Re: [TLS] Static DH timing attack

Filippo Valsorda <filippo@ml.filippo.io> Fri, 11 September 2020 17:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WRHtz3L4odGyqRULx2myOpOlFA0>

I feel like there should be nothing controversial in the context of TLS.
 * Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a MUST NOT, because they can't be implemented securely.
 * Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all TLS versions, because it's unnecessary and has been a requirement for many attacks now.
 * Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT, because again ECDH share reuse enables a whole class of attacks.
 * FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT, because they are specified in a dangerous way that is not secure if shares are reused.
If any of the above are not already the case, it should be a quick and easy document.

2020-09-11 16:06 GMT+02:00 Russ Housley <housley@vigilsec.com>:
> Peter:
> 
> > Achim Kraus <achimkraus@gmx.net> writes:
> > 
> >> Is using x25519 for ECDHE significantly less secure than using it with
> >> e.g. secp384r1?
> > 
> > The NIST curves AFAIK are never used that way, it's only done with 25519
> > (there was something about it in an OpenPGP draft, but I think GPG went
> > straight to 25519 and only used ECDSA for signatures).
> > 
> > What I'm specifically referring to is DH run sideways, as someone put it
> > during the X9.42 discussion, i.e. used in static-ephemeral mode to try and
> > make it work like it's RSA.
> > 
> > In all the code audits I've done of 25519 used that way, I've never seen it
> > used correctly.  Usually there isn't just one mistake made but many of them.
> > It's such an obvious problem that that and misuse of RC4-equivalent modes/
> > algorithms like GCM and ChaCha20 are the first things I look for in crypto
> > code.
> 
> I am sure you know that ephemeral-static DH was originally used for S/MIME.  The reasoning for ephemeral-static DH was not to make it work like RSA.  Rather, the idea was to provide authentication of the static DH key holder by certifying the static DH public key.  Then, the ephemeral DH key pair is generated using the parameters from the certificate.  One important aspect of this approach was to avoid picking a single group for all of the DH keys.
> 
> Russ
>
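
The four bullets at the top of this message can be turned into a configuration and capture audit. The following is an added example, not part of the original message or of any TLS implementation: it maps IANA TLS 1.0-1.2 suite names to the proposed levels and flags server (EC)DHE shares seen in more than one handshake. The function names, the sample data and the choice to leave `*_anon_*` suites unflagged are assumptions of this example.

```python
from collections import defaultdict

# Levels proposed in the message above, keyed by the key-exchange token of an
# IANA TLS 1.0-1.2 suite name: TLS_<kx>_<auth>_WITH_<cipher>_<mac>.
PROPOSED = {
    "DH":   ("MUST NOT",   "non-ephemeral FFDHE"),
    "ECDH": ("SHOULD NOT", "non-ephemeral ECDH"),
    "DHE":  ("SHOULD NOT", "FFDHE in TLS 1.0-1.2"),
}
RANK = {"MUST NOT": 0, "SHOULD NOT": 1}

def classify(suite):
    """Return (level, reason) for one IANA suite name, or None if no bullet applies."""
    head, sep, _ = suite.partition("_WITH_")
    tokens = head.split("_")
    if not sep or tokens[0] != "TLS" or len(tokens) < 2:
        return None   # TLS 1.3 names and SCSVs carry no key-exchange token
    if "anon" in tokens[2:]:
        return None   # assumption: DH_anon/ECDH_anon are anonymous, not static, so not flagged here
    return PROPOSED.get(tokens[1])   # ECDHE, RSA, PSK are not named by suite in the bullets

def audit(suites):
    """Flagged suites, MUST NOT first, keeping configured order within a level."""
    hits = [(s, *c) for s in suites if (c := classify(s))]
    return sorted(hits, key=lambda h: RANK[h[1]])

def reused_shares(observations):
    """observations: (handshake_id, server_share_hex) pairs from (EC)DHE handshakes.
    Returns {share: [handshake ids]} for every share seen more than once."""
    seen = defaultdict(list)
    for handshake_id, share in observations:
        seen[share.lower()].append(handshake_id)
    return {share: ids for share, ids in seen.items() if len(ids) > 1}

# Constructed sample input: a server's configured suites and observed server shares.
CONFIGURED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]
OBSERVED = [("h1", "04a1b2"), ("h2", "04c3d4"), ("h3", "04A1B2")]

if __name__ == "__main__":
    for name, level, reason in audit(CONFIGURED):
        print(f"{level:10} {name}  ({reason})")
    print("reused shares:", reused_shares(OBSERVED))
```

Share reuse is a property of the implementation, not of the suite name, which is why the second bullet needs the handshake-level check rather than the name classifier.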