Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Antonio Sanso <asanso@adobe.com> Thu, 20 October 2016 08:18 UTC
Return-Path: <asanso@adobe.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69CF129540; Thu, 20 Oct 2016 01:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g10qeixSSvZe; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0046.outbound.protection.outlook.com [104.47.36.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72AD11293F8; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=69sN8xMJZa4DZG4UdYegRQzbD5+VqRpyXmStJS2cfoM=; b=VJQVpoS8goSec1ZmOIHFj+1nBoneI9dLek/Nrv6UusU52TfTYC5aPtnFOL0lousZa9OypCpdzbk8bBI0O/bf1nmywA7nCqH9sXJ303j2XV53Da6+KOzvlD35gy5Rt26sXoKGJf28tweFKtLeWmvvMrU2ID3uZo4wEOkTriRABIA=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1032.namprd02.prod.outlook.com (10.161.203.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Thu, 20 Oct 2016 08:18:20 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0659.025; Thu, 20 Oct 2016 08:18:20 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduU/0Rej7lBOUG2WHjBaRnjnaCwee4AgACHZ4A=
Date: Thu, 20 Oct 2016 08:18:19 +0000
Message-ID: <EF9F6447-E81A-49E7-8DD7-F68BECE3029D@adobe.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>, <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com> <1476922421060.41042@cs.auckland.ac.nz>
In-Reply-To: <1476922421060.41042@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: 2d3ae1db-f52a-46c8-543a-08d3f8c1a6e3
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1032; 7:yxAExWYBdOpewbOWilnZG8EBuofEDfEYVpw4y9xe0oEyigbjplt8jQ/B9z+ylP+fgao3zrjr81Qqbqqd1d8EqesR9kjug+QHKjE4csyGXjhaR1XEZP35ICqRPqYqnc05ubkWfwufKiVwv+ZGrBlMn7xHH4yLYn8g0JKfdjcr13yBi2RALbayjDOIBX36Cw/oOGkZImHOqKh7CyT2gTh0VkI3VWvh70aydq5DDVJpQnqMbsSRZHoJAsHLJwWWpFyimFIQXBu0v+Vl0kR9RGxHZcaH4MeyZ4sbUYvdglzMgCP8g+tnJn58LSvgV1meWufPZLWI60Hb7gC4Hzx0pga3/B9oR1mtHyQU0t9bJvKBDGM=; 20:n6hb/0sZMR6IJAVp9COONLCFx9/uy4lfH4WSu2Bc9rQmS9BV/+q1qjjLyyEYFKSVyWlMYwdKkECqYYtUwdfgn9e7Qdhh7vLCbkHKDWqDdR/d5U8OtD2MN/+UgBjmq1qUGL+GJRWhf6+PQCeV2HCM6JDpAeJ91W4RKX/54YK+mlI=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0201MB1032;
x-microsoft-antispam-prvs: <BY1PR0201MB1032D804048475329D332350D9D50@BY1PR0201MB1032.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443)(158342451672863)(278428928389397)(120809045254105)(192374486261705)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BY1PR0201MB1032; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1032;
x-forefront-prvs: 01018CB5B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(377454003)(24454002)(199003)(586003)(101416001)(3846002)(8676002)(87936001)(10090500001)(5002640100001)(77096005)(15975445007)(7736002)(81156014)(7846002)(54356999)(33656002)(92566002)(6916009)(5660300001)(50986999)(305945005)(3660700001)(2950100002)(93886004)(122556002)(3280700002)(106116001)(105586002)(36756003)(76176999)(19580405001)(81166006)(83716003)(8936002)(106356001)(19580395003)(66066001)(6116002)(102836003)(97736004)(99286002)(189998001)(68736007)(4326007)(86362001)(2906002)(2900100001)(82746002)(10400500002)(110136003)(11100500001)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1032; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <659BC7680B462945945A8A276F19C0A7@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2016 08:18:19.9492 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1032
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/y-mclSzHfyfyPc7h-r01RLbQUtw>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 08:18:26 -0000
hi Peter, (one of the authors here) thanks a lot for you comments. As for the case with Nikos we take on board and well appreciate comments/feedbacks. Will pass the message. Thanks a lot and regards antonio On Oct 20, 2016, at 2:13 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Nikos Mavrogiannopoulos <nmav@gnutls.org> writes: > >> I am not sure that the recommendations of this paper should be blindly >> trusted. There are some inaccurate facts about a library I work on [0], but a >> part of the abstract is also concerning: "We examine over 20 open-source >> cryptographic libraries and applications and observe that until January 2016, >> not a single one validated subgroup orders by default." > > I've got some comments on it as well, are any of the authors on this list? > There are no email addresses given in the paper and I'm not sure that I should > be spamming them all, or at least the ones I know... in any case the comments > may be of interest to others, so I've posted them here. > > Using shorter private exponents yields faster exponentiation times, and is a > commonly implemented optimization. The justification for matching the order > of the subgroup q to the exponent size rather than making subgroup order as > large as possible is not documented anywhere in the standards documents. > > It's not in any standards doc, but it's in HAC AFAIK, and originally came from > a paper by van Oorschot and Wiener. My code uses a curve-fitting mechanism to > choose the appropriate-size exponent for a given prime (implementation > provided by Colin Plumb many years ago). Calling it a quadratic curve > calculation is probably over-selling it a bit, it's just a way of matching the > exponent size to the prime size without having to include a large lookup > table. > > For protocols like TLS and SSH that allow a server to unilaterally specify > the group to use, this validation step is not possible for clients to > perform for non-safe primes: there is no way for the server to communicate > to the client the intended order of the group > > Actually it is for TLS, anything implementing the TLS-LTS draft [1] will > communicate the group order and the client can then verify it. > > We observe that no implementation that we examined validated group order for > subgroups of order larger than two > > That's kind of a tautology there, both TLS and SSH make this impossible to do. > At the moment there's at least one implementation that does this, and possibly > more (there are some proprietary vendor stacks doing -LTS, but since they're > for embedded devices and tend to be as minimalistic as possible - the most > popular ASN.1 library there is memcpy() - I wouldn't be surprised if they > skipped this particular check). So there's a minimum of one, and a maximum of > n. > > In addition, we observed that nearly every implementation uses short > exponents by default, > > Yep, because they're the most efficient. This is what killed RFC 5114, > they're the most inefficient (random) DH domain parameters ever published. > Which, in the long run, was probably a good thing since it strongly > discouraged their use. > > They have been widely implemented in IPsec and TLS > > Not in TLS they ain't, for the reason given above. I realise there are > oddball implementations out there that use or enable their use, but I wouldn't > say that counts as "widely used". > > This means a client has no feasible way to validate that the group sent by > the server has the desired level of security or that a server’s key exchange > value is in the correct group for a non-safe prime. > > See the previous note, TLS-LTS provides this capability. If you're using the > RFC 3526 DH params then you can also pretty easily recreate q from them, so > it's a simple change to apply this fix. > > (TLS-LTS also fixes a number of other issues in TLS 1.2 and earlier, it's not > only the DH fix that's in there). > > TABLE II: TLS Library Behavior > > I assume this was the item that Nikos was grumbling about :-). The two issues > are that the "Reuses exponent" entries are rather unclear and "Validates > Subgroup" is somewhat tautological since standard TLS (without -LTS) doesn't > allow you to do this, so the anwer is always "No". I assume for "Reuses > exponent" the entry "Application dependent" means "it's not very clear from > the code", because my code certainly never reuses DH exponents. However, to > see that you need to know that although each DH instance uses an { x, y } pair > that's fixed at the time of creation, no DH instance is ever reused in a TLS > or SSH session, > > (Nikos, if you want to do the subgroup checking with GnuTLS and interop-test > an implementation that provides subgroup info and does the required checking, > let me know and I'll put up a server. Same for anyone else, e.g. the OpenSSL > guys). > > implementations should follow the guidelines outlined in RFC 7919 for > selecting finite field Diffie-Hellman primes > > Uh, no. 7919 is a my-way-or-the-highway spec, or more accurately my-way-or- > no-way. You can't say "I'd like to do DH-2048" as with SSH, you can only use > the one value that 7919 specifies and if either side chooses some other > DH-2048 value you're required to fall back to RSA. When this was discussed on > the TLS list, the general response, from those who commented, was that they > weren't going to use it because of this and other problems it had. Some of > these issues were brought up long ago (e.g. [2]), but ignored. So 7919 is > pretty much a non-starter. > > implementations should prefer “safe” primes of documented provenance of at > least 2048 bit > > This is unfortunately easier to recommend than to do. For example my code > (and some other implementations I know of) recognise and fastpath known-good > values like the RFC 3526 ones, but you can't restrict yourself to only using > known-good values because too many sites use who-knows-what sort of values, > and you'd lose the ability to connect to a significant chunk of the net if you > get too exclusive. > > The real solution, and obviously I'm a bit biased here because I'm the author > (but then it was also an obvious problem that needed fixing), is to use -LTS, > which provides what you need to validate the DH parameters. > > Peter. > > [0] Not my footnote. > [1] https://datatracker.ietf.org/doc/draft-gutmann-tls-lts. > [2] https://www.ietf.org/mail-archive/web/tls/current/msg18697.html. > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] trapdoor'ed DH (and RFC-5114 again) Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Dang, Quynh (Fed)
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Daniel Migault
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Yoav Nir
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Tero Kivinen
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Watson Ladd
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Paul Wouters
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Stephen Kent
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Nikos Mavrogiannopoulos
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… John Mattsson
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Peter Gutmann
- Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 a… Antonio Sanso