Re: [TLS] Another IRINA bug in TLS

Santiago Zanella-Beguelin <santiago@microsoft.com> Thu, 21 May 2015 11:31 UTC

Return-Path: <santiago@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5371ACE96 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 04:31:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KsatrP1fBUwz for <tls@ietfa.amsl.com>; Thu, 21 May 2015 04:31:09 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0127.outbound.protection.outlook.com [65.55.169.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 564C21ACE7A for <tls@ietf.org>; Thu, 21 May 2015 04:31:09 -0700 (PDT)
Received: from BN3PR0301MB0833.namprd03.prod.outlook.com (10.160.154.143) by BN3PR0301MB1249.namprd03.prod.outlook.com (10.161.207.25) with Microsoft SMTP Server (TLS) id 15.1.166.22; Thu, 21 May 2015 11:31:08 +0000
Received: from BN3PR0301CA0067.namprd03.prod.outlook.com (10.160.152.163) by BN3PR0301MB0833.namprd03.prod.outlook.com (10.160.154.143) with Microsoft SMTP Server (TLS) id 15.1.166.22; Thu, 21 May 2015 11:31:06 +0000
Received: from BN1BFFO11FD032.protection.gbl (2a01:111:f400:7c10::1:138) by BN3PR0301CA0067.outlook.office365.com (2a01:111:e400:401e::35) with Microsoft SMTP Server (TLS) id 15.1.166.22 via Frontend Transport; Thu, 21 May 2015 11:31:06 +0000
Authentication-Results: spf=pass (sender IP is 206.191.250.196) smtp.mailfrom=microsoft.com; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 206.191.250.196 as permitted sender) receiver=protection.outlook.com; client-ip=206.191.250.196; helo=064-smtp-out.microsoft.com;
Received: from 064-smtp-out.microsoft.com (206.191.250.196) by BN1BFFO11FD032.mail.protection.outlook.com (10.58.144.95) with Microsoft SMTP Server (TLS) id 15.1.172.14 via Frontend Transport; Thu, 21 May 2015 11:31:05 +0000
Received: from DB4PR30MB032.064d.mgd.msft.net (141.251.50.216) by DB4PR30MB032.064d.mgd.msft.net (141.251.50.216) with Microsoft SMTP Server (TLS) id 15.1.112.16; Thu, 21 May 2015 11:31:04 +0000
Received: from DB4PR30MB032.064d.mgd.msft.net ([141.251.50.216]) by DB4PR30MB032.064d.mgd.msft.net ([141.251.50.216]) with mapi id 15.01.0112.000; Thu, 21 May 2015 11:31:04 +0000
From: Santiago Zanella-Beguelin <santiago@microsoft.com>
To: Florian Weimer <fweimer@redhat.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>
Thread-Topic: [TLS] Another IRINA bug in TLS
Thread-Index: AQHQkwYvDdHZ+lmQNUW54l67jurcrZ2E9gcAgAD9fwCAAB8/AIAAAj6AgAAyIwCAAAGZgIAAAX4AgAACGWE=
Date: Thu, 21 May 2015 11:31:04 +0000
Message-ID: <1432207863352.27057@microsoft.com>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com> , <1432134170.2926.9.camel@redhat.com> <9A043F3CF02CD34C8E74AC1594475C73AB027EED@uxcn10-tdc05.UoA.auckland.ac.nz> <555D90F6.10103@redhat.com> <1432195799.3243.18.camel@redhat.com> <555DBCE6.7080308@redhat.com> <1432206909.3243.45.camel@redhat.com>,<555DBF7E.9050807@redhat.com>
In-Reply-To: <555DBF7E.9050807@redhat.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [92.151.241.88]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; BN1BFFO11FD032; 1:vhB3hve6XQBRkhtOEjUZA9EIbs3bsGjzVAfgxVm+QGP1KeSTnXo0evcx0IoeAb1hZ75QApUMnnbiAzMN/Q9Ib++nbwJpZk6tfZ2WmucVy6bgfEekTMG0PU3l29QHmyWzOrWNURIhq6sp4SG+IWMvHiLKaWwNMTIyorurnOXtPvus6HwaVIGl7tAwxZ4wZIbV3RTdPQsa+yvDBpx41B9ZvCF02bbwjxPv8u2hbSirY0V4yO4wQEXR+Au8nsh9DFNIvFQA6b2qE8GgXkad5oM2IftygUKo8z+7gDtKZKuqvz0kG/6f9E27rBYCiYEUy2NO
X-Forefront-Antispam-Report: CIP:206.191.250.196; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(479174004)(189002)(51704005)(199003)(24454002)(377454003)(106466001)(106116001)(69596002)(5001830100001)(5001860100001)(5001770100001)(117636001)(50466002)(6806004)(23756003)(19580405001)(19580395003)(36756003)(189998001)(68736005)(47776003)(92566002)(50986999)(102836002)(15975445007)(81156007)(86612001)(46102003)(4001540100001)(86146001)(93886004)(2656002)(2900100001)(87936001)(5001960100002)(97736004)(66066001)(2950100001)(64706001)(62966003)(77156002)(86362001)(76176999)(16796002)(54356999); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB0833; H:064-smtp-out.microsoft.com; FPR:; SPF:Pass; PTR:ErrorRetry; MX:1; A:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BN3PR0301MB0833; 2:7BFW4Ihpedy1a+0klN3ANV6sR7fEbqRZ92RQBheGsJzOxzeFEbcMLbgBbrUX3oM0; 2:zYqKwwYOwv8bnpkvDV3BP3OYUEK8VpW2ZhQ6PKE/s2rrG5yUpxjeR0Oz8oG2Mx6ZwR/OJvdX/VAUWhYcrBwJhe+n/VTOGTwHZZD8EW3EsPukGKxElpVMzV9Qj+mK7npUzpWEGt4vW8QYiRHEjYjpkVH3jHrs0yRhGP235wUJHA8i/EKBRIFjHqE1QT8JcTNgzwF86ubXwZ3MdsY95oD5x/djXBw4z+R+cKol3uM7fcNzqS2tD+Pzdgit/xJndibk; 6:JYtR3ezLMc0QaytcWqPOsqu4FlHggfpgHES0GKBpfFcRUnL/e8NEanG6O2/EUuM2oMGDBflqOdV5DLnss2GA1L1GBHQwIV8LlZ2+REBBHyw+FC7TrNHhAHzRudRHvFWAPJXGlHr+pPCwbGzP1KHEOBdomtFQ0X4AMaJVmKwo5gQm9L2EhpkxDxjQXWkOOJa9fISyhkeAgggEiz7Jl1ywW2NLxwFOQhkKO+iCtoKv5RJ2HGbFZnjss/hFs+uvLRJoNHj8iFaKDZyDlqZoB1xXwvzSWB6b4QyGCq71L/eab/YLohb+HGNJw4PUjF6guwZ4pDjnFF9apS2pvGgHSPdPznJa0vfmme8Qy9gCzYzdfiezy40pXFL93Sp3lTJF6LXAqtK81+VGe+K1omeRv00Msc8sxjTaR68KDQlDEaN0//LiiO7QYrKSCthtP514H244jaH/l05HMvHZIlFKe3Be9rI7Qawdu+Xu0v3no8xjruhdNn/bHOCQR8/1g0tUQ2IJ
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB0833; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1249;
X-Microsoft-Antispam-PRVS: <BN3PR0301MB0833A5B1DCF76B8784FD7A0AC9C10@BN3PR0301MB0833.namprd03.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BN3PR0301MB0833; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB0833;
X-Microsoft-Exchange-Diagnostics: 1; BN3PR0301MB0833; 3:ORi2cdlgQJIZlbWdChwM6qnSd3GeQTZLYO10loo4b+MEcSV/5xJgJ+3kLSz/cmxgf4vQruC5GlR4ec5SLaYvFAW3Vnz/HLVFGCAJNf7x0KL1LVSvi9VumqGUoa/kv1YszrYWM94CJ8j7CuwjTywFDNfvLLmt8D7BadLc5rsTl3y+QLyaPIG4OfeSuKgaCk4lYHYroc8C5APL2XfJciPaKsqDxnAVMNQnhrhbPhBVseq1zGrsNIkLo4P4ROc7XWsIbWBaa51GcbqTMwBgHn75nepvEJuGvZQ45uVKm1Q9iwvZDnIsrIfcNt6EEI9JfF9j
X-Forefront-PRVS: 0583A86C08
X-Microsoft-Exchange-Diagnostics: 1; BN3PR0301MB0833; 9:Qt3F8vVR4vZUMQA+6p7MwbDgLB19+1jQnSCF+B58iUyIESfvt8dmea+u/Jhehi4tqPwx7LtYI8OI0omlS7+WHdOaawgBY8Op+bqyacZCEPtNhvcXPbTPDvrkdJAe6zKf5OqetsvCdpfeXRkroLsP3IAYMuNKq+DL1ansv4vLpDNPqzAaedGkHjneM+Dy5n4Bw5t1xImuy4yOD9guNfnvWcyXELhMXDPOJeJy2buXpK3DG1ZHT9MyZnszNSlRkYnMWN0ua9VqZYpqO1kL+eSwf1sH+0TgQE9UCTE8vmB4hJcNjux7JONkV+GInYw44zmi5oOzZUmuW4DKnbx6mJw25aSGmt7OkkktRmOHFFFAudU/BHEMiKF5p6OQPKs2MXacU/xwoiZ/mL8b2xDzqwuYJ+RahMfiEFGUR2F1Uv4QZ4UEOCZUECRGIdx/tqc5yDtZzgHjF7vmK6cjUbJ2WjybPM8aeF6vz8duK4uQkcenBZVq+rpckBnsdKI/j8A1QQVrKP4HsO/RNw4sdgLnvtHupfwOgZcgoCflfFDI77r2BsPsY+oF3QjqUPsdIV0B5FkMlCGKML2q3QPJm5CsS//qDuBaXS0B9nk2lY+6hiZsSphR0vBwNh73IKN498Z0646UWYDLwd0m70nB3Ejj5zHT99dnxOG1A7iJX1K2vTDYtXonPG7nPHCvc8jsVD5aEKbWvzh1vejnsyT9O085UsXhdYNlKxv9qmsIi2mqw8O9ILv0JBmqmc07L/yiY5QAcr75z+kqTTmMGU/G1/sBDtNbkQu/yf0m/4/iOMuHzTpBMpKc8Y7AfXhUxS7k6YzIRgM9xHyfndKoH57KakPVwHGITBoL9vf6YKg9rZ8cuFMKFWuDfXyyMDyh1WW3uzxkd6+2RJx9rXqwQm8ZdfxxSSGEbI78K7q6oiRxlx5VXPtyzM1wLlSt0bL0++n0KPcNv/evo/2Dn5Wm7S0rhgXIazAHqDkNSiZp/pk6Gdiml1xBctR5QpCD6/zeSwuFbLP9y1enNbobmvrA5EtFobesfS0Sawqos5d2JyDgea0Na40vs0xrqRW0SoHOG9cVgjSH/8ZNMvlOQEhkNmdChANR/lIrhXq7XJUWmy3u92gl367I+u6WOGWMg8FPc64K6/p1AmdOF8m1GM68punJeR4gnGbT+6J2Q/AP5DBu0gh/Tsq1iarceIup4bHDhku+rhmPI6UwKQqm44QqrpDyDNie05KckXD6tHy/KF5ByXkvD+T8lQA=
X-Microsoft-Exchange-Diagnostics: 1; BN3PR0301MB0833; 3:hjogSGYGQ/G0benf77qmZALOdIFJtKtLdAMAA8rAcx7x22abz9n/+G0FSehNMR0uS9ICIdCyDvV0e4j44YzesUrW2wcevH4uNVpPHtG0QIawa8oIiTPx0Gl5AGyO+f7fb59BnN2iiLbHL14yttDNFg==; 10:yWnfbYceP7twHKkrG/CVkE9BuDUmWeE5YruBtVy8uu7puBJSS8A+1WdaDKjbe2sjrJwc7FsiiaDqXvTR28PWfxJ3MkL11t0lBUDwten2mTE=; 6:HIwSQZ54pTEYdr2+/zCUFOoM9Yt60O0YEBTGnRDBWQR8+QsBdF3e3rpiuxiIcddQ
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 May 2015 11:31:05.6457 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[206.191.250.196]; Helo=[064-smtp-out.microsoft.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB0833
X-Microsoft-Exchange-Diagnostics: 1; BN3PR0301MB1249; 2:B1xxsnYTFSfEvk+kYA6VZDhRvjDIPkdg3nRzn5/HCqoGbH5DdncHs6MKCNcA6Rpl; 2:uePjfmSa4AI+qZd7aS57ReNkztVIPODiAb7RdGdG+8TalGbX+c0cj2BtB0HImSY3r5oWLk2NOG4vgt+HWLdNMxIPR1ABKMrLfYA5tnTQI3ttn0KkYwZQ4j6bE2cANUNX5gIGk0I7sjuMJlWaSJfksZRY3GHnskguNjh6vvctew1HMexjutXkxsO5JNYI19sYlqUnxsOIBtTlrIGu3FAxzaZKSkkz7mrUjiarsUZmUl/lfjAzYlcyMsBlNWKttfOr; 9:4vlMBheuvRkZd6XrZR2WohvG4v+0/ZeQhFYFW/czteMNnvjNpsmD1D3EeRLkXXniGS0f6q+hhWwxw6QZWkA6GzmgDVfRV0OSutu3T+2hUrEi6p/Xcs7u+usC97qGPcj4BQNP0yWTRdGdOHYhPyUlhQ==
X-OriginatorOrg: microsoft.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Kdann13jge_0fE8xcf_ERWXS9_o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 11:31:11 -0000

Deprecating non-safe DH primes and having clients test primality of p and (p-1)/2 goes a long way. It doesn't rule out all weak groups or trapdoors.

________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Florian Weimer <fweimer@redhat.com>
Sent: Thursday, May 21, 2015 12:20 PM
To: Nikos Mavrogiannopoulos
Cc: tls@ietf.org
Subject: Re: [TLS] Another IRINA bug in TLS

On 05/21/2015 01:15 PM, Nikos Mavrogiannopoulos wrote:

>> Interesting.  But do we want to encourage the use of additional magic
>> primes?
>
> We do the same with elliptic curves.

I think the situation with curves is markedly different because
individual curves can have quite different properties.  With safe DH
primes of similar size, one is presumably as good as the other.

> We agreed on some groups and use
> these for simplicity. With arbitrary groups, a client cannot verify the
> quality of the parameters of the provided group by the server.

It could still run a primality check on (p - 1) / 2.

> It can only check its size which is an insufficient test if a client wants to
> enforce a particular security level.

On the other hand, a broken server might leak key material by other
means, and if that happens, there is nothing a client can do about that.

>>> However, that would not solve the incompatibility issue with old
>>> servers.
>> You mean, if the client rejects handshakes with defective primes, it
>> will not be able to connect to servers which use them?
>
> The use case that will fail, is if there is a server which is configured
> to prefer DHE ciphersuites, and is setup with 512-bit primes, then no
> client will be able to connect to it, unless it disables DHE.

Yes, this is a tough scenario to solve.

--
Florian Weimer / Red Hat Product Security

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls