[TLS] Weak Diffie-Hellman Primes (was: DH generator 2 problem?)

Michael D'Errico <mike-list@pobox.com> Mon, 12 October 2020 16:50 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-ikT90vnkJeQZpy9VviuVatHT5w>

On Fri, Oct 9, 2020, at 11:17, Christopher Wood wrote:
> Michael, since your question is more related to the cryptographic 
> primitives used by TLS than the protocol itself, the chairs encourage 
> you to continue this discussion on the CFRG mailing list [2]. 
> Thanks,
> Chris, on behalf of the chairs
> [1] ...
> [2] https://mailarchive.ietf.org/arch/browse/cfrg/


As requested, I sent the message below to the CFRG
mailing list on the 10th.  I did not join the list, but have
been watching via the link [2] above and so far nobody
has said anything.


To: cfrg at irtf dot org


I'm not a member of this list, but was encouraged to
start a discussion here about a discovery I made
w.r.t. the published Diffie-Hellman prime numbers in
RFCs 2409, 3526, and 7919.  These primes all have
a very interesting property where you get 64 or more
bits (the least significant bits of 2^X mod P for some
secret X and prime P) detailing how the modulo
operation was done.  These 64 bits probably reduce
the security of Diffie-Hellman key exchanges though
I have not tried to figure out how.

The number 2^X is going to be a single bit with value
1 followed by a lot of zeros.  All of the primes in the
above mentioned RFCs have 64 bits of 1 in the most
and least significant positions.  The 2's complement
of these primes will have a one in the least significant
bit and at least 63 zeros to the left.

When you think about how a modulo operation is done
manually, you compare a shifted version of P against
the current value of the operand (which is initially 2^X)
and if it's larger than the (shifted) P, you subtract P at
that position and shift P to the right, or if the operand
is smaller than (the shifted) P, you just shift P to the
right without subtracting.

Instead of subtracting, you can add the 2's complement
I mentioned above.  Because of the fact that there are
63 zeros followed by a 1 in the lowest position, you will
see a record of when the modulo operation performed
a subtraction (there's a one) and when it didn't (there's
a zero).

You can use the value of the result you were given by
your peer (which is 2^X mod P) and then add back the
various 2^j * P's detailed wherever the lowest 64 bits
had a value of 1 to find the state of the mod P operation
when it wasn't yet finished.  This intermediate result is
likely going to make it easier to determine X than just a
brute force search.

I don't plan to join this list, though I am flattered to have
been asked to do so.  I'm not a cryptographer.
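
The arithmetic described in the message above, as an added example that is not part of the original post: a shift-and-subtract reduction of 2^x whose subtraction record is compared with the low 64 bits of the result. The modulus `P` is a constructed 256-bit value with the same bit shape as the RFC primes (it is not one of them and need not be prime), and the function names and the choice x = 1000 are assumptions of the example.

```python
MASK64 = (1 << 64) - 1

# Constructed 256-bit modulus shaped like the RFC primes (64 one-bits at the
# top and bottom). It is NOT one of the RFC values and need not be prime.
P = (MASK64 << 192) | (0x0123456789ABCDEFFEDCBA9876543210 << 64) | MASK64


def shift_subtract(value, modulus, stop_at=0):
    """Schoolbook binary reduction, trying modulus << j for j = top .. stop_at.

    Returns (value_left, record), where bit (j - stop_at) of record is 1
    when modulus << j was subtracted at that position.
    """
    top = max(value.bit_length() - modulus.bit_length(), 0)
    record = 0
    for j in range(top, stop_at - 1, -1):
        record <<= 1
        if value >= (modulus << j):
            value -= modulus << j
            record |= 1
    return value, record


def analyse(x, modulus=P):
    """Compare the low 64 bits of 2^x mod P with the subtraction record."""
    remainder, record = shift_subtract(1 << x, modulus)
    # Operand state before the last 64 shift positions (j = 63 .. 0) are tried.
    unfinished, _ = shift_subtract(1 << x, modulus, stop_at=64)
    low64 = remainder & MASK64
    return {
        "remainder": remainder,
        "low64": low64,
        "record_low64": record & MASK64,
        # "Adding back" the shifted moduli named by the low 64 bits.
        "rebuilt": remainder + low64 * modulus,
        "unfinished": unfinished,
    }


if __name__ == "__main__":
    r = analyse(1000)
    print(hex(r["low64"]), hex(r["record_low64"]))
    print(r["rebuilt"] == r["unfinished"], r["rebuilt"] % P == r["remainder"])
```

The two 64-bit values agree for any x >= 64 because P is congruent to -1 and 2^x to 0 modulo 2^64, so 2^x - q*P is congruent to q. The rebuilt intermediate value differs from the remainder by a multiple of P, so it is congruent to the remainder modulo P.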