/10/16 23:26, "IPsec on behalf of Paul Wouters"
> <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
> >
> >Released a few days ago:
> >
> > http://eprint.iacr.org/2016/961
> >
> > A kilobit hidden SNFS discrete logarithm computation
> > Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé
> >
> > We perform a special number field sieve discrete logarithm
> > computation in a 1024-bit prime field. To our knowledge, this
> > is the first kilobit-sized discrete logarithm computation ever
> > reported for prime fields. This computation took a little over
> > two months of calendar time on an academic cluster using the
> > open-source CADO-NFS software.
> >
> >Basically, this paper shows how to make a DH group of 1024 modp
> >with a backdoor, in two months of academic computing resources,
> >
> >The paper mentions 5114 a few times:
> >
> > RFC 5114 [33] specifies a number of groups for use with
> > Diffie-Hellman, and states that the parameters were drawn
> > from NIST test data, but neither the NIST test data [39] nor
> > RFC 5114 itself contain the seeds used to generate the finite
> > field parameters
> >
> >And concludes:
> >
> > Both from this perspective, and from our more modern one, dismissing the
> > risk of trapdoored primes in real usage appears to have been a mistake,
> > as the apparent difficulties encountered by the trapdoor designer in
> >1992
> > turn out to be easily circumvented. A more conservative design decision
> > for FIPS 186 would have required mandatory seed publication instead of
> > making it optional. As a result, there are opaque, standardized
> >1024-bit
> > and 2048-bit primes in wide use today that cannot be properly verified.
> >
> >This is the strongest statement yet that I've seen to not trust any
> >of the RFC-5114 groups.
> >
> >The latest 4307bis document has these groups (22-24) as SHOULD NOT,
> >stating:
> >
> > Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
> > 2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
> > have small subgroups, which means that checks specified in the
> > "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
> > 2.2 first bullet point MUST be done when these groups are used.
> > These groups are also not safe-primes. The seeds for these groups
> > have not been publicly released, resulting in reduced trust in
> > these groups. These groups were proposed as alternatives for
> > group 2 and 14 but never saw wide deployment. It is expected
> > in the near future to be further downgraded to MUST NOT.
> >
> >I'm proposing it is time to change this to MUST NOT for 4307bis.
> >
> >Possibly, we should do this via SAAG in general, and then follow SAAG's
> >advise in IPSECME.
> >
> >Is there _any_ reason why group 22-24 should not be MUST NOT ?
> >
> >Paul
> >
> >_______________________________________________
> >IPsec mailing list
> >IPsec@ietf.org
> >https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
>
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso