Re: [TLS] Another IRINA bug in TLS

Santiago Zanella-Beguelin <santiago@microsoft.com> Fri, 22 May 2015 23:47 UTC

From: Santiago Zanella-Beguelin <santiago@microsoft.com>
To: Tanja Lange <tanja@hyperelliptic.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Date: Fri, 22 May 2015 23:47:09 +0000
Subject: Re: [TLS] Another IRINA bug in TLS
Message-ID: <1432338428908.4667@microsoft.com>
In-Reply-To: <20150522225500.GH20757@cph.win.tue.nl>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/WtHvd5rqCY-Ej8ZbZoW96-cHToo>

Hi Tanja,

> What algorithm do you refer to here when you say that the NFS
> precomputation gets easier? The only thing I know is that you
> can solve the matrix modulo the group order (or using fewer
> moduli when using CRT), but that's a very small speedup.

That's the only speedup I'm aware of, and it's indeed a small one.
(Table 2 in https://weakdh.org/imperfect-forward-secrecy.pdf has 
some estimates.)

--Santiago

________________________________________
From: Tanja Lange <tanja@hyperelliptic.org>
Sent: Friday, May 22, 2015 11:55 PM
To: Santiago Zanella-Beguelin
Cc: Peter Gutmann; <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS

Hi,
> > What testing do you do on unsafe primes?
>
> We accept them if they're in the pre-populated cache. If not, we reject them
> because we can't check the order of the generator and validate ephemeral keys.
> Unsafe primes have other problems too, e.g. NFS pre-computation is a bit easier
> than for safe primes.
>
What algorithm do you refer to here when you say that the NFS
precomputation gets easier? The only thing I know is that you
can solve the matrix modulo the group order (or using fewer
moduli when using CRT), but that's a very small speedup.

        Tanja
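The quoted exchange turns on why a TLS peer rejects a DH modulus it cannot recognise as a safe prime: without knowing that p = 2q + 1 with q prime, the receiver has no cheap way to confirm the order of the generator or to check that the peer's ephemeral public value lies in the prime-order subgroup. The following is an added illustration of those two checks, written for this page and not code from either correspondent's implementation; the parameter values (p = 23, p = 1019, p = 13) are small constructed examples chosen so the arithmetic can be followed by hand, and the policy of accepting only generators of the order-q subgroup is an assumption of this example, not a requirement the message states.

```python
"""Safe-prime DH parameter and ephemeral-key validation (added example).

Assumed policy: a modulus p is accepted only if it is a safe prime
(p = 2q + 1, q prime); the generator g must generate the subgroup of
prime order q; and a peer's public value must lie in that subgroup.
All numbers below are small constructed values for illustration.
"""
import random

# Deterministic Miller-Rabin bases that suffice below this bound;
# above it the test falls back to random bases (probabilistic).
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
_DETERMINISTIC_BOUND = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    if n < _DETERMINISTIC_BOUND:
        bases = _SMALL_PRIMES
    else:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """True if p and (p - 1) / 2 are both prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generator_order_ok(p: int, g: int) -> bool:
    """For safe prime p = 2q + 1, accept g only if it has order exactly q.

    Because q is prime, g^q == 1 (mod p) with 1 < g < p - 1 pins the
    order to q; this is the check that is unavailable for a modulus
    whose (p - 1) factorisation is unknown.
    """
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, q, p) == 1


def ephemeral_key_ok(p: int, y: int) -> bool:
    """Reject trivial values and anything outside the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def validate_dh_params(p: int, g: int, peer_public: int) -> tuple[bool, str]:
    """Run the three checks in order and report the first failure."""
    if not is_safe_prime(p):
        return False, "p is not a safe prime; generator order cannot be verified"
    if not generator_order_ok(p, g):
        return False, "g does not generate the order-q subgroup"
    if not ephemeral_key_ok(p, peer_public):
        return False, "peer public value is not in the order-q subgroup"
    return True, "ok"


if __name__ == "__main__":
    # p = 23 = 2 * 11 + 1 is a safe prime; 2 has order 11, 5 has order 22.
    for params in [(23, 2, 4), (23, 2, 22), (23, 5, 4), (23, 2, 5), (13, 2, 4)]:
        print(params, validate_dh_params(*params))
```

With p = 23 the subgroup of order 11 is the set of quadratic residues, so g = 2 (2^11 = 2048 = 1 mod 23) passes while g = 5 (5^11 = 22 mod 23) is rejected as a full-group generator; the public value 22 = p - 1 is rejected by the range check, and 5 by the subgroup check. The modulus 13 fails at the first step because 6 is not prime, which is exactly the situation in which the implementation quoted above falls back to its pre-populated cache or rejects the group.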