Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 20 October 2016 00:13 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FD2129482; Wed, 19 Oct 2016 17:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level:
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIILhSN-qSGf; Wed, 19 Oct 2016 17:13:53 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13530129454; Wed, 19 Oct 2016 17:13:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476922432; x=1508458432; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=7jnjkGM8SXztNQqASvFANc+VOjq3S978qdzlKjjG9Ug=; b=4jyXTUPD28MqkOHTzL+1tokb6qiHnKZ+C6/MmHtiwMbOXBmbqeTe4TaS 3lA9f2lSIM0f/TCaVRqDt4TziJfFOLuDWqDFHjMyMukbJc48UDwfjaaZF jDBCVmc3Ys+lOQn8/uXfTOcHFB57Qdxxo7gjXBQvd2Id4x80A8dP6IMO0 JtIUj/jA68xmhJSUvK0dqMeBd04r5pcsKC4eonTp21pUtQCmuitY/Aojz BBYDoMLsgXLW78G+y1kWEPW0dWzwctx2jr2GOUWt0Y/hWXoHwBx6hpapm 0wGtMYebvZufBJuer/js1X+OfKo/XdA9DzjRaXCMC8O4dl4lbAwq6UBpl w==;
X-IronPort-AV: E=Sophos;i="5.31,516,1473076800"; d="scan'208";a="111224825"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.3 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-ogg-b.UoA.auckland.ac.nz) ([10.6.2.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 20 Oct 2016 13:13:47 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 20 Oct 2016 13:13:47 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Thu, 20 Oct 2016 13:13:47 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>, John Mattsson <john.mattsson@ericsson.com>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduZ6MYx3bG8KE+aYJga50a7EKCweBnM
Date: Thu, 20 Oct 2016 00:13:46 +0000
Message-ID: <1476922421060.41042@cs.auckland.ac.nz>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>, <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
In-Reply-To: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/h7wqPyferVn-lAAf83H1XhZ9VdM>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 00:13:57 -0000
Nikos Mavrogiannopoulos <nmav@gnutls.org> writes: >I am not sure that the recommendations of this paper should be blindly >trusted. There are some inaccurate facts about a library I work on [0], but a >part of the abstract is also concerning: "We examine over 20 open-source >cryptographic libraries and applications and observe that until January 2016, >not a single one validated subgroup orders by default." I've got some comments on it as well, are any of the authors on this list? There are no email addresses given in the paper and I'm not sure that I should be spamming them all, or at least the ones I know... in any case the comments may be of interest to others, so I've posted them here. Using shorter private exponents yields faster exponentiation times, and is a commonly implemented optimization. The justification for matching the order of the subgroup q to the exponent size rather than making subgroup order as large as possible is not documented anywhere in the standards documents. It's not in any standards doc, but it's in HAC AFAIK, and originally came from a paper by van Oorschot and Wiener. My code uses a curve-fitting mechanism to choose the appropriate-size exponent for a given prime (implementation provided by Colin Plumb many years ago). Calling it a quadratic curve calculation is probably over-selling it a bit, it's just a way of matching the exponent size to the prime size without having to include a large lookup table. For protocols like TLS and SSH that allow a server to unilaterally specify the group to use, this validation step is not possible for clients to perform for non-safe primes: there is no way for the server to communicate to the client the intended order of the group Actually it is for TLS, anything implementing the TLS-LTS draft [1] will communicate the group order and the client can then verify it. We observe that no implementation that we examined validated group order for subgroups of order larger than two That's kind of a tautology there, both TLS and SSH make this impossible to do. At the moment there's at least one implementation that does this, and possibly more (there are some proprietary vendor stacks doing -LTS, but since they're for embedded devices and tend to be as minimalistic as possible - the most popular ASN.1 library there is memcpy() - I wouldn't be surprised if they skipped this particular check). So there's a minimum of one, and a maximum of n. In addition, we observed that nearly every implementation uses short exponents by default, Yep, because they're the most efficient. This is what killed RFC 5114, they're the most inefficient (random) DH domain parameters ever published. Which, in the long run, was probably a good thing since it strongly discouraged their use. They have been widely implemented in IPsec and TLS Not in TLS they ain't, for the reason given above. I realise there are oddball implementations out there that use or enable their use, but I wouldn't say that counts as "widely used". This means a client has no feasible way to validate that the group sent by the server has the desired level of security or that a server’s key exchange value is in the correct group for a non-safe prime. See the previous note, TLS-LTS provides this capability. If you're using the RFC 3526 DH params then you can also pretty easily recreate q from them, so it's a simple change to apply this fix. (TLS-LTS also fixes a number of other issues in TLS 1.2 and earlier, it's not only the DH fix that's in there). TABLE II: TLS Library Behavior I assume this was the item that Nikos was grumbling about :-). The two issues are that the "Reuses exponent" entries are rather unclear and "Validates Subgroup" is somewhat tautological since standard TLS (without -LTS) doesn't allow you to do this, so the anwer is always "No". I assume for "Reuses exponent" the entry "Application dependent" means "it's not very clear from the code", because my code certainly never reuses DH exponents. However, to see that you need to know that although each DH instance uses an { x, y } pair that's fixed at the time of creation, no DH instance is ever reused in a TLS or SSH session, (Nikos, if you want to do the subgroup checking with GnuTLS and interop-test an implementation that provides subgroup info and does the required checking, let me know and I'll put up a server. Same for anyone else, e.g. the OpenSSL guys). implementations should follow the guidelines outlined in RFC 7919 for selecting finite field Diffie-Hellman primes Uh, no. 7919 is a my-way-or-the-highway spec, or more accurately my-way-or- no-way. You can't say "I'd like to do DH-2048" as with SSH, you can only use the one value that 7919 specifies and if either side chooses some other DH-2048 value you're required to fall back to RSA. When this was discussed on the TLS list, the general response, from those who commented, was that they weren't going to use it because of this and other problems it had. Some of these issues were brought up long ago (e.g. [2]), but ignored. So 7919 is pretty much a non-starter. implementations should prefer “safe” primes of documented provenance of at least 2048 bit This is unfortunately easier to recommend than to do. For example my code (and some other implementations I know of) recognise and fastpath known-good values like the RFC 3526 ones, but you can't restrict yourself to only using known-good values because too many sites use who-knows-what sort of values, and you'd lose the ability to connect to a significant chunk of the net if you get too exclusive. The real solution, and obviously I'm a bit biased here because I'm the author (but then it was also an obvious problem that needed fixing), is to use -LTS, which provides what you need to validate the DH parameters. Peter. [0] Not my footnote. [1] https://datatracker.ietf.org/doc/draft-gutmann-tls-lts. [2] https://www.ietf.org/mail-archive/web/tls/current/msg18697.html.
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso