Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Carrick Bartle <cbartle891@icloud.com> Sun, 29 August 2021 00:41 UTC

From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <4D91E923-C02A-4ECD-9567-66491C7D4C9C@icloud.com>
Date: Sat, 28 Aug 2021 17:40:54 -0700
In-Reply-To: <64c6ca0a-b3cf-cbdf-c1be-7cc4cc050a52@gmail.com>
Cc: Filippo Valsorda <filippo@ml.filippo.io>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "tls@ietf.org" <tls@ietf.org>
To: Rene Struik <rstruik.ext@gmail.com>
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <C8E91D9B-2326-4AAF-9952-69481081E337@ll.mit.edu> <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com> <CAOgPGoBMhhsTupXuWF__zkLuy-4qQhha_Kp1_+ToZrNoaFUsgQ@mail.gmail.com> <13b9e674-9e0b-46aa-b5d6-49798c310d85@www.fastmail.com> <5D5FB49A-7D18-4EC9-B572-BD860479CD5E@ll.mit.edu> <bc91502a-471e-484e-ae5f-d843b703edd6@www.fastmail.com> <64c6ca0a-b3cf-cbdf-c1be-7cc4cc050a52@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jHGFb7CxI54QrboXKsg93Y8ll0E>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

In the revision of this draft (https://tools.ietf.org/pdf/draft-bartle-tls-deprecate-ffdh-00.pdf), which was unfortunately not the revision sent out on this call for adoption, we cite invalid curve attacks as a reason to advise against ECDH: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.704.7932&rep=rep1&type=pdf

These attacks seem to me to indicate that ephemeral-static ECDH is inherently insecure. Do you disagree? If so, why?



> On Aug 27, 2021, at 8:25 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
> 
> {officially on vacation till Labor Day, but weighing-in briefly}
> 
> Hi Filippo:
> 
> I had a brief look at the CVEs you referenced and at your Blackhat 2018 presentation. 
> 
> Some observations on your Blackhat 2018 presentation: (a) the attack seems to be a reincarnation of the so-called Goubin attack presented 19 years earlier (in 1999); (b) the attack requires many (100s) of reuses of the same private key string. Both the 1999 attack and your Blackhat 2018 version can be easily prevented if one uses blinded private keys.
> 
> A closer look at your referenced CVEs suggests these can be classified as (i) lack of checking for improperly generated DH groups; (ii) exploiting overflow/underflow/carry bugs. To me, nothing seems to be new here and more likely a failure of implementers to heed results and advice predating the CVEs by years (and sometimes decades) or in QA processes. E.g., with respect to (i), one would not have gotten oneself into trouble if one had actually bothered to implement domain parameter checks. In the literature of implementation attacks, OpenSSL has proven to be an excellent "implementation security flaw paper generator".
> 
> I have yet to see evidence that ephemeral-static ECDH would be inherently insecure.
> 
> Rene
> 
> On 2021-08-27 9:34 a.m., Filippo Valsorda wrote:
>> [snip]
>> 
>> This is empirically disproved by a number of vulnerabilities that are exploitable (or near-misses for other reasons) only in ephemeral-static mode, such as CVE-2016-0701, CVE-2016-7055, CVE-2017-3732, CVE-2017-3736, CVE-2017-3738, CVE-2019-1551 just in the past 5 years in OpenSSL, and CVE-2017-8932 and CVE-2021-3114 in Go. https://eprint.iacr.org/2011/633 gives a good explanation of how these attacks work, and you might find https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf interesting as well.
>> OpenSSL:
>> 
>> CVE-2016-0701: improper generation of Diffie-Hellman group
>> 
>> The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
>> 
>> CVE-2016-7055: carry-propagation bug
>> 
>> There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
>> 
>> CVE-2017-3732: carry-propagation bug
>> 
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
>> 
>> CVE-2017-3736: carry-propagation bug
>> 
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
>> 
>> CVE-2017-3738: overflow bug
>> 
>> There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
>> 
>> CVE-2019-1551: overflow bug
>> 
>> There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
>> 
>> Go:
>> 
>> CVE-2017-8932: arithmetic bug
>> 
>> A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive the correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
>> 
>> CVE-2021-3114: underflow bug
>> 
>> In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
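The domain-parameter and public-value checks Rene refers to under (i), together with the point validation that blocks the invalid-curve attacks cited at the top of the thread, as an added worked example written for this archive page. It is not code from the thread, from OpenSSL, from Go, or from the draft. It assumes a small constructed DH group (p = 1019, q = 509, g = 4) for demonstration, the standard public P-256 constants, and a fixed-base Miller-Rabin test that is adequate for a demo but should be a vetted library routine in production.

```python
"""Domain-parameter and peer-public-value checks for finite-field DH and ECDH.

Added example for this thread; not code from OpenSSL, Go, or the draft.
DEMO_GROUP is constructed for illustration; P256 uses the standard constants.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (demo quality; use a vetted library in production)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class DHGroup:
    p: int  # prime modulus
    q: int  # prime order of the subgroup generated by g
    g: int  # generator


# Constructed demo group: p = 2q + 1 is a safe prime and g = 4 = 2^2 has order q.
DEMO_GROUP = DHGroup(p=1019, q=509, g=4)


def dh_group_problems(grp: DHGroup) -> List[str]:
    """Reject improperly generated groups (the issue class behind CVE-2016-0701)."""
    problems = []
    if not is_probable_prime(grp.p):
        problems.append("p is not prime")
    if not is_probable_prime(grp.q):
        problems.append("q is not prime")
    if (grp.p - 1) % grp.q != 0:
        problems.append("q does not divide p-1")
    if not 1 < grp.g < grp.p - 1:
        problems.append("g is out of range")
    elif pow(grp.g, grp.q, grp.p) != 1:
        problems.append("g does not generate a subgroup of order q")
    return problems


def dh_public_value_problems(grp: DHGroup, y: int) -> List[str]:
    """Full public-value validation: range check plus order-q subgroup membership."""
    if not 1 < y < grp.p - 1:
        return ["peer value is out of range"]
    if pow(y, grp.q, grp.p) != 1:
        return ["peer value is not in the order-q subgroup"]
    return []


@dataclass(frozen=True)
class Curve:
    p: int  # field prime
    a: int
    b: int
    n: int  # order of the base point


_P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256 = Curve(
    p=_P256_P,
    a=_P256_P - 3,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
)
P256_G: Point = (
    0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
)


def ec_add(c: Curve, P: Point, Q: Point) -> Point:
    """Affine point addition; used only for the public-point order check, never with a private key."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)


def ec_mul(c: Curve, k: int, P: Point) -> Point:
    """Plain double-and-add (not constant time; acceptable because only public data is involved)."""
    R: Point = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P = ec_add(c, P, P)
        k >>= 1
    return R


def ec_point_problems(c: Curve, Q: Point) -> List[str]:
    """Full public-key validation: reject infinity, out-of-range coordinates,
    off-curve points (the invalid-curve attack input) and points of the wrong order."""
    if Q is None:
        return ["point at infinity"]
    x, y = Q
    if not (0 <= x < c.p and 0 <= y < c.p):
        return ["coordinate out of range"]
    if (y * y - (x * x * x + c.a * x + c.b)) % c.p != 0:
        return ["point is not on the curve"]
    if ec_mul(c, c.n, Q) is not None:  # redundant for cofactor-1 curves such as P-256, but cheap
        return ["point does not have order n"]
    return []
```

Running these checks on every received group and peer value before the private key is used is the "full public-key validation" step of NIST SP 800-56A; it closes the small-subgroup and invalid-curve classes whether the private key is ephemeral or static. It does nothing about the carry, overflow and underflow bugs in the other CVEs quoted above, which are arithmetic defects inside the scalar multiplication or modular exponentiation itself; for those, the remaining mitigations are fixed arithmetic and not reusing a private value across many peers.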