Re: [TLS] DH security issue in TLS

Nasrul Zikri <nasrulzikri@outlook.com> Fri, 06 December 2019 01:37 UTC

Return-Path: <nasrulzikri@outlook.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1524212004D for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 17:37:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJMM_sTCui1u for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 17:37:41 -0800 (PST)
Received: from APC01-HK2-obe.outbound.protection.outlook.com (mail-oln040092255109.outbound.protection.outlook.com [40.92.255.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5BE12004C for <tls@ietf.org>; Thu, 5 Dec 2019 17:37:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UN2OPUW1UqEr/fH8+wD4kuz6aKWSvvDzFa+0+0thwGDceZtKbYdIdA54jExbqS1YgA+JIO9gAMF5Zf/YWfNv+rK/2zITAxQB+OoaVMeC+KIL8ln8jf7KGyt788wYVdSJEaEbfi3Qn2NTPapY7uV0HiEYYuCcXSXBB9bMCOaPRegJbFSo4/VmIP5Vj+4bjmzdT1jo7GiX/H1YrDmn4l8469/QHmkLMK+ctRaiT8WGOG+ORR96TKHt9chsVW3sal8MTcjuZmRna3TU9YdiG9kohoOukZyiitT4mFbqPZPBl3jVqbq7EKTrkkBu1vtn5KXj8d2pW1dMbQPkbjM3GfTeZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=m3IiZSAq5O8i/BsXryCpl8/ctsnVmsV4WkBMdh11pe8=; b=gMLtHxRptkk0jEos+5amC2Qhv5LH4Q/nGfDRZQjPwe5JMElKH1/P2hsA6aARFp1pfMiICPKc9ZucLvqssp+Oyz1G83/CjHPxBB3BDosAsB+Hds1dKr3fsC0AphSgwpbvuDVXsKfRX3jYVHRvArQht1zINxg90Il8Yng/iKvM0WS1xDutNo2suTeRJCtY32z/zhrCN/TESVoJm+I6I41ynhRl5tNozY7Y1sOqOxFu0hyJ+K+KVyCHedNg94NZV8/3gMIFTi8CocHbLhXE701qE2zQfk/rFMR/7HSuO6WARkDmG6gsYUDxKP7o3gaslFmnPDJH9amblVv3EAQ2tu/MsA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=m3IiZSAq5O8i/BsXryCpl8/ctsnVmsV4WkBMdh11pe8=; b=a+RC1q3KcM/Gq2j+HckeqVJch/0SgvaE0OxHoStgBNk3CklMN/bNjuNLOxeuksta7df4cmjIyeWODyeXVDjj56laRgKs2mTtNGxWMyp86q9gtWgGbo5IlqopadfSeQTEjvUkqgzq+QfdqDZh5alZssXa2FZU6iHC1aWa3ZH0m2cKTb2XYkFHKgg3Ok1gL7bs4GM1jbf5SXEIih0IiuRag2/cHzQ+Wq6nqVQpc2gVJhP++qAKEyqPVKCBb6/MU6f0MQNXJ1a019oZ+9RwTI874bHOep4SCxYjjHB+dTFHmiIj8RPgWnnJ7T1eND0yXg8vxyQ6kmu29a4XMuj9QBPuBA==
Received: from HK2APC01FT106.eop-APC01.prod.protection.outlook.com (10.152.248.55) by HK2APC01HT246.eop-APC01.prod.protection.outlook.com (10.152.249.159) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.25; Fri, 6 Dec 2019 01:37:38 +0000
Received: from PU1PR01MB1947.apcprd01.prod.exchangelabs.com (10.152.248.52) by HK2APC01FT106.mail.protection.outlook.com (10.152.249.181) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.25 via Frontend Transport; Fri, 6 Dec 2019 01:37:38 +0000
Received: from PU1PR01MB1947.apcprd01.prod.exchangelabs.com ([fe80::3076:a7ea:eac2:8b10]) by PU1PR01MB1947.apcprd01.prod.exchangelabs.com ([fe80::3076:a7ea:eac2:8b10%5]) with mapi id 15.20.2495.026; Fri, 6 Dec 2019 01:37:37 +0000
From: Nasrul Zikri <nasrulzikri@outlook.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] DH security issue in TLS
Thread-Index: AQHVq6XdgNNXYqyQtES5UWU5It4MXA==
Date: Fri, 6 Dec 2019 01:37:37 +0000
Message-ID: <PU1PR01MB19478C2D4355867979F8C82CA85C0@PU1PR01MB1947.apcprd01.prod.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:5CBA10D1CBB9573FA5A7D0DEC0804DD15CB1B0BCE831A3F9279E56500F147B99; UpperCasedChecksum:AF43AFD23C7DDD1E81DB417E0E69A98A9D000EDB856A44A7FD11E3D601A3C068; SizeAsReceived:6698; Count:42
x-tmn: [HF0b5rBEuG+AywnhWmca7K0++/gxe1Ah]
x-ms-publictraffictype: Email
x-incomingheadercount: 42
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: 0800b7bd-9d70-491b-c71a-08d779ece01c
x-ms-traffictypediagnostic: HK2APC01HT246:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dBcLRpdLnCm/HVEvJtQZQEUVmgPFMC97J9ZhkAACT64mKdn4Tw0gHhgQ73UEfpD0ulg+nqtoejouzqjJe6ZEYlUrYuQcUwPYMQrqR+IsjRTxfHpNbMcJ73IS2y2Q0+a8iGYIdvOmLheQwywTzSbncbEZWauIrrCc3zH660me+XaOwzUR0mvuyzFqrbV4uJZj
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_PU1PR01MB19478C2D4355867979F8C82CA85C0PU1PR01MB1947apcp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 0800b7bd-9d70-491b-c71a-08d779ece01c
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Dec 2019 01:37:37.4750 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2APC01HT246
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/o6lveTsxmSshLPYjciPQIWI-gGA>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 01:37:44 -0000

> Hi All
>
> I found in NIST Special Publication 800-56A Revision 3
> 5.6.2.3.1 FFC Full Public-Key Validation Routine
> 2. Verify  that  1 = y q mod p.

That should be, 1 = y^q mod p.

>
> This test is implemented in OPENSSL
>
> This test relies on the fact  that q and p are prime
>
> Pascal
>


> > If you want the guarantee that your DH key exchange is contributive,
> > that is, that neither single party can determine with high-probability
> > the DH secret produced by the key exchange, you can either 1. use one of
> > the safe groups defined in RFC7919. When using these groups, you should
> > pick an exponent between 2 and q-1. 2. Figure out all of the low-order
> > elements of Zp* and check that the DH secret is not one of them.


What must the server do if the client is old and does not support the safe groups in RFC 7919? The advice from Mozilla is generate a 1024-bit Diffie-Hellman group. Is there good code to generate safe group efficiently? Will OpenSSL generate safe group?

Tk,
Nasrul