Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05
Watson Ladd <watsonbladd@gmail.com> Wed, 28 January 2015 03:13 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3A751A1B61 for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 19:13:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bb9wds1R05f6 for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 19:13:35 -0800 (PST)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 782E01A1B71 for <tls@ietf.org>; Tue, 27 Jan 2015 19:13:34 -0800 (PST)
Received: by mail-yk0-f178.google.com with SMTP id q200so7919198ykb.9 for <tls@ietf.org>; Tue, 27 Jan 2015 19:13:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SO1vogXI5RKXo5GKB7jgvTK4pLqlu010rxODmtd4LlA=; b=SKzRFRb/KwMhDVqV+EykCVbRer/XIjgXlyWuEOxXfT7T0fNBSN08hNekqhdGYIn/Io BDWbyD74zCSz07AqhVC1R97xk/i1/dop0glRODybLjE5cvYJihUSmMo3vEYrcIJVzYYC oPG1titNNf+gVIyK679NhnyUiFnycLX9FeFNkqaGUpuv45PXkaJgKl6HRnENAJzRuk4k aLz0I3MNewRKZVVzt+5AVlvbImQ+55QHbvGMP20d0zpJdlPIFYO+Zwhsf9NUWcJ01Vx+ pHa0/i/gMIBr35naBItQfCxlfUXtPMeYz7QZmkVwxbYbmCRCI687HVM36VkHSQLjFI/t +kdw==
MIME-Version: 1.0
X-Received: by 10.170.217.9 with SMTP id j9mr210430ykf.19.1422414813654; Tue, 27 Jan 2015 19:13:33 -0800 (PST)
Received: by 10.170.115.77 with HTTP; Tue, 27 Jan 2015 19:13:33 -0800 (PST)
In-Reply-To: <87fvb1hvqx.fsf@alice.fifthhorseman.net>
References: <3F4C76ED-4375-438F-ADC9-66E49A19574B@ieca.com> <87fvb1hvqx.fsf@alice.fifthhorseman.net>
Date: Tue, 27 Jan 2015 19:13:33 -0800
Message-ID: <CACsn0cm=oVvMsPRDqef6S6yYO4X4EwZHsTg1MvjnNrhEEb5H4w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wyTEyqX7ei1pMwEZ0aQC-VxXoPg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 03:13:38 -0000
<chop> > > Using a keyed PRF instead of e > ------------------------------ > > Two objections were made about the use of e -- > > (a) because of its definition as the base of the natural log, e has some > sort of special internal structure that might make FFDH groups > derived from it more vulnerable to analysis. > > (b) that starting from e and counting up biases the randomized prime > selection by only fiddling certain bits in the prime while counting. > > I've spoken with several cryptographers about (a) who dismissed it as > totally implausible. I haven't gotten much feedback about (b). > > The proposed change is to select the "random" bits by using a keyed PRF, > or KDF, with the seed or additional input incrementing until a safe > prime is found. > > I confess this sounds better than using e to me, simply because the > construction avoids any claims about (a) and (b). > > One approach would be to use [HKDF] with SHA-512, with the initial key > material ("IKM") and info parameter both set to "TLS-ffdheNNNN" (where > ffdheNNNN is the ASCII name of the group), and a salt that we increment > until a safe prime is found at the right length. > > [HKDF] https://tools.ietf.org/html/rfc5869 I don't see what the gains of this approach are over the existing one. (b) is valid as far as it goes but I don't think it's a real concern. > > > Avoiding the high-64 and low-64 bits set to 1 > --------------------------------------------- > > The high 64 bits and the low 64 bits of these primes are set to 1 > specifically to facilitate Montgomery and Barrett reduction. This is > similar to the choices made in the MODP FFDHE groups. > > The objection to this is that the special structure may make these > groups more vulnerable to attacks that we don't know about, potentially > making them equivalent to groups the size of the inner bits or > something. > > I'd like to think that if any advances had been made against the DLOG > problem for groups with this special form, they would be published > already, since the first Oakley group is 768 bits, with the top and > bottom 64 bits all set to 0xff, so this should be in-range and > high-profile for anyone who wants to take a crack at it: > > https://tools.ietf.org/html/rfc2409#section-6.1 > > But i'm not a cryptographer, i know of no such attack, and i have no > idea how to judge the likelihood of something like this existing. > > I also don't know how widespread or desirable Barrett and Montgomery > reductions are: if these reduction methods are unlikely to be actually > used in the field, or offer only insignificant efficiency incentives for > adoption, then we might not need to maintain them. Montgomery reduction is a very common implementation choice for RSA and DH implementations. Barrett may get used, but requires a big table per prime. I doubt there are going to be attacks based on this "special" property. > > Another argument here is that if efficiency is paramount, most people > will choose ECDHE instead of FFDHE. So if we're proposing FFDHE groups > as a bulwark against some future failure of ECDHE, we might as well > accept that performance efficiency isn't the highest priority. > > > > These last two points are what Andrei is referring to when he says > "avoid special-form primes", fwiw. > > > Thoughts, feedback? > > --dkg > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05 Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Andrei Popov
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Watson Ladd
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Hubert Kario
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor