IETF Logo Mail Archive

Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

Antonio Sanso <asanso@adobe.com> Thu, 20 October 2016 08:18 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69CF129540; Thu, 20 Oct 2016 01:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g10qeixSSvZe; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0046.outbound.protection.outlook.com [104.47.36.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72AD11293F8; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=69sN8xMJZa4DZG4UdYegRQzbD5+VqRpyXmStJS2cfoM=; b=VJQVpoS8goSec1ZmOIHFj+1nBoneI9dLek/Nrv6UusU52TfTYC5aPtnFOL0lousZa9OypCpdzbk8bBI0O/bf1nmywA7nCqH9sXJ303j2XV53Da6+KOzvlD35gy5Rt26sXoKGJf28tweFKtLeWmvvMrU2ID3uZo4wEOkTriRABIA=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1032.namprd02.prod.outlook.com (10.161.203.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Thu, 20 Oct 2016 08:18:20 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0659.025; Thu, 20 Oct 2016 08:18:20 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduU/0Rej7lBOUG2WHjBaRnjnaCwee4AgACHZ4A=
Date: Thu, 20 Oct 2016 08:18:19 +0000
Message-ID: <EF9F6447-E81A-49E7-8DD7-F68BECE3029D@adobe.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>, <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com> <1476922421060.41042@cs.auckland.ac.nz>
In-Reply-To: <1476922421060.41042@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: 2d3ae1db-f52a-46c8-543a-08d3f8c1a6e3
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1032; 7:yxAExWYBdOpewbOWilnZG8EBuofEDfEYVpw4y9xe0oEyigbjplt8jQ/B9z+ylP+fgao3zrjr81Qqbqqd1d8EqesR9kjug+QHKjE4csyGXjhaR1XEZP35ICqRPqYqnc05ubkWfwufKiVwv+ZGrBlMn7xHH4yLYn8g0JKfdjcr13yBi2RALbayjDOIBX36Cw/oOGkZImHOqKh7CyT2gTh0VkI3VWvh70aydq5DDVJpQnqMbsSRZHoJAsHLJwWWpFyimFIQXBu0v+Vl0kR9RGxHZcaH4MeyZ4sbUYvdglzMgCP8g+tnJn58LSvgV1meWufPZLWI60Hb7gC4Hzx0pga3/B9oR1mtHyQU0t9bJvKBDGM=; 20:n6hb/0sZMR6IJAVp9COONLCFx9/uy4lfH4WSu2Bc9rQmS9BV/+q1qjjLyyEYFKSVyWlMYwdKkECqYYtUwdfgn9e7Qdhh7vLCbkHKDWqDdR/d5U8OtD2MN/+UgBjmq1qUGL+GJRWhf6+PQCeV2HCM6JDpAeJ91W4RKX/54YK+mlI=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0201MB1032;
x-microsoft-antispam-prvs: <BY1PR0201MB1032D804048475329D332350D9D50@BY1PR0201MB1032.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443)(158342451672863)(278428928389397)(120809045254105)(192374486261705)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BY1PR0201MB1032; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1032;
x-forefront-prvs: 01018CB5B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(377454003)(24454002)(199003)(586003)(101416001)(3846002)(8676002)(87936001)(10090500001)(5002640100001)(77096005)(15975445007)(7736002)(81156014)(7846002)(54356999)(33656002)(92566002)(6916009)(5660300001)(50986999)(305945005)(3660700001)(2950100002)(93886004)(122556002)(3280700002)(106116001)(105586002)(36756003)(76176999)(19580405001)(81166006)(83716003)(8936002)(106356001)(19580395003)(66066001)(6116002)(102836003)(97736004)(99286002)(189998001)(68736007)(4326007)(86362001)(2906002)(2900100001)(82746002)(10400500002)(110136003)(11100500001)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1032; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <659BC7680B462945945A8A276F19C0A7@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2016 08:18:19.9492 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1032
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/y-mclSzHfyfyPc7h-r01RLbQUtw>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 08:18:26 -0000

hi Peter, (one of the authors here)
thanks a lot for you comments.
As for the case with Nikos we take on board and well appreciate comments/feedbacks.
Will pass the message.

Thanks a lot and regards

antonio

On Oct 20, 2016, at 2:13 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
> 
>> I am not sure that the recommendations of this paper should be blindly
>> trusted. There are some inaccurate facts about a library I work on [0], but a
>> part of the abstract is also concerning: "We examine over 20 open-source
>> cryptographic libraries and applications and observe that until January 2016,
>> not a single one validated subgroup orders by default."
> 
> I've got some comments on it as well, are any of the authors on this list?
> There are no email addresses given in the paper and I'm not sure that I should
> be spamming them all, or at least the ones I know... in any case the comments
> may be of interest to others, so I've posted them here.
> 
>  Using shorter private exponents yields faster exponentiation times, and is a
>  commonly implemented optimization. The justification for matching the order
>  of the subgroup q to the exponent size rather than making subgroup order as
>  large as possible is not documented anywhere in the standards documents.
> 
> It's not in any standards doc, but it's in HAC AFAIK, and originally came from
> a paper by van Oorschot and Wiener.  My code uses a curve-fitting mechanism to
> choose the appropriate-size exponent for a given prime (implementation
> provided by Colin Plumb many years ago).  Calling it a quadratic curve
> calculation is probably over-selling it a bit, it's just a way of matching the
> exponent size to the prime size without having to include a large lookup
> table.
> 
>  For protocols like TLS and SSH that allow a server to unilaterally specify
>  the group to use, this validation step is not possible for clients to
>  perform for non-safe primes: there is no way for the server to communicate
>  to the client the intended order of the group
> 
> Actually it is for TLS, anything implementing the TLS-LTS draft [1] will
> communicate the group order and the client can then verify it.
> 
>  We observe that no implementation that we examined validated group order for
>  subgroups of order larger than two
> 
> That's kind of a tautology there, both TLS and SSH make this impossible to do.
> At the moment there's at least one implementation that does this, and possibly
> more (there are some proprietary vendor stacks doing -LTS, but since they're
> for embedded devices and tend to be as minimalistic as possible - the most
> popular ASN.1 library there is memcpy() - I wouldn't be surprised if they
> skipped this particular check).  So there's a minimum of one, and a maximum of
> n.
> 
>  In addition, we observed that nearly every implementation uses short
>  exponents by default,
> 
> Yep, because they're the most efficient.  This is what killed RFC 5114,
> they're the most inefficient (random) DH domain parameters ever published.
> Which, in the long run, was probably a good thing since it strongly
> discouraged their use.
> 
>  They have been widely implemented in IPsec and TLS
> 
> Not in TLS they ain't, for the reason given above.  I realise there are
> oddball implementations out there that use or enable their use, but I wouldn't
> say that counts as "widely used".
> 
>  This means a client has no feasible way to validate that the group sent by
>  the server has the desired level of security or that a server’s key exchange
>  value is in the correct group for a non-safe prime.
> 
> See the previous note, TLS-LTS provides this capability.  If you're using the
> RFC 3526 DH params then you can also pretty easily recreate q from them, so
> it's a simple change to apply this fix.
> 
> (TLS-LTS also fixes a number of other issues in TLS 1.2 and earlier, it's not
> only the DH fix that's in there).
> 
>  TABLE II: TLS Library Behavior
> 
> I assume this was the item that Nikos was grumbling about :-).  The two issues
> are that the "Reuses exponent" entries are rather unclear and "Validates
> Subgroup" is somewhat tautological since standard TLS (without -LTS) doesn't
> allow you to do this, so the anwer is always "No".  I assume for "Reuses
> exponent" the entry "Application dependent" means "it's not very clear from
> the code", because my code certainly never reuses DH exponents.  However, to
> see that you need to know that although each DH instance uses an { x, y } pair
> that's fixed at the time of creation, no DH instance is ever reused in a TLS
> or SSH session,
> 
> (Nikos, if you want to do the subgroup checking with GnuTLS and interop-test
> an implementation that provides subgroup info and does the required checking,
> let me know and I'll put up a server.  Same for anyone else, e.g. the OpenSSL
> guys).
> 
>  implementations should follow the guidelines outlined in RFC 7919 for
>  selecting finite field Diffie-Hellman primes
> 
> Uh, no.  7919 is a my-way-or-the-highway spec, or more accurately my-way-or-
> no-way.  You can't say "I'd like to do DH-2048" as with SSH, you can only use
> the one value that 7919 specifies and if either side chooses some other
> DH-2048 value you're required to fall back to RSA.  When this was discussed on
> the TLS list, the general response, from those who commented, was that they
> weren't going to use it because of this and other problems it had.  Some of
> these issues were brought up long ago (e.g. [2]), but ignored.  So 7919 is
> pretty much a non-starter.
> 
>  implementations should prefer “safe” primes of documented provenance of at
>  least 2048 bit
> 
> This is unfortunately easier to recommend than to do.  For example my code
> (and some other implementations I know of) recognise and fastpath known-good
> values like the RFC 3526 ones, but you can't restrict yourself to only using
> known-good values because too many sites use who-knows-what sort of values,
> and you'd lose the ability to connect to a significant chunk of the net if you
> get too exclusive.
> 
> The real solution, and obviously I'm a bit biased here because I'm the author
> (but then it was also an obvious problem that needed fixing), is to use -LTS,
> which provides what you need to validate the DH parameters.
> 
> Peter.
> 
> [0] Not my footnote.
> [1] https://datatracker.ietf.org/doc/draft-gutmann-tls-lts.
> [2] https://www.ietf.org/mail-archive/web/tls/current/msg18697.html.
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email