Re: [TLS] DH security issue in TLS
Pascal Urien <pascal.urien@gmail.com> Wed, 04 December 2019 16:23 UTC
Return-Path: <pascal.urien@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64DFF120025 for <tls@ietfa.amsl.com>; Wed, 4 Dec 2019 08:23:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_BTC_ID=0.499, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1o5TUkz2ndji for <tls@ietfa.amsl.com>; Wed, 4 Dec 2019 08:23:23 -0800 (PST)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5131F12083E for <tls@ietf.org>; Wed, 4 Dec 2019 08:23:23 -0800 (PST)
Received: by mail-ua1-x932.google.com with SMTP id f7so2998537uaa.8 for <tls@ietf.org>; Wed, 04 Dec 2019 08:23:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=neOw+uJa3rBsuTeL5AsurVSh16jCFzfc5o7gdsii81w=; b=VQGkcGwu4pUTvo54mzUHiD4xGxOxOyD+h0s77Xn/md6+Imom8wyFzBxxaq4s33nvj/ vbu5haYqAn8zan5Ec4zKwPJnxRG3xaHb1NwgUjDG2JgfeY2A8fTdr23C/QZqx6JPwK7l 1TXTR+Wpz5vFU5FmkeMUZ5gHtIsMV72uOjaSTLLcvBeBAGWdzCackK4TfUo0vX/LPd8p /t2VLTgoN6Nwkd6G7AWaFs6wFZmoJp+tOvdbqqy/zMcmpTA6cXhAAw+7S5gJWpL31rIh C+D3adQq/6f+IUh33/X/+dLvGb19WzDoIq9jVuAQwZAngWf8czUlRvLE11uakEY78pnN s49A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=neOw+uJa3rBsuTeL5AsurVSh16jCFzfc5o7gdsii81w=; b=NK7r5ByImubO+w1LKxPPbx2F6wsAsxXp/BwzNXafNosYpg1dVcG3K60jmSIKjDTbL1 Mkmczv/8xhrAfxVW1dOaPb83MVJp/lQBJ7RdOo/6nWLPHGcoEXe8DuyhDPbxvAZhe72x OMJWIDY9qgZ0on+UADv/aXo5DK3+qMVmY8oqN2fnF8GSpDfWvOiDaFaoE+ZoYsfDc1ud z3i7QWVfhsx19MVuSrqeHecqTTtD64OUhBQXDzSNU3xNzdjMaggK6sSWCgI+PUu28Yid 4WbGB8HqXqoW3BR36SEUVl0tI7nngFoBz1ndG5uj7Y1uO/6uT7fr7PL8sOCgtQzkNUBa v3qg==
X-Gm-Message-State: APjAAAV5fOX5MJK58mNUPqDx6dub1KU+s73+txIKj83Hxy99zHDAC3vr lZXuSv5Bx/DVSi2Ze9KSzM/yZkc9n4Gouo6RuYt5tDVwrtYBIg==
X-Google-Smtp-Source: APXvYqyZCe7CIxtrWeCKrYwe5n2Y09uMz5NfyRpDy+elwGZA2z8YQyU8j1Jaj+WSd8kX6BQ5h24i64oVCusF+hA8fLU=
X-Received: by 2002:ab0:2783:: with SMTP id t3mr3130591uap.48.1575476602100; Wed, 04 Dec 2019 08:23:22 -0800 (PST)
MIME-Version: 1.0
References: <CAEQGKXQAd=j_UyBEQPv7frmcDn_=DoBbvEccCkLPr4odSDcqQw@mail.gmail.com> <BN8PR11MB36661739568DB959F7C9D2C4C1420@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKUk3btOGtDtsAoU+VZTE0YPpmF-Xi0H7_MHMFqYo8PuKFbMNA@mail.gmail.com>
In-Reply-To: <CAKUk3btOGtDtsAoU+VZTE0YPpmF-Xi0H7_MHMFqYo8PuKFbMNA@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
Date: Wed, 04 Dec 2019 17:23:11 +0100
Message-ID: <CAEQGKXRy8w1SZc=SBAoOpCXOCQmPqDPqf97gsSkTAUS7dpJ1OA@mail.gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038630b0598e33b80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nrwO-Zct_GzBufby4bO4M3vUfbk>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2019 16:23:25 -0000
Hi all https://tools.ietf.org/html/rfc7919 seems somewhat confusing because the order of the generator (2) is q=(p-1)/2 and not (p-1 ) So in place of "Traditional finite field Diffie-Hellman has each peer choose their secret exponent from the range [2, p-2]." It should suggest to use "Traditional finite field Diffie-Hellman has each peer choose their secret exponent from the range [2, q-1]." I put below some basic background that could help to understand the DH security If a safe prime p=2q+1 is congruent to 7 modulo 8, then it is a divisor of the Mersenne number with its matching Sophie Germain prime (q) as exponent. a Mersenne prime is a prime number that is one less than a power of two. That is, it is a prime number of the form Mn = 2**n - 1 for some integer n. 2**q-1 = kp; 2**(p-1)/2 = 1 mod p Therefore 2 is a generator of order q=(p-1)/2 (p-1) is a generator of order 2, since (p-1)**2 = (p**2+1-2p) = 1 mod q Example p=7 = 2x3 +1, q=3 p = 7 mod 8 6 = 2x3 1 group of order 6, phi(6)= 2 generators (q-1) 1 group of order 3, phi(3)= 2 generators (q-1) 1 group of order 2, phi(2)= 1 generators 2 4 1 3 2 6 4 5 1 4 2 1 5 4 6 2 3 1 6 1 Le mer. 4 déc. 2019 à 02:52, Andrey Jivsov <crypto@brainhub.org> a écrit : > https://tools.ietf.org/html/rfc7919#section-5.1 prohibits x=(p-1)/2 > because this results in a peer's public key g^x= 1. > > Allowing this makes some man-in-the middle attacks on TLS easier, because > the attacker can predict the value of the ephemeral secret key on another > leg of the connection. > > On Tue, Dec 3, 2019 at 3:03 PM Scott Fluhrer (sfluhrer) < > sfluhrer@cisco.com> wrote: > >> See SRF >> >> >> >> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * Pascal Urien >> *Sent:* Tuesday, December 03, 2019 5:16 PM >> *To:* tls@ietf.org >> *Subject:* [TLS] DH security issue in TLS >> >> >> >> I wonder if g**x , with x =(1-p)/2 is checked in current TLS 1.2 >> implementation ? >> >> In RFC https://tools.ietf.org/html/rfc7919 >> "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for >> Transport Layer Security (TLS)" >> >> "Traditional finite field Diffie-Hellman has each peer choose their >> secret exponent from the range [2, p-2]. >> Using exponentiation by squaring, this means each peer must do roughly >> 2*log_2(p) multiplications, >> twice (once for the generator and once for the peer's public key)." >> >> Not True !!! >> Even for p= safe prime (i.e.. Sophie Germain prime, p=2*q+1, with p & q >> prime number) secret exponent x= (p-1)/2 is a security issue since : >> >> g**xy = 1 with y an even integer >> g**xy = g**x for y an odd integer >> >> >> >> SRF: actually, g**xy = 1 in both cases, as g**x = 1 (for the g, p values >> specified in RFC7919); this is easily seen as all listed p values are safe >> primes, and in all cases, g=2 and p=7 mod 8. >> >> >> >> In any case, why would that be a security issue? If both sides are >> honest (and select their x, y values honestly), the probability of one of >> them selecting (p-1)/2 as their private value is negligible (even if our >> selection logic allowed that as a possible value – it generally doesn’t). >> If we have two honest parties with an adversary replacing one of the side’s >> key share with g**(p-1)/2, well, the protocol transmits signatures of the >> transcript, and so that’ll be detected. If you have an honest side >> negotiating with a dishonest one, well, the dishonest one could select >> (p-1)/2 as its private value – however, they could also run the protocol >> honestly (and learn the shared secret and the symmetric keys, which are >> usually the target), and there’s nothing the protocol can do about that. >> >> >> >> Now, if an honest party reused their private values for multiple >> exchanges, a similar observation would allow an adversary to obtain a >> single bit of the private value. He would do that by performing an >> exchange with the honest party mostly honestly, selecting a value x as his >> private value, but instead of transmitting g**x as his key share, he would >> transmit -g**x. Then, the shared value that the honest party would derive >> is: >> >> >> >> g**xy with y an even integer >> >> -g**xy with y an odd integer >> >> >> >> The adversary can compute both these values, and determine which is being >> used later in the protocol. >> >> >> >> So, the adversary can learn a single bit of the private value (which >> doesn’t translate to him learning any bit of the shared secret, much less >> the symmetric keys) – however, he cannot leverage this to learn anything >> else of the private key. I do not believe that a single bit is worth >> worrying about. And, again, if we generate a fresh DH private value for >> every exchange (which we encourage people to do for PFS), even that single >> bit doesn’t apply to any other exchange. >> >> >> >> >> >> If p is not a safe prime (like in RFC 5114) other issues occur.... >> >> >> >> >> >> Pascal >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >
- [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Scott Fluhrer (sfluhrer)
- Re: [TLS] DH security issue in TLS Andrey Jivsov
- Re: [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Antoine Delignat-Lavaud
- Re: [TLS] DH security issue in TLS Pascal Urien
- Re: [TLS] DH security issue in TLS Nasrul Zikri
- Re: [TLS] DH security issue in TLS Viktor Dukhovni
- Re: [TLS] DH security issue in TLS Peter Gutmann