IETF Logo Mail Archive

Re: [saag] Possible backdoor in RFC 5114

Watson Ladd <watsonbladd@gmail.com> Fri, 07 October 2016 21:50 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF3D1293F3 for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 14:50:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKj2Y334dXHA for <saag@ietfa.amsl.com>; Fri, 7 Oct 2016 14:50:08 -0700 (PDT)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338581293DF for <saag@ietf.org>; Fri, 7 Oct 2016 14:50:08 -0700 (PDT)
Received: by mail-ua0-x233.google.com with SMTP id p102so55167549uap.0 for <saag@ietf.org>; Fri, 07 Oct 2016 14:50:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OKv+/M7pOghnf861EfLJocpk7SEqdBgssz2ChPC7j+0=; b=TjIBSxSY9z6uZIpmsLXMUwu6gAwMfEL7wMHj6SRNOxzTWbjqmCl3axbsqmyJizlbuq GLxig0dHSVl5XcJqoE66BBiknQwDcTaC/si9+jk7rHBlhaIDlXWqwg+eUZH3X8mA9i7j QFU17UIGEv+650F++/uPsyCW0hMscSEiteAs4t5UYpe9kcjDDlAHGm5tVffOrBxr0NOW 5Z/z/fLVjviihrEa/PMFgVJ93aqIBp6HcgyJmm7bJy6Ox8RJKDdHpISuHURh43XMgydf g0WFBgWztsT/3mMjZTu3Dpy8nOtB2tNS7XGRGpfpvQBYNFkhszOjXGuI1RPOEcvGAjw5 l8AQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OKv+/M7pOghnf861EfLJocpk7SEqdBgssz2ChPC7j+0=; b=guP505xg/L4h7LOAUl4XquspOQ4oLMpRGfa52yBj9DA337Prx+EkBvIJ8eZoO3T0on 8MlCoIAnSejqZ8riL6uyjjEhYltMJXNLVSg45LuWcwUTX3/bgPzd6TIVyK7p8FQajiCE 1dqbqRGLPRnzTP8JCxwwujAKYVvf5GEP3xkJ4qqTbolHp3satYPZewgCoh6armREKZMN o1bSGzsc/qE5BIDSnFkNCl/Aj6KwHVb2Ued21oNy9X5hvXqpQHIwB3OG1XJU7ZRLEPeB Xi8gh6yn2Bw7zqJfYaPtFlrERlK5T+birtZM5T/5cCnWIePTV9dSNqVAETW1A/8YEiO+ q+cQ==
X-Gm-Message-State: AA6/9RkB4IUP7+9cHyQ5VcsEKOAaqNqF4cwjrdIaHK9/3iB+jWJg/eEGuY4STPYj0vC7YSX35zUn8/H9nTFmqQ==
X-Received: by 10.159.40.137 with SMTP id d9mr9387761uad.115.1475877007301; Fri, 07 Oct 2016 14:50:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.37.41 with HTTP; Fri, 7 Oct 2016 14:50:06 -0700 (PDT)
In-Reply-To: <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 07 Oct 2016 14:50:06 -0700
Message-ID: <CACsn0cnag=PYkETG9gNUim6cd9k1NK8UAhJa7BU7Vtb3H54YjA@mail.gmail.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lVYmBWrsZoyoFQl8dUiFe4bfMHY>
Cc: "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 21:50:11 -0000

On Fri, Oct 7, 2016 at 2:12 PM, Panos Kampanakis (pkampana)
<pkampana@cisco.com> wrote:
>> I have no idea why we would want to mark the document as historic, or obsolete it, especially as it does define things that are in use (ECP groups).
>> It does not give any recommendations for using those groups, for example in IPsec we do have separate documents which gives those recommendations and for the 256-bit ECP we are saying SHOULD, and for the MODP groups defined in the 5114 we are saying SHOULD NOT.
>> That is much better way to define the recommendations and how those groups should or should not be used.

The IANA registry cites 5903, not 5114, for these groups, so
historifying 5114 would have no effect. I'm not entirely sure what
historifying does to registries in terms of marking DO NOT USE: maybe
a separate draft is required. I am not a process expert. Furthermore
in at least some cases the IKE registries get used by people hunting
for DH parameters. Do we need a draft here? What should that look
like?

It's not SHOULD NOT. It's "using these groups even outside of IKE will
result in pwnage". Do you agree we need a stronger warning about known
bad cryptographic constructions? What do you think that should look
like?

>
> Agreed. The ECP groups are widely used in IKE. "Historifying" will not add value especially before a 25519 group is defined.
> Panos
>
>
>
> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Tero Kivinen
> Sent: Friday, October 07, 2016 10:00 AM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Cc: saag@ietf.org
> Subject: Re: [saag] Possible backdoor in RFC 5114
>
> Stephen Farrell writes:
>>
>> So I'm not seeing anyone so far argue to not deprecate these somehow.
>>
>> We could just make 5114 historic as Yoav suggests, or, if someone
>> writes an I-D to explain why, we could obsolete 5114. (Such an I-D
>> would presumably also say something about codepoints that point at
>> 5114 from other registries.)
>>
>> Assuming nobody shows up saying these are in fact in widespread use
>> I'd be supportive of us getting rid of cruft.
>
> I think the NIST ECP groups are quite widely supported, and used.
> RFC5114 includes both Nist ECP Groups (192, 224, 256, 384 and 521) and
> 3 MODP groups.
>
> In IPsec, ECP groups are widely used, those MODP groups with subgroup are not. On the other hand I think only those 192, 256 and 521 bit groups are really used, and those are defined also in RFC5903 (which obsoleted original 4753 which had serious bug in it).
>
>> So, someone wanna volunteer to write an I-D that'd obsolete 5114? If
>> so, say so here.
>
> Or parts of it or something.
>
>> Or, if you want me to start the "mark it historic"
>> process (which doesn't need an I-D), please say so here. (Note that
>> even though this doesn't need an I-D the status-change does get an
>> IETF last
>> call.)
>
> Marking NIST ECP groups as historic might be preferrable for some people, but it might be good idea to wait before we have curve25519 etc published as rfc for all protocols that 5114 covers before we go that far. In IPsec the curve25519 etc are now in the IESG, I do not know what is the status for other protocls (X.509, TLS, SSH, SMIME).
>
>> Or, if you wanna argue that none of the above are right, then please
>> do that.
>
> I have no idea why we would want to mark the document as historic, or obsolete it, especially as it does define things that are in use (ECP groups).
>
> It does not give any recommendations for using those groups, for example in IPsec we do have separate documents which gives those recommendations and for the 256-bit ECP we are saying SHOULD, and for the MODP groups defined in the 5114 we are saying SHOULD NOT.
>
> That is much better way to define the recommendations and how those groups should or should not be used.
> --
> kivinen@iki.fi
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email