Re: [TLS] Another IRINA bug in TLS

Jeffrey Walton <noloader@gmail.com> Mon, 01 June 2015 21:34 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27D9D1A006F for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 14:34:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bz3gz9WH5LVF for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 14:34:01 -0700 (PDT)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409DA1A0063 for <tls@ietf.org>; Mon, 1 Jun 2015 14:34:01 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so72324934igb.1 for <tls@ietf.org>; Mon, 01 Jun 2015 14:34:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=aXqvmzOxhLlnQsmBmFAj3oYQVSaja8lDMZggEx/metY=; b=0Pf9pNc9g69nOtXbeknZHb8M4J0hD519SSAhTrriYC7k4KNXSHZPSIU0Hk+hn9yk2e WlSsKpKxbiCl7Yz8G0Z57SxvM8eB7V7KDrf8YcBIbsyBRORpxDrQooJiwIEW03OuYkQN blVvB7PxCQzKnHuWSg0PMlGrqSJoC/glltfFAAkSPIvnN/jK5/Q47iBvRhdQQrFw/h2c lKGE6+bh40lnn+FhfXOqEf5fTC90qWQacN1XJW+Om0fuZ6azcpBfvRXULQFtFR9kJ3aD JnFlbPUCfQBT4DGamG1h7xLUjZCu4dsPPdFxnjcRLTg3GuYu1SN+qHuePP5sKxnlpjQe TRLQ==
MIME-Version: 1.0
X-Received: by 10.50.30.197 with SMTP id u5mr16456346igh.9.1433194440793; Mon, 01 Jun 2015 14:34:00 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Mon, 1 Jun 2015 14:34:00 -0700 (PDT)
In-Reply-To: <87k2vncei9.fsf@alice.fifthhorseman.net>
References: <9A043F3CF02CD34C8E74AC1594475C73AB029727@uxcn10-tdc05.UoA.auckland.ac.nz> <CAH8yC8=F3jJgEzFQSN=ZMvoC4zunAsfHPs1k2km9dvFJ0bvg2g@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73AB02AA8F@uxcn10-tdc05.UoA.auckland.ac.nz> <87k2vncei9.fsf@alice.fifthhorseman.net>
Date: Mon, 1 Jun 2015 17:34:00 -0400
Message-ID: <CAH8yC8mcr89V8u9eDo4EKjnSG+zwvN9xRCquKsRFw7Of1UhE2w@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qOGdtTLF0bx-bxn0loAqsbIy3SA>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 21:34:03 -0000

On Mon, Jun 1, 2015 at 5:20 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net>; wrote:
> On Sun 2015-05-24 03:12:00 -0400, Peter Gutmann wrote:
>> Jeffrey Walton <noloader@gmail.com>; writes:
>>
>>>GnuTLS with its Lim-Lee primes causes me a lot of problems because they
>>>cannot be validated.
>>
>> Actually the problem isn't GnuTLS (hey, I use Lim-Lee primes as well!), it's
>> the fact that TLS uses the PKCS #3 format rather than the DSA format, so
>> you've got nice verifiable values for which you have to throw away the
>> parameter used to verify them and send them in an unverifiable format.  Having
>> said that, there's a pretty simple fix, define an extension that acts like the
>> existing propose/accept extensions that signals a change in DH values to the
>> DSA form (p, q, g) rather than PKCS #3 form (p, g).  And for TLS 1.3, use the
>> DSA form by default, not the PKCS #3 form.
>
> If we're still shipping arbitrary groups across the wire, then adding
> (q) to the data over the wire not only increases the size of the
> handshake (by the size of q) but now the receiving peer has to verify
> that:
>
>  (a) p is prime
>
>  (b) q itself is prime
>
>  (c) p is actually a Lim-Lee prime
>
> either that, or they can skip the checks and cross their fingers.
>
> Standardizing on known safe prime moduli seems simpler and easier and
> less likely to include some steps that people will be tempted to skip
> for speed.
>
Yeah, agreed.

The little voice in the back of my mind is saying the NSA would love
to see standard groups so they can build those big tables and store
them in Utah in its new data center with shiny new floors. But I'll
resist the urge (until Karthikeyan's next paper)....

Jeff