Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 19 October 2016 07:36 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B88C1294A0; Wed, 19 Oct 2016 00:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHLEFMja0WkS; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74014129545; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id z190so21325674qkc.2; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=HIxF59MK2DuOl4dxo3654M6kRnLRbR+P56SKo1VXaIs=; b=LokSx5uqt12inj+vhszxYr7IoGgaFrpjx5VCxuYQEeMdgxYPaB8kDzbXH+NqCsMK2r gxtIpZQw34513fOdaPpBI7S4cijY2UwWUf88iveLReSbdNH5IKr74mL/JfFXU1Ihppl0 S+wHBCn/J6Z1u5KqfwVxyPLoux+FuXa0QVrVzbhlhIwREtyQ0Szkh64z8Q+XNPcW5T03 +Uzw3IEqylwl6BoMJz9lkj3HHiuSjAc4DsbfhflGiG0FpJWV+hhuv9Ooq+eK/V7QfM2q 1OiN53IFHa8XaEXDFNG/t6mmrfbFXMHBK1ULCj/m1gAR/VbCc5bAhHXC/liH2FN0qjq9 TZ+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=HIxF59MK2DuOl4dxo3654M6kRnLRbR+P56SKo1VXaIs=; b=O28B8W4eiY5DmPWUaooTeXO0AXTvIc0bUo0q59s1Oi6J21sxqWh0GyIEI5lhQR1U02 bQvAWV3MdNd5BKkp+zeBma5kuW4zxmDYCUca3afLgVYjkULfBKPs7B/0VBI6F4Hyg4bb hhWFZl7bO9NXW0qWzsA6latFGzZP/IL6Fg8h4V+C+DvlL3ieD040yFdLDdiBqJkLRcD0 UvvE9xAW9rMpM+hNmf7BXe5e0uZ5/Xtghiyp6cC+gUcpRRZSjGKy1m55iqOHbGh+W0W9 mDN5eaqy+CG33+GMuLMJRIU4LSQgNaBSCZByWmC/1c9lbLE4KxJflAE1SjAVUWUI1NPb Klzg==
X-Gm-Message-State: AA6/9RnWRbAwYWHnbq4fReX8XPecnDCqHg8PxkJ1eEWhx9qgZwJiq2C95iUFtUB3A39gfEJqLoJ2H1aTNTfhiA==
X-Received: by 10.55.183.2 with SMTP id h2mr4334386qkf.134.1476862601598; Wed, 19 Oct 2016 00:36:41 -0700 (PDT)
MIME-Version: 1.0
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.12.169.91 with HTTP; Wed, 19 Oct 2016 00:36:01 -0700 (PDT)
In-Reply-To: <D42C37F3.53A00%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 19 Oct 2016 09:36:01 +0200
X-Google-Sender-Auth: R-oj_nSECVGoukBoc0OGmWZmvDU
Message-ID: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nKHJRCg8xoU7SKEzcWux1Gw_mK8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 07:36:44 -0000
On Tue, Oct 18, 2016 at 8:46 PM, John Mattsson <john.mattsson@ericsson.com> wrote: > New paper “Measuring small subgroup attacks against Diffie-Hellman” > https://eprint.iacr.org/2016/995.pdf > “Cryptographic recommendations from standards committees are often too > weak or vague” > “However, the tangle of RFCs and standards attempting to define current > best practices in key generation and parameter sizing do not paint a clear > picture, and instead describe complex combinations of approaches and > parameters, exposing the fragility of the cryptographic ecosystem. As a > result, developers often forget or ignore edge cases, leaving many > implementations of Diffie-Hellman too close to vulnerable" > > “As we show in this paper, finite-field based Diffie-Hellman has many edge > cases that make its correct use difficult, and which occasionally arise as > bugs at the protocol level.” > > “As a concrete recommendation, modern Diffie-Hellman implementations > should prefer elliptic curve groups over safe curves with proper point > validation.” I am not sure that the recommendations of this paper should be blindly trusted. There are some inaccurate facts about a library I work on [0], but a part of the abstract is also concerning: "We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default." That's objectively accurate, but the authors do not attempt to find out the actual issue behind it. Are all implementations bad, or there are obstacles in doing that? I am aware that TLS client implementations do not validate subgroup orders by default, because the group information provided by TLS is not sufficient to validate the subgroup order. It is simply impossible for them to do any validation. regards, Nikos [0]. https://lists.gnupg.org/pipermail/gnutls-devel/2016-October/008198.html
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso