IETF Logo Mail Archive

Re: [TLS] DH security issue in TLS

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Wed, 04 December 2019 17:16 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4814C1208FC for <tls@ietfa.amsl.com>; Wed, 4 Dec 2019 09:16:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_t3fIQpBneS for <tls@ietfa.amsl.com>; Wed, 4 Dec 2019 09:16:12 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86E781208E0 for <tls@ietf.org>; Wed, 4 Dec 2019 09:16:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=8hDk5HHHE5NtPMKt8GelQUg7/rqFyB3DPGiD4OUrIXc=; b=VaVBfrR7Mx5ExSwGHVXjVUZjlA sQgbaF85y4q0CnWb+LBZ0ZJh9sL9PGjpC0uS2crvIWW6uMwcEN/uVZbrMcg7tMSfL5fdn0xPwFJ5c 4hvVJ/cDz6NmOZd4Vmi1/4mPduez6qKVt2/1XcWH002CKtgw0ZDXj+ptrZnMhApmksJQW6veCn9aL i1AiKXb9KnpMzdPIIq6VKhRyPNHBKGDKQrFoHyYrREvPze2i8GB0vsrsMTtiCvQAXj2Y+cSt50R9p SlPWXzeFOHljsXPGftnGWfS87Ts0chjnGrvco7zcetCZqdeg8+yoWOTsM8EVa4qiVv1AmgV7SS+Un 797pj3RQ==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1icYG0-0004rg-Ie ; Wed, 04 Dec 2019 18:16:08 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Wed, 04 Dec 2019 17:16:07 +0000
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Pascal Urien <pascal.urien@gmail.com>
Cc: Andrey Jivsov <crypto@brainhub.org>, tls@ietf.org
Organization: Microsoft Research
In-Reply-To: <CAEQGKXRy8w1SZc=SBAoOpCXOCQmPqDPqf97gsSkTAUS7dpJ1OA@mail.gmail.com>
References: <CAEQGKXQAd=j_UyBEQPv7frmcDn_=DoBbvEccCkLPr4odSDcqQw@mail.gmail.com> <BN8PR11MB36661739568DB959F7C9D2C4C1420@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKUk3btOGtDtsAoU+VZTE0YPpmF-Xi0H7_MHMFqYo8PuKFbMNA@mail.gmail.com> <CAEQGKXRy8w1SZc=SBAoOpCXOCQmPqDPqf97gsSkTAUS7dpJ1OA@mail.gmail.com>
Message-ID: <9a3bcf305595e769458687a872ed26c3@delignat-lavaud.fr>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.2.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WRpzKGMfUAcJArmyyfwQMHH39kw>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2019 17:16:16 -0000

Hi Pascal,

TLS 1.2 does not mandate servers to use safe DH primes. As a client, you 
get g and p from the server. You don't know if p is a safe prime, or 
indeed if it is a prime at all. You don't even know if g is a generator 
of Zp* - it could also be a generator for a small order subgroup. In 
that sense, RFC 7919 is correct in that, in general TLS 1.2, clients 
could pick any private exponent between 2 and p-2 when you have no 
information on p and g. When using an arbitrary server-selected prime 
and generator there is no guarantee that the server selected a share 
that is not in a small subgroup, and similarly there is no guarantee for 
the server that the client share is not of small order. In fact you 
don't even have this guarantee either with ECDH (where the curves are 
chosen from a fixed list) because some curves also have small subgroups.

If you want the guarantee that your DH key exchange is contributive, 
that is, that neither single party can determine with high-probability 
the DH secret produced by the key exchange, you can either 1. use one of 
the safe groups defined in RFC7919. When using these groups, you should 
pick an exponent between 2 and q-1. 2. Figure out all of the low-order 
elements of Zp* and check that the DH secret is not one of them.

Most implementations will do (2), i.e. they check that g^xy is not 0, 1, 
p-1. This is sufficient if p is a safe prime, but it is too expensive to 
check that p and p-1/2 are prime. For X25519 most implementations now 
check that x(yG) <> I, as it is much simpler than checking xG and yG for 
the 8 small order elements. You may be interested in checking Section 
III.B of [1]

Best,

Antoine

[1] http://antoine.delignat-lavaud.fr/doc/ndss15.pdf

On 2019-12-04 16:23, Pascal Urien wrote:
> Hi all
> 
> https://tools.ietf.org/html/rfc7919 seems somewhat confusing because
> the order of the generator (2) is q=(p-1)/2 and not  (p-1 )
> 
> So in place of
> 
> "Traditional finite field Diffie-Hellman has each peer choose their
> secret exponent from the range [2, p-2]."
> It should suggest to use
>  "Traditional finite field Diffie-Hellman has each peer choose their
> secret exponent from the range [2, q-1]."
> 
> I put below some basic background that could help to understand the DH
> security
> 
> If a safe prime p=2q+1 is congruent to 7 modulo 8, then it is a
> divisor of the Mersenne number
> with its matching Sophie Germain prime (q) as exponent.
> a Mersenne prime is a prime number that is one less than a power of
> two.
> That is, it is a prime number of the form Mn = 2**n - 1 for some
> integer n.
> 
> 2**q-1 = kp;
> 2**(p-1)/2 = 1 mod p
> Therefore 2 is a generator of order q=(p-1)/2
> 
> (p-1) is a generator of order 2, since (p-1)**2 = (p**2+1-2p) = 1 mod
> q
> 
> Example
> p=7 = 2x3 +1, q=3
> p = 7 mod 8
> 6 = 2x3
> 1 group of order 6, phi(6)= 2 generators (q-1)
> 1 group of order 3, phi(3)= 2 generators (q-1)
> 1 group of order 2, phi(2)= 1 generators
> 
> 2 4 1
> 3 2 6 4 5 1
> 4 2 1
> 5 4 6 2 3 1
> 6 1
> 
> Le mer. 4 déc. 2019 à 02:52, Andrey Jivsov <crypto@brainhub.org> a
> écrit :
> 
>> https://tools.ietf.org/html/rfc7919#section-5.1 prohibits x=(p-1)/2
>> because this results in a peer's public key g^x= 1.
>> 
>> Allowing this makes some man-in-the middle attacks on TLS easier,
>> because the attacker can predict the value of the ephemeral secret
>> key on another leg of the connection.
>> 
>> On Tue, Dec 3, 2019 at 3:03 PM Scott Fluhrer (sfluhrer)
>> <sfluhrer@cisco.com> wrote:
>> 
>>> See SRF
>>> 
>>> FROM: TLS <tls-bounces@ietf.org> ON BEHALF OF Pascal Urien
>>> SENT: Tuesday, December 03, 2019 5:16 PM
>>> TO: tls@ietf.org
>>> SUBJECT: [TLS] DH security issue in TLS
>>> 
>>> I wonder if g**x , with x =(1-p)/2 is checked in current TLS 1.2
>>> implementation ?
>>> 
>>> In RFC https://tools.ietf.org/html/rfc7919
>>> "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
>>> Transport Layer Security (TLS)"
>>> 
>>> "Traditional finite field Diffie-Hellman has each peer choose
>>> their secret exponent from the range [2, p-2].
>>> Using exponentiation by squaring, this means each peer must do
>>> roughly 2*log_2(p) multiplications,
>>> twice (once for the generator and once for the peer's public
>>> key)."
>>> 
>>> Not True !!!
>>> Even for p= safe prime (i.e.. Sophie Germain prime, p=2*q+1, with
>>> p & q prime number) secret exponent x= (p-1)/2 is a security issue
>>> since :
>>> 
>>> g**xy = 1       with y an even integer
>>> g**xy = g**x   for y an odd integer
>>> 
>>> SRF: actually, g**xy  = 1 in both cases, as g**x = 1 (for the g, p
>>> values specified in RFC7919); this is easily seen as all listed p
>>> values are safe primes, and in all cases, g=2 and p=7 mod 8.
>>> 
>>> In any case, why would that be a security issue?  If both sides
>>> are honest (and select their x, y values honestly), the
>>> probability of one of them selecting (p-1)/2 as their private
>>> value is negligible (even if our selection logic allowed that as a
>>> possible value – it generally doesn’t).  If we have two honest
>>> parties with an adversary replacing one of the side’s key share
>>> with g**(p-1)/2, well, the protocol transmits signatures of the
>>> transcript, and so that’ll be detected. If you have an honest
>>> side negotiating with a dishonest one, well, the dishonest one
>>> could select (p-1)/2 as its private value – however, they could
>>> also run the protocol honestly (and learn the shared secret and
>>> the symmetric keys, which are usually the target), and there’s
>>> nothing the protocol can do about that.
>>> 
>>> Now, if an honest party reused their private values for multiple
>>> exchanges, a similar observation would allow an adversary to
>>> obtain a single bit of the private value.  He would do that by
>>> performing an exchange with the honest party mostly honestly,
>>> selecting a value x as his private value, but instead of
>>> transmitting g**x as his key share, he would transmit -g**x.
>>> Then, the shared value that the honest party would derive is:
>>> 
>>> g**xy  with y an even integer
>>> 
>>> -g**xy  with y an odd integer
>>> 
>>> The adversary can compute both these values, and determine which
>>> is being used later in the protocol.
>>> 
>>> So, the adversary can learn a single bit of the private value
>>> (which doesn’t translate to him learning any bit of the shared
>>> secret, much less the symmetric keys) – however, he cannot
>>> leverage this to learn anything else of the private key.  I do not
>>> believe that a single bit is worth worrying about.  And, again, if
>>> we generate a fresh DH private value for every exchange (which we
>>> encourage people to do for PFS), even that single bit doesn’t
>>> apply to any other exchange.
>>> 
>>> If p is not a safe prime (like in RFC 5114) other issues occur....
>>> 
>>> 
>>> Pascal _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email