Re: [TLS] DH security issue in TLS
Pascal Urien <pascal.urien@gmail.com> Thu, 05 December 2019 16:51 UTC
Return-Path: <pascal.urien@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F086120241 for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 08:51:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6NpokEidw0c for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 08:51:42 -0800 (PST)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28DD112012D for <tls@ietf.org>; Thu, 5 Dec 2019 08:51:42 -0800 (PST)
Received: by mail-ua1-x931.google.com with SMTP id 59so1562488uap.12 for <tls@ietf.org>; Thu, 05 Dec 2019 08:51:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x8GWk8vftgNBMC5NuERHFdVr3lUWpGmFvnPjKHgOIvw=; b=LvYX86wjHM/ntA/CU2vjS8AZmstXGvn4ahypGiwdmAxcgg9gOEimfoY2R+SlFcIyn0 OyIfHWeLkBPCwB8VF+FODhwctgmbnd8aZVwEBJi4MNTRINgzGXddWssUm3YWP+itsn4c fZOh3Gqw60GXHlO/c3PA+UmOLcratt/OXgvmuHcx2Ox05CjbeRoBvq9gbk4ZJJDqYAfU wOZHJLlaNrL/1qS5CGv85HGL9aaixtAUzkMrDAo7GtSMvHxKtcV6Uz2MYONbowKHzNoL bCe/RHnCcrJr39TLjwhFHzBs9j2lJjNMoXghNDNgAR1M2rCmLs4IUIx8bo7CT5yFVPJJ 6c5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x8GWk8vftgNBMC5NuERHFdVr3lUWpGmFvnPjKHgOIvw=; b=hOUsdsd8cLGYw1iODHSb/PFW2xk/uiG6ckO/izeOU9UaHCuQi5y4N5iGyC9hmMFx7g lQIpuFGhdsRzzafS7dUjdbqiwSNgX0GlO62Rd174FxsrkSpwkX4nzgrr+X8il2YdVN9e vsdEIXbA4hZ0ArNJNdnXsDLLW3y81lqx86b7ZE90K8z8sG7xpG5selJdOfcZFmznFast DC6nWOsRdC6gotkmR1f96T+lKduv/tsqxCHqOfpa4c1Cc2pBww2nfri9FXbRoXkj7m0s aD/SaNSelonv36y10bbc6Qb4ZhuxAw3Coc5rsbs1qQW9Lfwn2DXnt4bDgdB9QXJkZdy9 ZJ7g==
X-Gm-Message-State: APjAAAW4znkRDKgffyp3GSPBKVD47M1fyBxg/zAwfAe1awQN8PzFb/wL 74SeWcPgAnEwb3hhYrB22ny0TbK/7myfzC1U1B26z3yuQzc=
X-Google-Smtp-Source: APXvYqydI+Gywb0R4brqhbG8C83q5vXMLY5Sdyonbo5vg2vJPW7ETChMPZEy2REGRbFukmerTgZAwd3BlVZq60HLShs=
X-Received: by 2002:ab0:2783:: with SMTP id t3mr7972528uap.48.1575564700914; Thu, 05 Dec 2019 08:51:40 -0800 (PST)
MIME-Version: 1.0
References: <CAEQGKXQAd=j_UyBEQPv7frmcDn_=DoBbvEccCkLPr4odSDcqQw@mail.gmail.com> <BN8PR11MB36661739568DB959F7C9D2C4C1420@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKUk3btOGtDtsAoU+VZTE0YPpmF-Xi0H7_MHMFqYo8PuKFbMNA@mail.gmail.com> <CAEQGKXRy8w1SZc=SBAoOpCXOCQmPqDPqf97gsSkTAUS7dpJ1OA@mail.gmail.com> <9a3bcf305595e769458687a872ed26c3@delignat-lavaud.fr>
In-Reply-To: <9a3bcf305595e769458687a872ed26c3@delignat-lavaud.fr>
From: Pascal Urien <pascal.urien@gmail.com>
Date: Thu, 05 Dec 2019 17:51:30 +0100
Message-ID: <CAEQGKXQ12V2fMbNAP9Rw3-6rRwm_vPxNTCydC4yx0TCc_mgzcQ@mail.gmail.com>
To: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
Cc: Andrey Jivsov <crypto@brainhub.org>, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000051a8250598f7be3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NgsrGGRbV-3rs161DTFBfv0TsyA>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 16:51:45 -0000
Hi All I found in NIST Special Publication 800-56A Revision 3 5.6.2.3.1 FFC Full Public-Key Validation Routine 2. Verify that 1 = y q mod p. This test is implemented in OPENSSL This test relies on the fact that q and p are prime Pascal Le mer. 4 déc. 2019 à 18:16, Antoine Delignat-Lavaud < antoine@delignat-lavaud.fr> a écrit : > Hi Pascal, > > TLS 1.2 does not mandate servers to use safe DH primes. As a client, you > get g and p from the server. You don't know if p is a safe prime, or > indeed if it is a prime at all. You don't even know if g is a generator > of Zp* - it could also be a generator for a small order subgroup. In > that sense, RFC 7919 is correct in that, in general TLS 1.2, clients > could pick any private exponent between 2 and p-2 when you have no > information on p and g. When using an arbitrary server-selected prime > and generator there is no guarantee that the server selected a share > that is not in a small subgroup, and similarly there is no guarantee for > the server that the client share is not of small order. In fact you > don't even have this guarantee either with ECDH (where the curves are > chosen from a fixed list) because some curves also have small subgroups. > > If you want the guarantee that your DH key exchange is contributive, > that is, that neither single party can determine with high-probability > the DH secret produced by the key exchange, you can either 1. use one of > the safe groups defined in RFC7919. When using these groups, you should > pick an exponent between 2 and q-1. 2. Figure out all of the low-order > elements of Zp* and check that the DH secret is not one of them. > > Most implementations will do (2), i.e. they check that g^xy is not 0, 1, > p-1. This is sufficient if p is a safe prime, but it is too expensive to > check that p and p-1/2 are prime. For X25519 most implementations now > check that x(yG) <> I, as it is much simpler than checking xG and yG for > the 8 small order elements. You may be interested in checking Section > III.B of [1] > > Best, > > Antoine > > [1] http://antoine.delignat-lavaud.fr/doc/ndss15.pdf > > On 2019-12-04 16:23, Pascal Urien wrote: > > Hi all > > > > https://tools.ietf.org/html/rfc7919 seems somewhat confusing because > > the order of the generator (2) is q=(p-1)/2 and not (p-1 ) > > > > So in place of > > > > "Traditional finite field Diffie-Hellman has each peer choose their > > secret exponent from the range [2, p-2]." > > It should suggest to use > > "Traditional finite field Diffie-Hellman has each peer choose their > > secret exponent from the range [2, q-1]." > > > > I put below some basic background that could help to understand the DH > > security > > > > If a safe prime p=2q+1 is congruent to 7 modulo 8, then it is a > > divisor of the Mersenne number > > with its matching Sophie Germain prime (q) as exponent. > > a Mersenne prime is a prime number that is one less than a power of > > two. > > That is, it is a prime number of the form Mn = 2**n - 1 for some > > integer n. > > > > 2**q-1 = kp; > > 2**(p-1)/2 = 1 mod p > > Therefore 2 is a generator of order q=(p-1)/2 > > > > (p-1) is a generator of order 2, since (p-1)**2 = (p**2+1-2p) = 1 mod > > q > > > > Example > > p=7 = 2x3 +1, q=3 > > p = 7 mod 8 > > 6 = 2x3 > > 1 group of order 6, phi(6)= 2 generators (q-1) > > 1 group of order 3, phi(3)= 2 generators (q-1) > > 1 group of order 2, phi(2)= 1 generators > > > > 2 4 1 > > 3 2 6 4 5 1 > > 4 2 1 > > 5 4 6 2 3 1 > > 6 1 > > > > Le mer. 4 déc. 2019 à 02:52, Andrey Jivsov <crypto@brainhub.org> a > > écrit : > > > >> https://tools.ietf.org/html/rfc7919#section-5.1 prohibits x=(p-1)/2 > >> because this results in a peer's public key g^x= 1. > >> > >> Allowing this makes some man-in-the middle attacks on TLS easier, > >> because the attacker can predict the value of the ephemeral secret > >> key on another leg of the connection. > >> > >> On Tue, Dec 3, 2019 at 3:03 PM Scott Fluhrer (sfluhrer) > >> <sfluhrer@cisco.com> wrote: > >> > >>> See SRF > >>> > >>> FROM: TLS <tls-bounces@ietf.org> ON BEHALF OF Pascal Urien > >>> SENT: Tuesday, December 03, 2019 5:16 PM > >>> TO: tls@ietf.org > >>> SUBJECT: [TLS] DH security issue in TLS > >>> > >>> I wonder if g**x , with x =(1-p)/2 is checked in current TLS 1.2 > >>> implementation ? > >>> > >>> In RFC https://tools.ietf.org/html/rfc7919 > >>> "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for > >>> Transport Layer Security (TLS)" > >>> > >>> "Traditional finite field Diffie-Hellman has each peer choose > >>> their secret exponent from the range [2, p-2]. > >>> Using exponentiation by squaring, this means each peer must do > >>> roughly 2*log_2(p) multiplications, > >>> twice (once for the generator and once for the peer's public > >>> key)." > >>> > >>> Not True !!! > >>> Even for p= safe prime (i.e.. Sophie Germain prime, p=2*q+1, with > >>> p & q prime number) secret exponent x= (p-1)/2 is a security issue > >>> since : > >>> > >>> g**xy = 1 with y an even integer > >>> g**xy = g**x for y an odd integer > >>> > >>> SRF: actually, g**xy = 1 in both cases, as g**x = 1 (for the g, p > >>> values specified in RFC7919); this is easily seen as all listed p > >>> values are safe primes, and in all cases, g=2 and p=7 mod 8. > >>> > >>> In any case, why would that be a security issue? If both sides > >>> are honest (and select their x, y values honestly), the > >>> probability of one of them selecting (p-1)/2 as their private > >>> value is negligible (even if our selection logic allowed that as a > >>> possible value – it generally doesn’t). If we have two honest > >>> parties with an adversary replacing one of the side’s key share > >>> with g**(p-1)/2, well, the protocol transmits signatures of the > >>> transcript, and so that’ll be detected. If you have an honest > >>> side negotiating with a dishonest one, well, the dishonest one > >>> could select (p-1)/2 as its private value – however, they could > >>> also run the protocol honestly (and learn the shared secret and > >>> the symmetric keys, which are usually the target), and there’s > >>> nothing the protocol can do about that. > >>> > >>> Now, if an honest party reused their private values for multiple > >>> exchanges, a similar observation would allow an adversary to > >>> obtain a single bit of the private value. He would do that by > >>> performing an exchange with the honest party mostly honestly, > >>> selecting a value x as his private value, but instead of > >>> transmitting g**x as his key share, he would transmit -g**x. > >>> Then, the shared value that the honest party would derive is: > >>> > >>> g**xy with y an even integer > >>> > >>> -g**xy with y an odd integer > >>> > >>> The adversary can compute both these values, and determine which > >>> is being used later in the protocol. > >>> > >>> So, the adversary can learn a single bit of the private value > >>> (which doesn’t translate to him learning any bit of the shared > >>> secret, much less the symmetric keys) – however, he cannot > >>> leverage this to learn anything else of the private key. I do not > >>> believe that a single bit is worth worrying about. And, again, if > >>> we generate a fresh DH private value for every exchange (which we > >>> encourage people to do for PFS), even that single bit doesn’t > >>> apply to any other exchange. > >>> > >>> If p is not a safe prime (like in RFC 5114) other issues occur.... > >>> > >>> > >>> Pascal _______________________________________________ > >>> TLS mailing list > >>> TLS@ietf.org > >>> https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Scott Fluhrer (sfluhrer)
- Re: [TLS] DH security issue in TLS Andrey Jivsov
- Re: [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Antoine Delignat-Lavaud
- Re: [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Nasrul Zikri
- Re: [TLS] DH security issue in TLS Viktor Dukhovni
- Re: [TLS] DH security issue in TLS Peter Gutmann