Re: [saag] Possible backdoor in RFC 5114

Yoav Nir <ynir.ietf@gmail.com> Thu, 06 October 2016 16:29 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
Date: Thu, 06 Oct 2016 19:28:57 +0300
In-Reply-To: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fq_OslKs5spW7DizIWPdgXP-8Rs>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

Hi, Watson.

On 6 Oct 2016, at 18:56, Watson Ladd <watsonbladd@gmail.com> wrote:

> https://tools.ietf.org/html/rfc5114
> 
> Let's review some publicly known facts:
> 
> 1) BBN is a defense contractor
> 
> 2) The NSA subverts crypto standards
> 
> 3) It is possible to design primes so the discrete log problem is easy
> 
> 4) The primes in RFC 5114 are not generated in a verifiable manner: it
> is possible they are hidden SNFS primes.
> 
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
> 

RFC 5114 is an Informational document published by two employees (at the time) of BBN as individuals. As the boilerplate says, “it does not specify an Internet standard of any kind”.

IANA numbers have been assigned to them for IKE, but they have not seen widespread use.  In TLS they are all but unknown, and recent work is deprecating the use of DHE with explicit parameters anyway.

The soon-to-be published successor to RFC 4307 (algorithm guidance for IKE - [1]) makes them “SHOULD NOT”.

It has never been explained in what way a 2048-bit MODP Group with 224-bit Prime Order Subgroup is better than a 2048-bit MODP Group without one.  Consequently everyone uses the regular 2048-bit MODP from RFC 3526 ([2]) if they’re not using ECDHE groups.

The RFC is effectively not in use. I don’t see any value in obsoleting it by writing a new RFC with more MODP groups that nobody wants. We could move it to Historic.

Yoav
 
[1] https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-14
[2] https://tools.ietf.org/html/rfc3526
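As an added example (not part of this thread), the parameter checks that make the difference between the two kinds of group concrete: with a safe prime (RFC 3526 style) the subgroup order is q = (p-1)/2, while in an RFC 5114-style group q is a much smaller prime dividing p-1, and a receiver using such a group has to confirm that a peer's public value actually lies in the order-q subgroup. The groups below are constructed toy parameters chosen so the checks run instantly; they are not the RFC values.

```python
# Added example: sanity checks on a finite-field DH group given as (p, q, g).
# Toy parameters are constructed for illustration; real groups are 2048-bit.
import random

SAFE_PRIME_GROUP = (23, 11, 2)   # constructed: p = 2q + 1, RFC 3526-style shape
SUBGROUP_GROUP = (53, 13, 16)    # constructed: p - 1 = 4 * 13, g generates the order-13 subgroup

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; probabilistic, adequate for a parameter sanity check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def classify_group(p, q, g):
    """Return 'safe-prime' when q == (p-1)/2 (RFC 3526 style) or 'subgroup' when q is a
    smaller prime factor of p-1 (RFC 5114 style); raise if (p, q, g) is inconsistent."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must both be prime")
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    if not (1 < g < p - 1) or pow(g, q, p) != 1:
        raise ValueError("g must generate the order-q subgroup")
    return "safe-prime" if q == (p - 1) // 2 else "subgroup"

def peer_value_in_subgroup(y, p, q):
    """A received public value must be a non-trivial element of the order-q subgroup:
    1 < y < p-1 and y^q == 1 (mod p). For a safe prime this reduces to excluding 1 and p-1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
```

With a safe prime the membership test costs nothing beyond excluding 1 and p-1; with a small prime-order subgroup it is a full modular exponentiation per peer value, which is part of why implementers have found little reason to prefer the RFC 5114 groups.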