DH Group Exchange in SSH (RFC 4419) - Avoiding Backdoors

"Mark D. Baushke" <mdb@juniper.net> Thu, 29 September 2016 14:47 UTC

To: ietf-ssh@NetBSD.org, curdle@ietf.org
CC: frg@irtf.org
From: "Mark D. Baushke" <mdb@juniper.net>
Subject: DH Group Exchange in SSH (RFC 4419) - Avoiding Backdoors
Date: Thu, 29 Sep 2016 07:47:27 -0700
Message-ID: <35937.1475160447@eng-mail01.juniper.net>

Hi,

Question:

Should RFC 4419 - "Diffie-Hellman Group Exchange for the Secure Shell
(SSH) Transport Layer Protocol" be deprecated?

Background:

The paper "How to Backdoor Diffie-Hellman" by David Wong
https://eprint.iacr.org/2016/644.pdf describes two ways
of creating a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor:

  * a composite modulus with a hidden subgroup (CMHS) and

  * a composite modulus with a smooth order

To the best of my understanding, the only place that the SSH protocol
could be impacted by the attacks suggested in this paper today are in
the use of the RFC 4419 "diffie-hellman-group-exchange-sha1" and
"diffie-hellman-group-exchange-sha256" key exchanges.

The mitigation for this kind of attack would seem to be to use safe
primes of the form 2q + 1 with q prime and ensure that the generator g
has a q-ordered subgroup (g^q = 1 mod p) (cf. FIPS 186-4 A.2.2
Assurance of the Validity of the Generator g). The checks for attacks on
prime order subgroups are also discussed in "Security Issues in the
Diffie-Hellman Key Agreement Protocol" by Jean-Francois Raymond and
Anton Stiglic of Zero-Knowledge Systems Inc., IEEE Transactions on
Information Theory, 22 January 2002 (Google shows a few URLs for this one,
including: http://instantlogic.net/publications/DiffieHellman.pdf )

However, with RFC 4419, only p,g are sent over the wire. So, any
attempts to prove that the Diffie-Hellman parameters are non-trivial, or
make assumptions that q and p are computationally related.

Indeed, if someone is generating a Lim-Lee prime p (which is a very
efficient way to generate a composite prime), then q is unrelated to p
and would be unavailable to validate the generator g.

I am wondering if David Wong's paper is enough to recommend against
using the RFC 4419 ephemeral DH parameters entirely? Or, is there some
useful way to quickly validate that the server DH parameters are valid
from the client?

I would appreciate any feedback you may have on this matter.

-- 
Mark D. Baushke
mdb@juniper.net
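The client-side check the mail asks about, written out as an added example (not code from the mail or from any SSH implementation): given only the p and g a server sends in an RFC 4419 group message, test that p is a safe prime 2q + 1 and that g lies in the order-q subgroup (g^q = 1 mod p), as FIPS 186-4 A.2.2 requires. The small sample groups below are constructed for illustration; the minimum modulus size is assumed to be the client's own policy.

```python
import random


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test. A composite modulus, which both
    backdoor constructions in Wong's paper rely on, fails here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness that n is composite
    return True


def validate_dh_group(p, g, min_bits=2048):
    """Return (ok, reason) for a server-supplied (p, g) pair.
    min_bits is an assumed client policy, not an RFC 4419 value."""
    if p.bit_length() < min_bits:
        return False, "modulus too small"
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):    # p prime but (p-1)/2 composite: small subgroups exist
        return False, "p is not a safe prime"
    if not 2 <= g <= p - 2:
        return False, "g out of range"
    if pow(g, q, p) != 1:           # g must generate the order-q subgroup
        return False, "g is not in the order-q subgroup"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample groups: (p, g); 23 = 2*11+1 and 47 = 2*23+1 are safe primes
    for p, g in ((23, 2), (47, 2), (23, 5), (77, 2), (31, 3)):
        print(p, g, validate_dh_group(p, g, min_bits=5))
```

With p = 23, g = 5 is rejected although it is not a backdoor: 5 generates the whole group (5^11 = -1 mod 23), which the stricter g^q = 1 test the mail cites does not accept.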