[saag] trapdoor'ed DH (and RFC-5114 again)

Paul Wouters <paul@nohats.ca> Sun, 09 October 2016 21:26 UTC

Date: Sun, 09 Oct 2016 17:26:02 -0400
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/l-LXRcfRuellCDoJNIGK9WhasQk>
Cc: saag@ietf.org
Subject: [saag] trapdoor'ed DH (and RFC-5114 again)

Released a few days ago:

 	http://eprint.iacr.org/2016/961

 	A kilobit hidden SNFS discrete logarithm computation
 	Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé

 	We perform a special number field sieve discrete logarithm
 	computation in a 1024-bit prime field. To our knowledge, this
 	is the first kilobit-sized discrete logarithm computation ever
 	reported for prime fields. This computation took a little over
 	two months of calendar time on an academic cluster using the
 	open-source CADO-NFS software.

Basically, this paper shows how to make a DH group of 1024 modp
with a backdoor, in two months of academic computing resources.

The paper mentions 5114 a few times:

 	RFC 5114 [33] specifies a number of groups for use with
 	Diffie-Hellman, and states that the parameters were drawn
 	from NIST test data, but neither the NIST test data [39] nor
 	RFC 5114 itself contain the seeds used to generate the finite
 	field parameters

And concludes:

 	Both from this perspective, and from our more modern one, dismissing the
 	risk of trapdoored primes in real usage appears to have been a mistake,
 	as the apparent difficulties encountered by the trapdoor designer in 1992
 	turn out to be easily circumvented. A more conservative design decision
 	for FIPS 186 would have required mandatory seed publication instead of
 	making it optional.  As a result, there are opaque, standardized 1024-bit
 	and 2048-bit primes in wide use today that cannot be properly verified.

This is the strongest statement yet that I've seen to not trust any
of the RFC-5114 groups.

The latest 4307bis document has these groups (22-24) as SHOULD NOT,
stating:

 	Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
 	2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
 	have small subgroups, which means that checks specified in the
 	"Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
 	2.2 first bullet point MUST be done when these groups are used.
 	These groups are also not safe-primes.  The seeds for these groups
 	have not been publicly released, resulting in reduced trust in
 	these groups.  These groups were proposed as alternatives for
 	group 2 and 14 but never saw wide deployment.  It is expected
 	in the near future to be further downgraded to MUST NOT.

I'm proposing it is time to change this to MUST NOT for 4307bis.

Possibly, we should do this via SAAG in general, and then follow SAAG's
advice in IPSECME.

Is there _any_ reason why group 22-24 should not be MUST NOT?

Paul
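An added example (not part of Paul's mail, the paper, or the RFCs) of the public-value check that the 4307bis text says MUST be done for groups 22-24, which are MODP groups with a prime-order subgroup rather than safe-prime groups. It assumes the RFC 6989 section 2.2 first bullet is the order test 1 < y < p-1 and y^q mod p == 1, and uses constructed toy parameters (not the RFC 5114 primes) so the small subgroups are visible by hand.

```python
# Added example: subgroup-membership test for non-safe-prime MODP groups.
# Assumption: the RFC 6989 section 2.2 first-bullet check is
#   1 < y < p-1  and  y^q mod p == 1
# Parameters are constructed toy values, not the RFC 5114 groups.

P = 29   # constructed prime, p = 4*q + 1, so (p-1)/2 is not prime
Q = 7    # constructed prime order of the subgroup actually used for DH
G = 16   # generator of the order-7 subgroup: 2^((p-1)/q) mod p


def safe_prime_check(y: int, p: int) -> bool:
    """Range-only check that suffices for safe-prime groups (RFC 6989 2.1)."""
    return 1 < y < p - 1


def subgroup_check(y: int, p: int, q: int) -> bool:
    """Check for groups with a prime-order subgroup (groups 22-24 style).

    The range check alone is not enough here: Z_p^* also has subgroups of
    order 2 and 4 whose members satisfy 1 < y < p-1 but are not valid
    public values.  Raising y to the subgroup order q must give 1.
    """
    return 1 < y < p - 1 and pow(y, q, p) == 1


def small_subgroup_elements(p: int, q: int) -> list[int]:
    """Values the range check accepts but the order check rejects.

    These are the values that make the RFC 6989 test mandatory for a
    non-safe-prime group; for the toy group they can be listed exhaustively.
    """
    return [y for y in range(2, p - 1) if pow(y, q, p) != 1]


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Honest public value g^x mod p; always lies in the order-q subgroup."""
    return pow(g, private, p)
```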