Re: [TLS] Static DH timing attack
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 11 September 2020 02:21 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Achim Kraus <achimkraus@gmx.net>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 11 Sep 2020 02:21:04 +0000
Message-ID: <1599790864561.88777@cs.auckland.ac.nz>
References: <5595BB40-3AFD-4327-B7B7-5E63FFC594DD@akamai.com> <1599729784370.87441@cs.auckland.ac.nz>, <fff1a66a-0a49-cfbd-461a-c1d0ed3aeaaa@gmx.net>
In-Reply-To: <fff1a66a-0a49-cfbd-461a-c1d0ed3aeaaa@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SdWwCHxvieuL9QYTN3zt8K6m2nM>
Achim Kraus <achimkraus@gmx.net> writes:

>Is using x25519 for ECDHE significantly less secure than using it with
>e.g. secp384r1?

The NIST curves AFAIK are never used that way, it's only done with 25519
(there was something about it in an OpenPGP draft, but I think GPG went
straight to 25519 and only used ECDSA for signatures).

What I'm specifically referring to is DH run sideways, as someone put it
during the X9.42 discussion, i.e. used in static-ephemeral mode to try and
make it work like it's RSA. In all the code audits I've done of 25519 used
that way, I've never seen it used correctly. Usually there isn't just one
mistake made but many of them. It's such an obvious problem that that and
misuse of RC4-equivalent modes/algorithms like GCM and ChaCha20 are the
first things I look for in crypto code.

Peter.
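The static-ephemeral X25519 mode Peter describes, as an added example that is not code from the thread or from any project mentioned in it: the RFC 7748 Montgomery ladder in pure Python, the scalar clamp, the all-zero output check that a reused static key needs against low-order peer points, and a KDF that binds both public keys to the derived key. The function and constant names are mine; the key material is the RFC 7748 section 6.1 test vectors. Python big integers are not constant-time, so this shows the protocol-level checks only and not the side-channel hardening a static key needs, which is what the thread's subject line is about.

```python
"""Static-ephemeral X25519 with the RFC 7748 checks (added example, not from the thread).

Pure-Python ladder from RFC 7748 section 5. Python integers are not
constant-time: this shows the protocol-level checks, not timing hardening.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 vectors: Alice's and Bob's scalars, points, shared K.
A_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
A_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
B_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
B_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _decode_scalar(k: bytes) -> int:
    """Clamp per RFC 7748: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a u-coordinate, ignoring the unused top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap (still not constant-time with Python ints)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(k, u): Montgomery ladder over Curve25519, 32-byte output."""
    kk = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt; enough for one 32-byte key."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        okm += block
        ctr += 1
    return okm[:length]


def derive_key(shared: bytes, eph_pub: bytes, static_pub: bytes) -> bytes:
    """Reject low-order peer points, then bind both public keys into the key."""
    # A low-order u (0, 1, ...) gives an all-zero output for every scalar; with
    # a reused static key the peer can send one on purpose, so it is rejected.
    # RFC 7748 says to do this without leaking timing; Python cannot.
    if hmac.compare_digest(shared, bytes(32)):
        raise ValueError("all-zero shared secret: low-order peer point")
    return _hkdf_sha256(shared, b"x25519-static-ephemeral" + eph_pub + static_pub)


def sender_encap(static_pub: bytes, eph_priv: bytes = None):
    """Sender: a fresh ephemeral scalar per message (eph_priv is only for tests)."""
    eph_priv = os.urandom(32) if eph_priv is None else eph_priv
    eph_pub = x25519(eph_priv, BASEPOINT)
    return eph_pub, derive_key(x25519(eph_priv, static_pub), eph_pub, static_pub)


def recipient_decap(static_priv: bytes, static_pub: bytes, eph_pub: bytes) -> bytes:
    """Recipient: long-term static scalar against the sender's ephemeral point."""
    return derive_key(x25519(static_priv, eph_pub), eph_pub, static_pub)
```

The recipient side is where a reused static scalar meets attacker-chosen points, so that is where the all-zero check and, in a real implementation, constant-time arithmetic matter; the sender side only has to never reuse the ephemeral scalar.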