From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Do we need DH?
Thread-Index: AdAj6fNGG3O9pH7CSo6QkGgH8wnwBg==
Date: Tue, 30 Dec 2014 04:34:50 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF4C7B5@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DjxDRoaC8bEBvcL5k4ktt_c8vLQ
Subject: Re: [TLS] Do we need DH?
X-BeenThere: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
X-List-Received-Date: Tue, 30 Dec 2014 04:34:59 -0000

Watson Ladd <watsonbladd@gmail.com> writes:

>I invite you to consider the following interesting sources
>
>http://www.spiegel.de/media/media-35511.pdf
>http://www.spiegel.de/media/media-35510.pdf
>
>DH is also being attacked by PHOENIX: I can wild mass guess that this is
>batch FFS: I don't know if this has been researched extensively, and even
>batch NFS has only an asymptotic analysis.

Where did you see this?  All I saw was a note (in 35511) that "EDH key
exchange not exploitable by the 'easy' way" (I assume 'easy' is "grab the
private key", since that's what's referred to for RSA in the line above).  The
only PHOENIX reference was "pushing new moduli for testing against publicly
known weaknesses", which could mean anything ("we're checking whether
anything's vulnerable to the small-subgroup attack circa 1997, so far we
haven't found anything").  So if anything it's a ringing endorsement of EDH.

In any case I doubt it's FFS (or any other cryptanalytic technique), given
that the rest of the documents talk about using implants, stealing config
files with static keys, and similar techniques.  That's the cryptographers'
fallacy, "The NSA can attack TLS, they must have some amazing new
cryptanalytic technique that we don't know about".  No, they just lifted the
static keys from the config file (cf. the XKCD "hit him with this $5 wrench
until he tells us the password" approach).

I also note that 35511 seems to be a case of rampant over-classification,
there's nothing in there that's remotely sensitive or novel, it's just an SSL
101 talk.  35510 is barely better, I've seen more detailed data on public
security blogs.

Further, interesting to note from 35521 that GCHQ (via FLYING PIG) identified
the Iranian government using DigiNotar certs to target their own citizens.

Peter.
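The "small-subgroup attack circa 1997" and the "testing moduli against publicly known weaknesses" that Peter mentions both come down to one defensive check on the receiving side of a finite-field DH exchange: confirm the group is a safe prime with a generator of prime order q, and confirm the peer's public value actually lies in that order-q subgroup before exponentiating with your private key. Below is an added example of that validation (it is not code from this thread, from the TLS working group or from any project mentioned). It assumes the standard full public-key validation of NIST SP 800-56A / RFC 2785 and uses a constructed toy group (p = 23, q = 11, g = 2) so the checks run instantly; a real deployment would use a 2048-bit or larger group.

```python
"""Added example: finite-field DH group and peer public-value validation.

Not from the mailing-list thread or any project it mentions.  The check
implemented here rejects a peer value of tiny order (e.g. p-1, of order 2),
which is the element a small-subgroup attacker would send to learn bits of
the private exponent from the resulting shared secret.
"""
import random


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test; exact for the tiny toy values used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, g: int) -> bool:
    """Accept only a safe prime p = 2q + 1 whose generator g has order q.

    A modulus with small factors in p-1 (a non-safe prime) carries the small
    subgroups the 1997 attack exploits, so it is rejected outright.
    """
    if not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    if p != 2 * q + 1 or not is_probable_prime(q):
        return False
    if not 2 <= g <= p - 2:
        return False
    # g != 1 is already enforced, so g^q == 1 (mod p) means order exactly q.
    return pow(g, q, p) == 1


def validate_peer_public_value(p: int, y: int) -> bool:
    """Full public-key validation: y in [2, p-2] and y^q == 1 (mod p)."""
    if not 2 <= y <= p - 2:
        return False
    q = (p - 1) // 2
    return pow(y, q, p) == 1


def derive_shared_secret(p: int, g: int, priv: int, peer_y: int) -> int:
    """Compute peer_y^priv mod p, refusing to use an unvalidated peer value."""
    if not validate_group(p, g):
        raise ValueError("DH group failed validation")
    if not validate_peer_public_value(p, peer_y):
        raise ValueError("peer public value failed subgroup check")
    return pow(peer_y, priv, p)


# Constructed toy group: p = 23 is a safe prime (q = 11), g = 2 has order 11.
TOY_P, TOY_G = 23, 2

if __name__ == "__main__":
    a, b = 6, 7                      # constructed private exponents
    ya = pow(TOY_G, a, TOY_P)        # 18
    yb = pow(TOY_G, b, TOY_P)        # 13
    print("shared:", derive_shared_secret(TOY_P, TOY_G, a, yb),
          derive_shared_secret(TOY_P, TOY_G, b, ya))
    try:
        derive_shared_secret(TOY_P, TOY_G, a, TOY_P - 1)   # order-2 element
    except ValueError as e:
        print("rejected:", e)
```

The y^q == 1 test is what matters: for a safe prime it costs one extra exponentiation per handshake, and it is exactly what an implementation that "pushes new moduli for testing" would be looking for when the check is missing. For a non-safe prime group the same check cannot be done cheaply, which is one reason the standardised TLS groups (RFC 3526, and later RFC 7919) are all safe primes.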

