RE: DH group exchange (Re: SSH key algorithm updates)
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 08 November 2015 03:01 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Mark D. Baushke" <mdb@juniper.net>, Jeffrey Hutzelman <jhutz@cmu.edu>
CC: denis bider <ietf-ssh3@denisbider.com>, Niels Möller <nisse@lysator.liu.se>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: RE: DH group exchange (Re: SSH key algorithm updates)
Thread-Topic: DH group exchange (Re: SSH key algorithm updates)
Thread-Index: AQHRGZMpddlrPutqm0y/LG2cXIPgg56RbqML
Date: Sun, 08 Nov 2015 03:01:30 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B59709@uxcn10-5.UoA.auckland.ac.nz>
References: <1990286542-756@skroderider.denisbider.com> <1446868237.5945.12.camel@destiny.pc.cs.cmu.edu>, <87436.1446924769@eng-mail01.juniper.net>
In-Reply-To: <87436.1446924769@eng-mail01.juniper.net>
Mark D. Baushke <mdb@juniper.net> writes:

>The root cause is the selection of the generator g in RFC 4419 is not
>sufficient to meet FIPS requirements.

Since RFC 4419 doesn't specify that q is included in the DH keying material,
how do you even verify that it meets FIPS requirements?  You can't actually
perform the FIPS tests on it because one of the parameters is missing.  At
best you can do a test on... well, I'll post my source code comment:

  /* There is a further check that we can perform on p, but it's rather
     problematic because it only works for "safe" primes (primes of the form
     p = 2p' + 1), and even then the checks depend on your religious
     inclinations, you've got the choice of either choosing a value where the
     generated DH secret is limited to half the possible values, or one where
     you leak a bit of the secret exponent.  For example for g=2, if p is
     congruent to 11 mod 24 then g is a quadratic nonresidue and the DH
     secret covers all possible values but you leak the LSB of the secret
     exponent, but if p is congruent to 11 mod 23 then g is a quadratic
     residue and the DH secret only covers half the possible values, but you
     don't leak any bits of the exponent (for OpenSSH's g=5, the values are 3
     and 7).  Once you go to more general values of g, or FIPS 186 primes
     which should be easily verifiable but aren't because the PKCS #3 form
     discards the q value that you need for the verification, there isn't
     really any checking that can be done.

     The result is an ugly yes-biased test that can say "definitely safe" but
     only "possibly unsafe" (unless we're willing to deal with lots of false
     positives).  Because of this we only complain about problems in debug
     mode, if we enabled the rejection of unverifiable primes in release code
     we'd Get Letters... */
  switch( BN_get_word( g ) )
    {
    case 2:
      /* Oakley primes, congruent to 11 mod 24 = leaks LSB, congruent to
         23 mod 24 = only covers half the possible values */
      modWord = BN_mod_word( p, 24 );
      assert_nofuzz( modWord == 11 || modWord == 23 );
      break;

    case 5:
      /* Used by OpenSSH for no known reason */
      modWord = BN_mod_word( p, 10 );
      assert_nofuzz( modWord == 3 || modWord == 7 );
      break;

    default:
      assert_nofuzz( DEBUG_WARN );
    }

Oh, if anyone knows of any other commonly-used magic values I'm missing there,
let me know.

The real fix though would be to publish a quick update to '4419 specifying a
SSH_MSG_KEX_DH_GEX2_GROUP which includes the full set of DH parameters so that
the DH values could be fully verified.

Peter.
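The checks Peter's comment describes, worked through on small constructed safe primes so the arithmetic can be followed by hand. This is an added illustration in Python, not cryptlib code and not from the thread; the prime values 47 and 59 are assumptions chosen for size. It computes the quadratic-residue test directly with Euler's criterion, which covers any generator g on a safe prime rather than only the g = 2 and g = 5 shortcuts in the comment, cross-checks the p mod 24 rule against that direct test, shows the half-coverage and LSB-leak behaviour concretely, and shows the FIPS 186-style check that only works once q is available (which is the parameter the RFC 4419 group message omits).

```python
"""Added illustration (not cryptlib code) of the checks described in the
message: for a safe prime p = 2q+1 the generator g is either a quadratic
residue (order q: the shared secret covers only half the values) or a
non-residue (order 2q: full coverage, but the low bit of the exponent
leaks through the public value).  The primes used below are small
constructed values so that every result can be checked by hand."""

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases, which is
    deterministic for n < 3.18e23 (more than enough for the toy values)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_quadratic_residue(a, p):
    """Euler's criterion: a^((p-1)/2) == 1 (mod p) exactly when a is a square."""
    return pow(a, (p - 1) // 2, p) == 1


def classify_safe_prime_generator(p, g):
    """Which of the two cases from the message applies to (p, g).
    Returns None when p is not a safe prime: with only p and g on the wire
    (no q) there is nothing further that can be verified, which is the
    'possibly unsafe' outcome of the yes-biased test."""
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return None
    g %= p
    if g in (0, 1, p - 1):
        return "degenerate"           # order 1 or 2: never acceptable
    if is_quadratic_residue(g, p):
        return "half-coverage"        # order q, no exponent bit exposed
    return "leaks-lsb"                # order 2q, parity of x exposed


def g2_mod24_rule(p):
    """The shortcut in the message for g = 2 on safe primes: p = 11 mod 24
    means 2 is a non-residue, p = 23 mod 24 means it is a residue."""
    return {11: "leaks-lsb", 23: "half-coverage"}.get(p % 24)


def exponent_lsb_from_public_value(p, g, public):
    """With a non-residue g, the Legendre symbol of g^x equals (-1)^x, so
    the low bit of the secret exponent is readable from g^x.  Returns None
    for a residue g, where this particular leak does not exist."""
    if is_quadratic_residue(g, p):
        return None
    return 0 if is_quadratic_residue(public, p) else 1


def distinct_shared_values(p, g):
    """Brute-force count of the values g^x can take (tiny p only)."""
    return len({pow(g, x, p) for x in range(1, p)})


def verify_group_with_q(p, q, g):
    """The FIPS 186-style parameter check that needs q: q prime, q | p-1,
    and g of order exactly q.  RFC 4419's group message omits q, so an
    implementation cannot run this on a received group."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)


def mod24_rule_matches_legendre(limit=5000):
    """Cross-check that the p mod 24 shortcut and the direct residue test
    agree for g = 2 on every safe prime 7 < p < limit."""
    for p in range(11, limit, 2):
        if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
            continue
        if g2_mod24_rule(p) != classify_safe_prime_generator(p, 2):
            return False
    return True


if __name__ == "__main__":
    for p in (59, 47):   # constructed: 59 = 11 mod 24, 47 = 23 mod 24
        print(p, p % 24, classify_safe_prime_generator(p, 2),
              distinct_shared_values(p, 2), "of", p - 1, "values")
    print("mod-24 rule consistent:", mod24_rule_matches_legendre())
```

Running it prints that 2 mod 59 reaches all 58 non-zero values while leaking exponent parity, and 2 mod 47 reaches only 23 of 46 values, matching the two branches of the comment. The cross-check function confirms the residue-class shortcut and Euler's criterion agree on every small safe prime, which is why the mod 24 test is a cheap stand-in for the general computation; `verify_group_with_q` is the check that becomes possible only once q travels with p and g.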