IETF Logo Mail Archive

Re: [TLS] DH security issue in TLS

Pascal Urien <pascal.urien@gmail.com> Thu, 05 December 2019 16:51 UTC

Return-Path: <pascal.urien@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F086120241 for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 08:51:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6NpokEidw0c for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 08:51:42 -0800 (PST)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28DD112012D for <tls@ietf.org>; Thu, 5 Dec 2019 08:51:42 -0800 (PST)
Received: by mail-ua1-x931.google.com with SMTP id 59so1562488uap.12 for <tls@ietf.org>; Thu, 05 Dec 2019 08:51:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x8GWk8vftgNBMC5NuERHFdVr3lUWpGmFvnPjKHgOIvw=; b=LvYX86wjHM/ntA/CU2vjS8AZmstXGvn4ahypGiwdmAxcgg9gOEimfoY2R+SlFcIyn0 OyIfHWeLkBPCwB8VF+FODhwctgmbnd8aZVwEBJi4MNTRINgzGXddWssUm3YWP+itsn4c fZOh3Gqw60GXHlO/c3PA+UmOLcratt/OXgvmuHcx2Ox05CjbeRoBvq9gbk4ZJJDqYAfU wOZHJLlaNrL/1qS5CGv85HGL9aaixtAUzkMrDAo7GtSMvHxKtcV6Uz2MYONbowKHzNoL bCe/RHnCcrJr39TLjwhFHzBs9j2lJjNMoXghNDNgAR1M2rCmLs4IUIx8bo7CT5yFVPJJ 6c5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x8GWk8vftgNBMC5NuERHFdVr3lUWpGmFvnPjKHgOIvw=; b=hOUsdsd8cLGYw1iODHSb/PFW2xk/uiG6ckO/izeOU9UaHCuQi5y4N5iGyC9hmMFx7g lQIpuFGhdsRzzafS7dUjdbqiwSNgX0GlO62Rd174FxsrkSpwkX4nzgrr+X8il2YdVN9e vsdEIXbA4hZ0ArNJNdnXsDLLW3y81lqx86b7ZE90K8z8sG7xpG5selJdOfcZFmznFast DC6nWOsRdC6gotkmR1f96T+lKduv/tsqxCHqOfpa4c1Cc2pBww2nfri9FXbRoXkj7m0s aD/SaNSelonv36y10bbc6Qb4ZhuxAw3Coc5rsbs1qQW9Lfwn2DXnt4bDgdB9QXJkZdy9 ZJ7g==
X-Gm-Message-State: APjAAAW4znkRDKgffyp3GSPBKVD47M1fyBxg/zAwfAe1awQN8PzFb/wL 74SeWcPgAnEwb3hhYrB22ny0TbK/7myfzC1U1B26z3yuQzc=
X-Google-Smtp-Source: APXvYqydI+Gywb0R4brqhbG8C83q5vXMLY5Sdyonbo5vg2vJPW7ETChMPZEy2REGRbFukmerTgZAwd3BlVZq60HLShs=
X-Received: by 2002:ab0:2783:: with SMTP id t3mr7972528uap.48.1575564700914; Thu, 05 Dec 2019 08:51:40 -0800 (PST)
MIME-Version: 1.0
References: <CAEQGKXQAd=j_UyBEQPv7frmcDn_=DoBbvEccCkLPr4odSDcqQw@mail.gmail.com> <BN8PR11MB36661739568DB959F7C9D2C4C1420@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKUk3btOGtDtsAoU+VZTE0YPpmF-Xi0H7_MHMFqYo8PuKFbMNA@mail.gmail.com> <CAEQGKXRy8w1SZc=SBAoOpCXOCQmPqDPqf97gsSkTAUS7dpJ1OA@mail.gmail.com> <9a3bcf305595e769458687a872ed26c3@delignat-lavaud.fr>
In-Reply-To: <9a3bcf305595e769458687a872ed26c3@delignat-lavaud.fr>
From: Pascal Urien <pascal.urien@gmail.com>
Date: Thu, 05 Dec 2019 17:51:30 +0100
Message-ID: <CAEQGKXQ12V2fMbNAP9Rw3-6rRwm_vPxNTCydC4yx0TCc_mgzcQ@mail.gmail.com>
To: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
Cc: Andrey Jivsov <crypto@brainhub.org>, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000051a8250598f7be3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NgsrGGRbV-3rs161DTFBfv0TsyA>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 16:51:45 -0000

Hi All

I found in NIST Special Publication 800-56A Revision 3
5.6.2.3.1 FFC Full Public-Key Validation Routine
2. Verify  that  1 = y q mod p.

This test is implemented in OPENSSL

This test relies on the fact  that q and p are prime

Pascal



Le mer. 4 déc. 2019 à 18:16, Antoine Delignat-Lavaud <
antoine@delignat-lavaud.fr> a écrit :

> Hi Pascal,
>
> TLS 1.2 does not mandate servers to use safe DH primes. As a client, you
> get g and p from the server. You don't know if p is a safe prime, or
> indeed if it is a prime at all. You don't even know if g is a generator
> of Zp* - it could also be a generator for a small order subgroup. In
> that sense, RFC 7919 is correct in that, in general TLS 1.2, clients
> could pick any private exponent between 2 and p-2 when you have no
> information on p and g. When using an arbitrary server-selected prime
> and generator there is no guarantee that the server selected a share
> that is not in a small subgroup, and similarly there is no guarantee for
> the server that the client share is not of small order. In fact you
> don't even have this guarantee either with ECDH (where the curves are
> chosen from a fixed list) because some curves also have small subgroups.
>
> If you want the guarantee that your DH key exchange is contributive,
> that is, that neither single party can determine with high-probability
> the DH secret produced by the key exchange, you can either 1. use one of
> the safe groups defined in RFC7919. When using these groups, you should
> pick an exponent between 2 and q-1. 2. Figure out all of the low-order
> elements of Zp* and check that the DH secret is not one of them.
>
> Most implementations will do (2), i.e. they check that g^xy is not 0, 1,
> p-1. This is sufficient if p is a safe prime, but it is too expensive to
> check that p and p-1/2 are prime. For X25519 most implementations now
> check that x(yG) <> I, as it is much simpler than checking xG and yG for
> the 8 small order elements. You may be interested in checking Section
> III.B of [1]
>
> Best,
>
> Antoine
>
> [1] http://antoine.delignat-lavaud.fr/doc/ndss15.pdf
>
> On 2019-12-04 16:23, Pascal Urien wrote:
> > Hi all
> >
> > https://tools.ietf.org/html/rfc7919 seems somewhat confusing because
> > the order of the generator (2) is q=(p-1)/2 and not  (p-1 )
> >
> > So in place of
> >
> > "Traditional finite field Diffie-Hellman has each peer choose their
> > secret exponent from the range [2, p-2]."
> > It should suggest to use
> >  "Traditional finite field Diffie-Hellman has each peer choose their
> > secret exponent from the range [2, q-1]."
> >
> > I put below some basic background that could help to understand the DH
> > security
> >
> > If a safe prime p=2q+1 is congruent to 7 modulo 8, then it is a
> > divisor of the Mersenne number
> > with its matching Sophie Germain prime (q) as exponent.
> > a Mersenne prime is a prime number that is one less than a power of
> > two.
> > That is, it is a prime number of the form Mn = 2**n - 1 for some
> > integer n.
> >
> > 2**q-1 = kp;
> > 2**(p-1)/2 = 1 mod p
> > Therefore 2 is a generator of order q=(p-1)/2
> >
> > (p-1) is a generator of order 2, since (p-1)**2 = (p**2+1-2p) = 1 mod
> > q
> >
> > Example
> > p=7 = 2x3 +1, q=3
> > p = 7 mod 8
> > 6 = 2x3
> > 1 group of order 6, phi(6)= 2 generators (q-1)
> > 1 group of order 3, phi(3)= 2 generators (q-1)
> > 1 group of order 2, phi(2)= 1 generators
> >
> > 2 4 1
> > 3 2 6 4 5 1
> > 4 2 1
> > 5 4 6 2 3 1
> > 6 1
> >
> > Le mer. 4 déc. 2019 à 02:52, Andrey Jivsov <crypto@brainhub.org> a
> > écrit :
> >
> >> https://tools.ietf.org/html/rfc7919#section-5.1 prohibits x=(p-1)/2
> >> because this results in a peer's public key g^x= 1.
> >>
> >> Allowing this makes some man-in-the middle attacks on TLS easier,
> >> because the attacker can predict the value of the ephemeral secret
> >> key on another leg of the connection.
> >>
> >> On Tue, Dec 3, 2019 at 3:03 PM Scott Fluhrer (sfluhrer)
> >> <sfluhrer@cisco.com> wrote:
> >>
> >>> See SRF
> >>>
> >>> FROM: TLS <tls-bounces@ietf.org> ON BEHALF OF Pascal Urien
> >>> SENT: Tuesday, December 03, 2019 5:16 PM
> >>> TO: tls@ietf.org
> >>> SUBJECT: [TLS] DH security issue in TLS
> >>>
> >>> I wonder if g**x , with x =(1-p)/2 is checked in current TLS 1.2
> >>> implementation ?
> >>>
> >>> In RFC https://tools.ietf.org/html/rfc7919
> >>> "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
> >>> Transport Layer Security (TLS)"
> >>>
> >>> "Traditional finite field Diffie-Hellman has each peer choose
> >>> their secret exponent from the range [2, p-2].
> >>> Using exponentiation by squaring, this means each peer must do
> >>> roughly 2*log_2(p) multiplications,
> >>> twice (once for the generator and once for the peer's public
> >>> key)."
> >>>
> >>> Not True !!!
> >>> Even for p= safe prime (i.e.. Sophie Germain prime, p=2*q+1, with
> >>> p & q prime number) secret exponent x= (p-1)/2 is a security issue
> >>> since :
> >>>
> >>> g**xy = 1       with y an even integer
> >>> g**xy = g**x   for y an odd integer
> >>>
> >>> SRF: actually, g**xy  = 1 in both cases, as g**x = 1 (for the g, p
> >>> values specified in RFC7919); this is easily seen as all listed p
> >>> values are safe primes, and in all cases, g=2 and p=7 mod 8.
> >>>
> >>> In any case, why would that be a security issue?  If both sides
> >>> are honest (and select their x, y values honestly), the
> >>> probability of one of them selecting (p-1)/2 as their private
> >>> value is negligible (even if our selection logic allowed that as a
> >>> possible value – it generally doesn’t).  If we have two honest
> >>> parties with an adversary replacing one of the side’s key share
> >>> with g**(p-1)/2, well, the protocol transmits signatures of the
> >>> transcript, and so that’ll be detected. If you have an honest
> >>> side negotiating with a dishonest one, well, the dishonest one
> >>> could select (p-1)/2 as its private value – however, they could
> >>> also run the protocol honestly (and learn the shared secret and
> >>> the symmetric keys, which are usually the target), and there’s
> >>> nothing the protocol can do about that.
> >>>
> >>> Now, if an honest party reused their private values for multiple
> >>> exchanges, a similar observation would allow an adversary to
> >>> obtain a single bit of the private value.  He would do that by
> >>> performing an exchange with the honest party mostly honestly,
> >>> selecting a value x as his private value, but instead of
> >>> transmitting g**x as his key share, he would transmit -g**x.
> >>> Then, the shared value that the honest party would derive is:
> >>>
> >>> g**xy  with y an even integer
> >>>
> >>> -g**xy  with y an odd integer
> >>>
> >>> The adversary can compute both these values, and determine which
> >>> is being used later in the protocol.
> >>>
> >>> So, the adversary can learn a single bit of the private value
> >>> (which doesn’t translate to him learning any bit of the shared
> >>> secret, much less the symmetric keys) – however, he cannot
> >>> leverage this to learn anything else of the private key.  I do not
> >>> believe that a single bit is worth worrying about.  And, again, if
> >>> we generate a fresh DH private value for every exchange (which we
> >>> encourage people to do for PFS), even that single bit doesn’t
> >>> apply to any other exchange.
> >>>
> >>> If p is not a safe prime (like in RFC 5114) other issues occur....
> >>>
> >>>
> >>> Pascal _______________________________________________
> >>> TLS mailing list
> >>> TLS@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/tls
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email