Re: [TLS] Static DH timing attack

Filippo Valsorda <filippo@ml.filippo.io> Sat, 12 September 2020 12:16 UTC

Return-Path: <filippo@ml.filippo.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EB9C3A08F5 for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 05:16:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=filippo.io header.b=QCBYHADG; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=T7GECTUF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xd0WkHyjRD4x for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 05:16:10 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52E403A08D4 for <tls@ietf.org>; Sat, 12 Sep 2020 05:16:10 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id A3EE75C0189; Sat, 12 Sep 2020 08:16:09 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Sat, 12 Sep 2020 08:16:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=filippo.io; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=3kK8gnDN9mPCCyCt/mF83PTXqnINnLG ++X49SRTzoCQ=; b=QCBYHADGYcVOufnOMPsBIlbwR3Zq/gvfh7PpriXrNfcC5eM S6uQuSZUTsKeQbTKTi5BX6Ypul+7gRGpfc4sBLiIv2ftrPPXp19dUytLD7NMA/mz dnGkHQSC7097by67l+092Eka/H5+uIsF+Qgae/whkv6o/L+ywo4yl3WMptma6S0h t+88Pkn603GlQaF9Ljgxbj9oVJaujm6N+/2Seah9WFQ9IUaTMFlpQKlw0IimX1Qw 6vWyTgkSSZRBUSIEEP+elvOn5pRFXC1uE8OC0k+lfqsaLH7kumpLKyuQCQiVYtX9 9nUQoOC6P43Ia4E2w+5kCK4pxXK+WORGoBu8mNw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=3kK8gn DN9mPCCyCt/mF83PTXqnINnLG++X49SRTzoCQ=; b=T7GECTUF6CXTVKnq1kSKgZ KjxNySTve4HTXigZ+5LuOS5+QWiOaqG9+8/SNFSYqK2WoIzXAlBqIWfLFQAQZh6s 930RxfsMZV3FMcpN/3BY5ez1gZhkyHt7erbBeE1zY7XZP1dBjiuNLNlZTNifdD+I gv7Sp6q5JVDpRQyDprgtS8+gI2hQFWAYuD1K6Ad4S94ImKGw+hkapi9Lal98g3hj ILlm6eCqUVh/ki5tkJm+aXMX5sB1MFUnkHf5jtK0Lb0fntRhe3yKez+0UtRVs8Bx BCDaQIQGwBoZKl5khJUAbH0XXACqbrrzsm6/NmRCf027F/GZC1DCDmExzShHgKCQ ==
X-ME-Sender: <xms:CbxcXx8pkNltRCBUA1NJ4AsyAqvd29YkJMt7z5muBRsv0MXyEHCdtA> <xme:CbxcX1t43TlskTfnKgMeWS-lp5z19fPCNv83jl_QgDyGGyZnKe_1WHtqolO583VCC v6CuxSdzEzWb1-jOg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudeiuddgheduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesrgdtreerreerjeenucfhrhhomhepfdfhihhl ihhpphhoucggrghlshhorhgurgdfuceofhhilhhiphhpohesmhhlrdhfihhlihhpphhord hioheqnecuggftrfgrthhtvghrnhepffffueejgeekgfektefguddujeeltdfhhfeftddv ieejhffhvdeuuefgjeelhfehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepfhhilhhiphhpohesmhhlrdhfihhlihhpphhordhioh
X-ME-Proxy: <xmx:CbxcX_BYsnLHTGkgtbcsTPd7jLCBx80-KnfPnHNREupRP-PWLSytYQ> <xmx:CbxcX1fq-nMUADKM-uOv6eCMfPW24See-pJtmy7dN4VNv5wmkLhiTQ> <xmx:CbxcX2O114a5OJ204Vf2R4dHoN63Gf1OICH5P0p4PxAWWyIYCM2qaw> <xmx:CbxcX5Y7OF3oK1uP5XSrdxCj9TdHX9Vq5L8b-G68WlCbeyuubzF6mw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id EA268C200A5; Sat, 12 Sep 2020 08:16:08 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-259-g88fbbfa-fm-20200903.003-g88fbbfa3
Mime-Version: 1.0
Message-Id: <c7edc740-d351-4b9f-a562-c25ccadf4c21@www.fastmail.com>
In-Reply-To: <1599882506352.56326@cs.auckland.ac.nz>
References: <5595BB40-3AFD-4327-B7B7-5E63FFC594DD@akamai.com> <1599729784370.87441@cs.auckland.ac.nz> <fff1a66a-0a49-cfbd-461a-c1d0ed3aeaaa@gmx.net> <1599790864561.88777@cs.auckland.ac.nz> <6B1CC8B1-C497-4E80-9067-3147124F7AE4@vigilsec.com> <9ef4ed20-2ad1-40f0-86c6-6970e7db8b4b@www.fastmail.com> <1599882506352.56326@cs.auckland.ac.nz>
Date: Sat, 12 Sep 2020 14:15:48 +0200
From: "Filippo Valsorda" <filippo@ml.filippo.io>
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=a19aae44e0c44a719b3eaa732de9e011
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XAuz0kRpCngmqmlsSWFf1hdEZmg>
Subject: Re: [TLS] Static DH timing attack
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 12:16:12 -0000

2020-09-12 05:48 GMT+02:00 Peter Gutmann <pgut001@cs.auckland.ac.nz>nz>:
> Filippo Valsorda <filippo@ml.filippo.io> writes:
> 
> >I feel like there should be nothing controversial in the context of TLS.
> >
> >   Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a
> > MUST NOT, because they can't be implemented securely.
> >
> >   Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all
> > TLS versions, because it's unnecessary and has been a requirement for many
> > attacks now.
> >
> >   Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT,
> > because again ECDH share reuse enables a whole class of attacks.
> >
> >   FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT,
> > because they are specified in a dangerous way that is not secure if shares
> > are reused.
> 
> I agree with the first two but not the last.  Why is non-ephemeral DH a MUST
> NOT but non-ephemeral ECDH a SHOULD NOT?  There's nothing magic about the EC
> form that makes it any better or safer.

Non-ephemeral DH is affected by the Raccoon attack, ECDH is not.

> And for the FFDHE ciphersuites, they're not specified in a dangerous way,
> people implement them in a dangerous way.  You really have to go out of your
> way to get it wrong, in the case of RACCOON it's actually more effort to get
> it wrong (keep old copies of values floating around and reuse them over and
> over) than to get it right (generate a fresh value every time).  So it doesn't
> need a "don't do FFDHE", it needs a "here's a lot of stupid things you can do
> with FFDHE if you put your mind to it.  Don't do any of them".
> 
> Or maybe it can be turned into a more general "here are some dumb things that
> people have done with TLS over the years.  Check your server to make sure
> you're not doing them".  Posting your web server's private key as a .p12 file
> in a subdirectory below $DocumentRoot, for example, would be high on my list.

There are two peers involved in ciphersuite selection, so recommending everyone avoids an unsafe ciphersuite can protect connections even if only one side takes the advice, and even if it's not the side that made the implementation error.