RE: DH group exchange (Re: SSH key algorithm updates)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 08 November 2015 03:01 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Mark D. Baushke" <mdb@juniper.net>, Jeffrey Hutzelman <jhutz@cmu.edu>
CC: denis bider <ietf-ssh3@denisbider.com>, Niels Möller <nisse@lysator.liu.se>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: RE: DH group exchange (Re: SSH key algorithm updates)
Date: Sun, 08 Nov 2015 03:01:30 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B59709@uxcn10-5.UoA.auckland.ac.nz>
References: <1990286542-756@skroderider.denisbider.com> <1446868237.5945.12.camel@destiny.pc.cs.cmu.edu>, <87436.1446924769@eng-mail01.juniper.net>
In-Reply-To: <87436.1446924769@eng-mail01.juniper.net>

Mark D. Baushke <mdb@juniper.net> writes:

>The root cause is the selection of the generator g in RFC 4419 is not
>sufficient to meet FIPS requirements.

Since RFC 4419 doesn't specify that q is included in the DH keying material,
how do you even verify that it meets FIPS requirements?  You can't actually
perform the FIPS tests on it because one of the parameters is missing.  At
best you can do a test on... well, I'll post my source code comment:

#include <openssl/bn.h>

/* assert_nofuzz() and DEBUG_WARN come from the surrounding code base, not from
   OpenSSL; p and g are the group parameters received from the peer */
static void checkDHGenerator( const BIGNUM *p, const BIGNUM *g )
	{
	BN_ULONG modWord;

	/* There is a further check that we can perform on p, but it's rather
	   problematic because it only works for "safe" primes (primes of the form p =
	   2p' + 1), and even then the checks depend on your religious inclinations:
	   you've got the choice of either choosing a value where the generated DH
	   secret is limited to half the possible values, or one where you leak a bit
	   of the secret exponent.  For example for g=2, if p is congruent to 11 mod
	   24 then g is a quadratic nonresidue and the DH secret covers all possible
	   values but you leak the LSB of the secret exponent, but if p is congruent
	   to 23 mod 24 then g is a quadratic residue and the DH secret only covers
	   half the possible values, but you don't leak any bits of the exponent (for
	   OpenSSH's g=5, the values are 3 and 7).

	   Once you go to more general values of g, or FIPS 186 primes which should be
	   easily verifiable but aren't because the PKCS #3 form discards the q value
	   that you need for the verification, there isn't really any checking that
	   can be done.  The result is an ugly yes-biased test that can say
	   "definitely safe" but only "possibly unsafe" (unless we're willing to deal
	   with lots of false positives).

	   Because of this we only complain about problems in debug mode, if we
	   enabled the rejection of unverifiable primes in release code we'd Get
	   Letters... */
	switch( BN_get_word( g ) )
		{
		case 2:
			/* Oakley primes, congruent to 11 mod 24 = leaks LSB,
			   congruent to 23 mod 24 = only covers half the possible
			   values */
			modWord = BN_mod_word( p, 24 );
			assert_nofuzz( modWord == 11 || modWord == 23 );
			break;

		case 5:
			/* Used by OpenSSH for no known reason */
			modWord = BN_mod_word( p, 10 );
			assert_nofuzz( modWord == 3 || modWord == 7 );
			break;

		default:
			/* No rule for this generator: unverifiable, warn in debug builds only */
			assert_nofuzz( DEBUG_WARN );
		}
	}

Oh, if anyone knows of any other commonly-used magic values I'm missing there,
let me know.

The real fix though would be to publish a quick update to '4419 specifying a
SSH_MSG_KEX_DH_GEX2_GROUP which includes the full set of DH parameters so that
the DH values could be fully verified.

Peter.
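As an added example (not code from the message above or from any project it mentions), the residue-class test in the C fragment, reimplemented in Python and audited against Euler's criterion over small safe primes enumerated inline, so that for each residue class the shortcut accepts one can see whether g has order q (half the values) or 2q (leaks the LSB). It also includes the g^q check that becomes possible once q is transmitted, as the message proposes; no real group parameters are embedded.

```python
# Added example, not from the original post: the residue-class test in the C
# fragment above, checked against Euler's criterion on small safe primes, plus
# the check that becomes possible once q is sent along with p and g.

def is_prime(n: int) -> bool:
    """Trial division; adequate for the small constructed primes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def safe_primes(limit: int) -> list:
    """Primes p < limit with p = 2q + 1, q prime (p > 7 so that 2, 3 and 5 are units mod p)."""
    return [p for p in range(11, limit) if is_prime(p) and is_prime((p - 1) // 2)]

def is_quadratic_residue(g: int, p: int) -> bool:
    """Euler's criterion: for a safe prime, g is a QR iff g has order q rather than 2q."""
    return pow(g, (p - 1) // 2, p) == 1

def shortcut_accepts(p: int, g: int) -> bool:
    """The residue-class test from the quoted C fragment; False for any g it has no rule for."""
    if g == 2:
        return p % 24 in (11, 23)
    if g == 5:
        return p % 10 in (3, 7)
    return False

def audit(limit: int) -> dict:
    """For each small safe prime and g in {2, 5}: what the shortcut says, and what
    order g really has ('2q' = whole group, leaks LSB; 'q' = half the values)."""
    seen = {}
    for p in safe_primes(limit):
        for g in (2, 5):
            residue = p % (24 if g == 2 else 10)
            order = 'q' if is_quadratic_residue(g, p) else '2q'
            seen.setdefault((g, residue), set()).add((shortcut_accepts(p, g), order))
    return seen

def verify_with_q(p: int, q: int, g: int) -> bool:
    """The check the post says RFC 4419 makes impossible: with q available, confirm
    q is prime, q | p - 1, and g generates the order-q subgroup (g^q == 1 mod p)."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p - 1 and pow(g, q, p) == 1)
```

Running audit(2000) shows every safe prime above 7 falls in class 11 or 23 mod 24, so for g=2 the two accepted classes are exactly the nonresidue and residue cases; for g=5 the accepted classes 3 and 7 are both nonresidue cases, while classes 1 and 9 (g of order q) are rejected.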