[TLS] (EC)DSA potential problems (ECC "brittleness")

mrex@sap.com (Martin Rex) Tue, 08 October 2013 20:51 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A264511E80FE for <tls@ietfa.amsl.com>; Tue, 8 Oct 2013 13:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.449
X-Spam-Level:
X-Spam-Status: No, score=-9.449 tagged_above=-999 required=5 tests=[AWL=0.800, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K6iWaLqSgkxx for <tls@ietfa.amsl.com>; Tue, 8 Oct 2013 13:51:39 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 600E411E80EA for <tls@ietf.org>; Tue, 8 Oct 2013 13:51:39 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r98KpTUJ023027 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 8 Oct 2013 22:51:29 +0200 (MEST)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7355674EE0@uxcn10-6.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Tue, 8 Oct 2013 22:51:29 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131008205129.4D7AF1A9E6@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] (EC)DSA potential problems (ECC "brittleness")
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2013 20:51:43 -0000

Peter Gutmann wrote:
> Yaron Sheffer <yaronf.ietf@gmail.com>; writes:
> 
> >I think we've been through all these arguments (on both sides of the issue)
> >over the last week, with the exception of "ECC brittleness". Can you please
> >clarify what you mean by that?
> 
> So with RSA-authenticated DH all you need to do is use a constant-time modexp
> on the server when you sign and pre-encode the PKCS #1 expected result and use
> a constant-time memcmp() on the client when you verify and you're OK.  If you
> did that ten years ago then you're safe against pretty much everything that's
> come along since then.
> 
> With ECDLP-based algorithms in contrast there's a whole range of issues you
> need to take into account, the worst of which is the distressing propensity of
> the DLP algorithms to leak the private key if you get even the tiniest detail
> wrong.  Not only do you have to get all of these finicky details exactly
> right, but every now and then someone points out a new issue that you then
> need to retroactively patch into your existing code base.  For example if you
> used the recommended (until not too long ago) way to generate your k for 
> (EC)DSA then you'd leak a tiny bit of your private key on each signature
> (again, that nasty propensity of DLP algorithms to leak the private key).
> That's what I meant by ECC, and DLP in general, brittleness.


Which
  "recommended (until not too long ago) way to generate your k for (EC)DSA"
are you referring to specifically?

Is or was this part of FIPS 186-x for DSA--or some X9.xx document for ECDSA
that do not have (not having coughed up the $$), and is that specific
issue sufficient to enable the attack described in this paper:

  Jean-Charles Faugere, Christopher Goyet and Guenael Renault
  "Attacking (EC)DSA Given Only an Implicit Hint"

  http://www-polsys.lip6.fr/~goyetc/doc/ImplicitECDSA_Goyet.pdf


(My own understanding of the crypto math is rather poor)


What's also irritates me is that every intentional weaknesses or bias in
a DRNG could enable this attack.  IIRC, EC_Dual_DRNG has both, a bias
and a weaknesss.  It also makes me feel uneasy about secret RNG designs
such as Intels RDRAND--on top of the Problem that RDRAND expands
1.5 GBit/s alleged real randomness into 6 GBit/s weakened output
(rather than the reverse, compressing it).


The fact that TLS requires a new and independent signature on the
(EC)DHE params in ServerKeyExchange on every full handshakes makes
it easy to obtain (EC)DSA signatures in large numbers and short time
through successful and therefore unsuspicious "full TLS handshakes".


Btw. where would one find the information necessary to implement
(EC)DSA safe with respect to the state-of-the-art?  The references
in rfc4492 (ECC for TLS) and rfc6460 (Suite B Profile for TLS)
appear somewhat static:
  http://tools.ietf.org/html/rfc6460#section-7
  http://tools.ietf.org/html/rfc4492#section-10

Wouldn't it make sense to first ensure that implementors _know_ what
known problems they have to watch out for TODAY (which is not necessarily
part of the original algorithm specs), before we ask them to prefer/migrate
to such algorithms?


-Martin