Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Filippo Valsorda <filippo@ml.filippo.io> Fri, 27 August 2021 16:41 UTC

Message-Id: <0ba2ed9a-3128-4956-bd9d-2b961cbcb6d0@www.fastmail.com>
In-Reply-To: <64c6ca0a-b3cf-cbdf-c1be-7cc4cc050a52@gmail.com>
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <C8E91D9B-2326-4AAF-9952-69481081E337@ll.mit.edu> <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com> <CAOgPGoBMhhsTupXuWF__zkLuy-4qQhha_Kp1_+ToZrNoaFUsgQ@mail.gmail.com> <13b9e674-9e0b-46aa-b5d6-49798c310d85@www.fastmail.com> <5D5FB49A-7D18-4EC9-B572-BD860479CD5E@ll.mit.edu> <bc91502a-471e-484e-ae5f-d843b703edd6@www.fastmail.com> <64c6ca0a-b3cf-cbdf-c1be-7cc4cc050a52@gmail.com>
Date: Fri, 27 Aug 2021 18:40:52 +0200
From: Filippo Valsorda <filippo@ml.filippo.io>
To: Rene Struik <rstruik.ext@gmail.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/28CgP1puGHopS-tPiYco2veCjIs>

2021-08-27 17:25 GMT+02:00 Rene Struik <rstruik.ext@gmail.com>:
> {officially on vacation till Labor Day, but weighing-in briefly}
> 
> Hi Filippo:
> 
> I had a brief look at the CVEs you referenced and at your Blackhat 2018 presentation. 
> 
> Some observations on your Blackhat 2018 presentation: (a) the attack seems to be a reincarnation of the so-called Goubin attack presented 19 years earlier (in 1999); (b) the attack requires many (100s) of reuses of the same private key string. Both the 1999 attack and your Blackhat 2018 version can be easily prevented if one uses blinded private keys.
> 
> A closer look at your referenced CVEs suggests these can be classified as (i) lack of checking for improperly generated DH groups; (ii) exploiting overflow/underflow/carry bugs. To me, nothing seems to be new here and more likely a failure of implementers to heed results and advice predating the CVEs by years (and sometimes decades) or in QA processes. E.g., with respect to (i), one had not gotten oneself into trouble if one had actually bothered to implement domain parameter checks. In the literature of implementation attacks, OpenSSL has proven to be an excellent "implementation security flaw paper generator".
> 
> I have yet to see evidence that ephemeral-static ECDH would be inherently insecure.

If a consistent history of directly linked vulnerabilities across major implementations doesn't show something is unsafe, I don't think there is progress to be made in the discussion. Blaming the implementers is not particularly interesting to me.

Anyway, I don't have an opinion on SHOULD NOT vs MUST NOT, as long as it leads to Recommended: N in the registry.

> Rene
> 
> On 2021-08-27 9:34 a.m., Filippo Valsorda wrote:
>> [snip] 
>> 
>> This is empirically disproved by a number of vulnerabilities that are exploitable (or near-misses for other reasons) only in ephemeral-static mode, such as CVE-2016-0701, CVE-2016-7055, CVE-2017-3732, CVE-2017-3736, CVE-2017-3738, CVE-2019-1551 just in the past 5 years in OpenSSL, and CVE-2017-8932 and CVE-2021-3114 in Go. https://eprint.iacr.org/2011/633 gives a good explanation of how these attacks work, and you might find https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf interesting as well.
>> OpenSSL:
>> 
>> CVE-2016-0701: improper generation of Diffie-Hellman group
>> 
>> The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
>> 
>> CVE-2016-7055: carry-propagation bug
>> 
>> There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
>> 
>> CVE-2017-3732: carry-propagation bug
>> 
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
>> 
>> CVE-2017-3736: carry-propagation bug
>> 
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
>> 
>> CVE-2017-3738: overflow bug
>> 
>> There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
>> 
>> CVE-2019-1551: overflow bug
>> 
>> There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
>> 
>> Go:
>> 
>> CVE-2017-8932: arithmetic bug
>> 
>> A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive the correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
>> 
>> CVE-2021-3114: underflow bug
>> 
>> In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
>> 
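The domain parameter and peer public key checks Rene refers to (and that the CVE-2016-0701 description above concerns), as an added example in Python that is not part of the thread or of OpenSSL's code. The group p=23, q=11, g=4 and the peer values are small constructed numbers for illustration only; real deployments use a named group such as those in RFC 7919.

```python
# Added example: the checks a DH implementation should run on a group and on a
# peer's public value before using a reusable (ephemeral-static) private key.
# All numeric values here are constructed toy parameters, not a real group.
import secrets

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; fixed bases can be fooled by crafted composites."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True

def check_dh_params(p: int, q: int, g: int) -> str:
    """Return "ok" or why the group is unusable: prime p, prime q | p-1, g of order q."""
    if not is_probable_prime(p):
        return "modulus p is not prime"
    if not is_probable_prime(q) or (p - 1) % q != 0:
        return "q is not a prime divisor of p-1"
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        return "generator g does not have order q"
    return "ok"

def check_dh_public_key(p: int, q: int, y: int) -> str:
    """Reject y outside [2, p-2] or outside the order-q subgroup (small-subgroup confinement)."""
    if not 1 < y < p - 1:
        return "public key out of range"
    if pow(y, q, p) != 1:
        return "public key not in the order-q subgroup"
    return "ok"

if __name__ == "__main__":
    P, Q, G = 23, 11, 4                       # constructed safe-prime group: p = 2q + 1
    print(check_dh_params(P, Q, G), check_dh_params(25, 3, 2))
    print(check_dh_public_key(P, Q, 9), check_dh_public_key(P, Q, 5))
```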