Re: [saag] Possible backdoor in RFC 5114

Yoav Nir <ynir.ietf@gmail.com> Wed, 29 March 2017 17:17 UTC

Cc: Watson Ladd <watsonbladd@gmail.com>, Security Area Advisory Group <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
To: Ben Laurie <benl@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mPbI_V1egozEQTHZLnsou16JgHQ>

> On 29 Mar 2017, at 11:50, Ben Laurie <benl@google.com> wrote:
> 
> On 22 March 2017 at 18:20, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Mar 22, 2017 8:15 AM, "Ben Laurie" <benl@google.com> wrote:
> 
> On 7 October 2016 at 16:56, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> > On 7 Oct 2016, at 16:59, Tero Kivinen <kivinen@iki.fi> wrote:
> >
> > Stephen Farrell writes:
> >>
> >> So I'm not seeing anyone so far argue to not
> >> deprecate these somehow.
> >>
> >> We could just make 5114 historic as Yoav suggests,
> >> or, if someone writes an I-D to explain why, we
> >> could obsolete 5114. (Such an I-D would presumably
> >> also say something about codepoints that point at
> >> 5114 from other registries.)
> >>
> >> Assuming nobody shows up saying these are in
> >> fact in widespread use I'd be supportive of us
> >> getting rid of cruft.
> >
> > I think the NIST ECP groups are quite widely supported, and used.
> > RFC5114 includes both NIST ECP Groups (192, 224, 256, 384 and 521) and
> > 3 MODP groups.
> >
> > In IPsec, ECP groups are widely used, those MODP groups with subgroup
> > are not. On the other hand I think only those 192, 256 and 521 bit
> > groups are really used, and those are defined also in RFC5903 (which
> > obsoleted original 4753 which had a serious bug in it).
> 
> 
> First, I think you meant 256, 384 and 521 bit, not the 192.
> 
> Second, 5114 did not fix the bug in 4753. It just referenced 4753 for formatting. You know this better than I do, but I don’t think the IANA registry ever referenced 5114 for these ECP groups.
> 
> So for the three useful groups in 5114 you didn’t need it (as 4753 already existed), and you don’t need it now, as 5903 exists. I don’t see anything standing in the way of moving to historic or obsoleting it.
> 
> Possibly I missed something here: why should we be any happier about 5903 than we are about 5114?
> 
> Can you prepare a backdoored elliptic curve that passes all acceptance criteria?
> 
> No, but can the NSA?

I don’t know, but we can speculate all day about what the NSA can or cannot do, including wandless magic or generally solving the DLP. We can only make decisions on the basis of what we know or can reasonably project.

Yoav
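The "MODP groups with subgroup" Tero mentions are groups whose prime p is not a safe prime and whose generator has a prime order q much smaller than p; the practical consequence for an implementer is that a peer's public value must be checked for membership in the order-q subgroup, not just for range. The following is an added illustration of that check and is not code from the thread or from any RFC; the group (p = 67, q = 11, g = 64) is a constructed toy, not an RFC 5114 parameter set.

```python
def is_prime(n: int) -> bool:
    """Trial division; fine only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def is_safe_prime(p: int) -> bool:
    """Safe prime: (p-1)/2 is also prime, so p-1 has no small odd factors."""
    return is_prime(p) and is_prime((p - 1) // 2)

def group_params_consistent(p: int, q: int, g: int) -> bool:
    """Check (p, q, g): p and q prime, q divides p-1, g has order q."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p - 1 and pow(g, q, p) == 1)

def validate_public_value(y: int, p: int, q: int) -> bool:
    """Accept a peer's y only if it lies in the order-q subgroup.
    When p is not a safe prime, p-1 has other small factors, and an
    element of one of those small subgroups passes 1 < y < p-1 but
    confines the shared secret to a handful of values."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1

# Constructed toy group: p = 67, p-1 = 2 * 3 * 11, q = 11, g = 64 has order 11.
P, Q, G = 67, 11, 64

def demo() -> dict:
    honest = pow(G, 5, P)             # honest public value, private exponent 5
    small = pow(2, (P - 1) // 3, P)   # element of the order-3 subgroup (37)
    return {
        "safe_prime": is_safe_prime(P),
        "params_ok": group_params_consistent(P, Q, G),
        "honest_accepted": validate_public_value(honest, P, Q),
        "small_subgroup_rejected": not validate_public_value(small, P, Q),
        "p_minus_1_rejected": not validate_public_value(P - 1, P, Q),
    }

if __name__ == "__main__":
    print(demo())
```

With a safe-prime group (RFC 3526 style) the range check plus a y != 1, y != p-1 test is sufficient; with a non-safe-prime group of this shape the pow(y, q, p) == 1 test is what actually excludes the small subgroups.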