Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Rene Struik <rstruik.ext@gmail.com> Fri, 27 August 2021 15:26 UTC

To: Filippo Valsorda <filippo@ml.filippo.io>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "tls@ietf.org" <tls@ietf.org>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <64c6ca0a-b3cf-cbdf-c1be-7cc4cc050a52@gmail.com>
Date: Fri, 27 Aug 2021 11:25:58 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hem5224MeKZ7Dx3ABWKEAsGU_zM>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

{officially on vacation till Labor Day, but weighing in briefly}

Hi Filippo:

I had a brief look at the CVEs you referenced and at your Blackhat 2018 
presentation.

Some observations on your Blackhat 2018 presentation: (a) the attack 
seems to be a reincarnation of the so-called Goubin attack presented 19 
years earlier (in 1999); (b) the attack requires many (100s of) reuses 
of the same private key string. Both the 1999 attack and your Blackhat 
2018 version can be easily prevented if one uses blinded private keys.

A closer look at your referenced CVEs suggests these can be classified 
as (i) lack of checking for improperly generated DH groups; (ii) 
exploiting overflow/underflow/carry bugs. To me, nothing seems to be new 
here; more likely this is a failure of implementers to heed results and 
advice predating the CVEs by years (and sometimes decades), or a failure 
in QA processes. E.g., with respect to (i), one would not have gotten 
oneself into trouble if one had actually bothered to implement domain 
parameter checks. In the literature of implementation attacks, OpenSSL 
has proven to be an excellent "implementation security flaw paper generator".

I have yet to see evidence that ephemeral-static ECDH would be 
inherently insecure.

Rene

On 2021-08-27 9:34 a.m., Filippo Valsorda wrote:
> [snip]
>
> This is empirically disproved by a number of vulnerabilities that are 
> exploitable (or near-misses for other reasons) only in 
> ephemeral-static mode, such as CVE-2016-0701, CVE-2016-7055, 
> CVE-2017-3732, CVE-2017-3736, CVE-2017-3738, CVE-2019-1551 just in the 
> past 5 years in OpenSSL, and CVE-2017-8932 and CVE-2021-3114 in Go. 
> https://eprint.iacr.org/2011/633 
> gives a good explanation of how these attacks work, and you might find 
> https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf 
> interesting as well.
>
> OpenSSL:
>
> CVE-2016-0701: improper generation of Diffie-Hellman group
>
> The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 
> before 1.0.2f does not ensure that prime numbers are appropriate for 
> Diffie-Hellman (DH) key exchange, which makes it easier for remote 
> attackers to discover a private DH exponent by making multiple 
> handshakes with a peer that chose an inappropriate number, as 
> demonstrated by a number in an X9.42 file.
>
> CVE-2016-7055: carry-propagation bug
>
> There is a carry propagating bug in the Broadwell-specific Montgomery 
> multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that 
> handles input lengths divisible by, but longer than 256 bits. Analysis 
> suggests that attacks against RSA, DSA and DH private keys are 
> impossible. This is because the subroutine in question is not used in 
> operations with the private key itself and an input of the attacker's 
> direct choice. Otherwise the bug can manifest itself as transient 
> authentication and key negotiation failures or reproducible erroneous 
> outcome of public-key operations with specially crafted input. Among 
> EC algorithms only Brainpool P-512 curves are affected and one 
> presumably can attack ECDH key negotiation. Impact was not analyzed in 
> detail, because pre-requisites for attack are considered unlikely. 
> Namely multiple clients have to choose the curve in question and the 
> server has to share the private key among them, neither of which is 
> default behaviour. Even then only clients that chose the curve will be 
> affected.
>
> CVE-2017-3732: carry-propagation bug
>
> There is a carry propagating bug in the x86_64 Montgomery squaring 
> procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No 
> EC algorithms are affected. Analysis suggests that attacks against RSA 
> and DSA as a result of this defect would be very difficult to perform 
> and are not believed likely. Attacks against DH are considered just 
> feasible (although very difficult) because most of the work necessary 
> to deduce information about a private key may be performed offline. 
> The amount of resources required for such an attack would be very 
> significant and likely only accessible to a limited number of 
> attackers. An attacker would additionally need online access to an 
> unpatched system using the target private key in a scenario with 
> persistent DH parameters and a private key that is shared between 
> multiple clients. For example this can occur by default in OpenSSL DHE 
> based SSL/TLS ciphersuites. Note: This issue is very similar to 
> CVE-2015-3193 but must be treated as a separate problem.
>
> CVE-2017-3736: carry-propagation bug
>
> There is a carry propagating bug in the x86_64 Montgomery squaring 
> procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC 
> algorithms are affected. Analysis suggests that attacks against RSA 
> and DSA as a result of this defect would be very difficult to perform 
> and are not believed likely. Attacks against DH are considered just 
> feasible (although very difficult) because most of the work necessary 
> to deduce information about a private key may be performed offline. 
> The amount of resources required for such an attack would be very 
> significant and likely only accessible to a limited number of 
> attackers. An attacker would additionally need online access to an 
> unpatched system using the target private key in a scenario with 
> persistent DH parameters and a private key that is shared between 
> multiple clients. This only affects processors that support the BMI1, 
> BMI2 and ADX extensions like Intel Broadwell (5th generation) and 
> later or AMD Ryzen.
>
> CVE-2017-3738: overflow bug
>
> There is an overflow bug in the AVX2 Montgomery multiplication 
> procedure used in exponentiation with 1024-bit moduli. No EC 
> algorithms are affected. Analysis suggests that attacks against RSA 
> and DSA as a result of this defect would be very difficult to perform 
> and are not believed likely. Attacks against DH1024 are considered 
> just feasible, because most of the work necessary to deduce 
> information about a private key may be performed offline. The amount 
> of resources required for such an attack would be significant. 
> However, for an attack on TLS to be meaningful, the server would have 
> to share the DH1024 private key among multiple clients, which is no 
> longer an option since CVE-2016-0701. This only affects processors 
> that support the AVX2 but not ADX extensions like Intel Haswell (4th 
> generation). Note: The impact from this issue is similar to 
> CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 
> 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. 
> Due to the low severity of this issue we are not issuing a new release 
> of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 
> 1.1.0h when it becomes available. The fix is also available in commit 
> e502cc86d in the OpenSSL git repository.
>
> CVE-2019-1551: overflow bug
>
> There is an overflow bug in the x86_64 Montgomery squaring procedure 
> used in exponentiation with 512-bit moduli. No EC algorithms are 
> affected. Analysis suggests that attacks against 2-prime RSA1024, 
> 3-prime RSA1536, and DSA1024 as a result of this defect would be very 
> difficult to perform and are not believed likely. Attacks against 
> DH512 are considered just feasible. However, for an attack the target 
> would have to re-use the DH512 private key, which is not recommended 
> anyway. Also applications directly using the low level API BN_mod_exp 
> may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e 
> (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
>
> Go:
>
> CVE-2017-8932: arithmetic bug
>
> A bug in the standard library ScalarMult implementation of curve P-256 
> for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 
> causes incorrect results to be generated for specific input points. An 
> adaptive attack can be mounted to progressively extract the scalar 
> input to ScalarMult by submitting crafted points and observing 
> failures to derive the correct output. This leads to a full key 
> recovery attack against static ECDH, as used in popular JWT libraries.
>
> CVE-2021-3114: underflow bug
>
> In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go 
> can generate incorrect outputs, related to an underflow of the lowest 
> limb during the final complete reduction in the P-224 field.
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
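As an added illustration (not code from this thread, from OpenSSL or from Go), here are the domain-parameter and peer-public-key checks Rene refers to under point (i), written in Python over a constructed toy group: p = 67, q = 11, g = 64. Because p - 1 = 2 * 3 * 11 has the small factor 3, a peer value of order 3 passes a bare range check but fails the y^q mod p == 1 subgroup test; omitting that test is what lets a peer that "chose an inappropriate number" leak bits of a reused private exponent, as in the CVE-2016-0701 description above. The group values, the honest and rogue peer keys, and the function names are all constructed for this example.

```python
"""Constructed example: DH group and peer-public-key validation.

Toy group: p = 67, q = 11, g = 64 (g has order 11 mod 67).
p - 1 = 2 * 3 * 11, so Z_67^* also has subgroups of order 2 and 3.
"""
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; sufficient to demonstrate parameter validation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_group(p, q, g):
    """Domain parameters: p and q prime, q divides p - 1, g lies in the order-q subgroup."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)


def check_peer_public_key(p, q, y):
    """Partial public-key validation: range check plus subgroup-membership check.

    The range check alone rejects 0, 1 and p - 1 but not elements of other
    small subgroups; pow(y, q, p) == 1 is what rules those out.
    """
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


P, Q, G = 67, 11, 64              # constructed toy group
HONEST_Y = pow(G, 5, P)           # a genuine g^x; equals 25
ROGUE_Y = 37                      # order-3 element: in range, outside the order-q subgroup
```

Swap in real-size parameters (for example an RFC 7919 group, where q = (p - 1) / 2) and the same two functions apply unchanged; the cost is one extra modular exponentiation per peer value.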