[TLS] DH security issue in TLS

Pascal Urien <pascal.urien@gmail.com> Tue, 03 December 2019 22:16 UTC

Return-Path: <pascal.urien@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87D0712004D for <tls@ietfa.amsl.com>; Tue, 3 Dec 2019 14:16:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJDvShJBh5NQ for <tls@ietfa.amsl.com>; Tue, 3 Dec 2019 14:16:26 -0800 (PST)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8FD912003F for <tls@ietf.org>; Tue, 3 Dec 2019 14:16:26 -0800 (PST)
Received: by mail-vs1-xe2e.google.com with SMTP id x18so3513836vsq.4 for <tls@ietf.org>; Tue, 03 Dec 2019 14:16:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=fs6z+ULDyOc8pUWb1BF8wPQVgH98ubQ8yNZWw0ujfoo=; b=IZZ5rO6XFImBqNUEZxkrMMbE4VqTpIJDFBjhVrz9nNzkIf6eJt/OBxqJfOM8VfeNif Nhz7bXyfP+fEzIlQ656xWen6lVTd2bpuRc2IW7q0tYGKNa2ur1PVGPmUmqdfCWJl2KNX eOV36if1To1tKC0IuBHQ6UXuOaSzuN6hDxxeePFn865zUCnwdRRrjbY04TyKRsUCztjs NQA1d5HOsZAxF9bLrdkgUzopdV/AjdLQW5d3nirlX2ZvOUpgspg9BnTzFfCyi3JIzHqI /8AqRTUFtw7o/KNWmkXHO3zStnDugHF4QejyE7sfHYom9nUhFcA5FEMYbhZRjFej7I08 0mcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=fs6z+ULDyOc8pUWb1BF8wPQVgH98ubQ8yNZWw0ujfoo=; b=iU6rLpkqsrU+Dn0pETTILTWEVQ6vRI3+2+2SnZbLQMaGV1400b7QlAJCVB+EW+pEWa Hkn34zjnynDksawVnyNOzqV0+di+ZJBQ9RHoNjPXY6j0fUmsiyiopY+slwDOLoRXb0HT 0ROoTXPav+ylP9PdJ2zKdqezRNEQamHcAAOKr36Q4TYH/LtZ9l4YGodpg8avTq6j0BMc yt2E4fnHGHiugLeeIvr4eAYHMj7kiONG7oByF0Ul4/S+T5JdzQkZGOyn8uFvLeu8wJdz PQ/2ni2pARZSAsH6q8VfHyiUrznnC26p17s9RsPwVj4WE3gKL/lZw/BWpNuG77dQPCcQ 84Zw==
X-Gm-Message-State: APjAAAXoBTIUiS8j9lIuFXcJcI3Hfonm1h94SQgvrSYEQkFop4hLf/l9 ko9TWhGFfwyoWF4zuQPdzqy9LWo4HuLxOKaxe9Ny5PW3JHy/0Q==
X-Google-Smtp-Source: APXvYqwfpsiY68UdJT41Q4PkAL8DLgPuiWO47Rc/Ko36fcWtlifLeGvlyxOkbOZb2hxrSFSEwrjj44siOIQTPqLtrAY=
X-Received: by 2002:a05:6102:3099:: with SMTP id l25mr951296vsb.235.1575411385424; Tue, 03 Dec 2019 14:16:25 -0800 (PST)
MIME-Version: 1.0
From: Pascal Urien <pascal.urien@gmail.com>
Date: Tue, 3 Dec 2019 23:16:14 +0100
Message-ID: <CAEQGKXQAd=j_UyBEQPv7frmcDn_=DoBbvEccCkLPr4odSDcqQw@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000000df5d0598d40c1c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Oydeudi7KYbEEMklnTdDxaq0R-w>
Subject: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 22:16:28 -0000

I wonder if g**x , with x =(1-p)/2 is checked in current TLS 1.2
implementation ?

In RFC https://tools.ietf.org/html/rfc7919
"Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport
Layer Security (TLS)"

"Traditional finite field Diffie-Hellman has each peer choose their secret
exponent from the range [2, p-2].
Using exponentiation by squaring, this means each peer must do roughly
2*log_2(p) multiplications,
twice (once for the generator and once for the peer's public key)."

Not True !!!
Even for p= safe prime (i.e. Sophie Germain prime, p=2*q+1, with p & q
prime number) secret exponent x= (p-1)/2 is a security issue since :

g**xy = 1       with y an even integer
g**xy = g**x   for y an odd integer

If p is not a safe prime (like in RFC 5114) other issues occur...

Pascal