Re: [TLS] Do we need DH?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 30 December 2014 04:34 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 30 Dec 2014 04:34:50 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF4C7B5@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DjxDRoaC8bEBvcL5k4ktt_c8vLQ

Watson Ladd <watsonbladd@gmail.com> writes:

>I invite you to consider the following interesting sources
>
>http://www.spiegel.de/media/media-35511.pdf
>http://www.spiegel.de/media/media-35510.pdf
>
>DH is also being attacked by PHOENIX: I can wild mass guess that this is
>batch FFS: I don't know if this has been researched extensively, and even
>batch NFS has only an asymptotic analysis.

Where did you see this?  All I saw was a note (in 35511) that "EDH key
exchange not exploitable by the 'easy' way" (I assume 'easy' is "grab the
private key", since that's what's referred to for RSA in the line above).  The
only PHOENIX reference was "pushing new moduli for testing against publicly
known weaknesses", which could mean anything ("we're checking whether
anything's vulnerable to the small-subgroup attack circa 1997, so far we
haven't found anything").  So if anything it's a ringing endorsement of EDH.

In any case I doubt it's FFS (or any other cryptanalytic technique), given
that the rest of the documents talk about using implants, stealing config
files with static keys, and similar techniques.  That's the cryptographers'
fallacy: "The NSA can attack TLS, they must have some amazing new
cryptanalytic technique that we don't know about".  No, they just lifted the
static keys from the config file (cf. the XKCD "hit him with this $5 wrench
until he tells us the password" approach).

I also note that 35511 seems to be a case of rampant over-classification;
there's nothing in there that's remotely sensitive or novel, it's just an SSL
101 talk.  35510 is barely better; I've seen more detailed data on public
security blogs.

Further, interesting to note from 35521 that GCHQ (via FLYING PIG) identified
the Iranian government using Diginotar certs to target their own citizens.

Peter.