Re: [TLS] Static DH timing attack

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 12 September 2020 03:48 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Filippo Valsorda <filippo@ml.filippo.io>, "tls@ietf.org" <tls@ietf.org>
Date: Sat, 12 Sep 2020 03:48:25 +0000
Message-ID: <1599882506352.56326@cs.auckland.ac.nz>
References: <5595BB40-3AFD-4327-B7B7-5E63FFC594DD@akamai.com> <1599729784370.87441@cs.auckland.ac.nz> <fff1a66a-0a49-cfbd-461a-c1d0ed3aeaaa@gmx.net> <1599790864561.88777@cs.auckland.ac.nz> <6B1CC8B1-C497-4E80-9067-3147124F7AE4@vigilsec.com>, <9ef4ed20-2ad1-40f0-86c6-6970e7db8b4b@www.fastmail.com>
In-Reply-To: <9ef4ed20-2ad1-40f0-86c6-6970e7db8b4b@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yMTH-el8d973x6mQGqwp1jyfo7U>
Subject: Re: [TLS] Static DH timing attack
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

Filippo Valsorda <filippo@ml.filippo.io> writes:

>I feel like there should be nothing controversial in the context of TLS.
>
>   Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a
>   MUST NOT, because they can't be implemented securely.
>
>   Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all
>   TLS versions, because it's unnecessary and has been a requirement for many
>   attacks now.
>
>   Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT,
>   because again ECDH share reuse enables a whole class of attacks.
>
>   FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT,
>   because they are specified in a dangerous way that is not secure if shares
>   are reused.

I agree with the first two but not the last.  Why is non-ephemeral DH a MUST
NOT but non-ephemeral ECDH a SHOULD NOT?  There's nothing magic about the EC
form that makes it any better or safer.

And for the FFDHE ciphersuites, they're not specified in a dangerous way,
people implement them in a dangerous way.  You really have to go out of your
way to get it wrong, in the case of RACCOON it's actually more effort to get
it wrong (keep old copies of values floating around and reuse them over and
over) than to get it right (generate a fresh value every time).  So it doesn't
need a "don't do FFDHE", it needs a "here's a lot of stupid things you can do
with FFDHE if you put your mind to it.  Don't do any of them".

Or maybe it can be turned into a more general "here are some dumb things that
people have done with TLS over the years.  Check your server to make sure
you're not doing them".  Posting your web server's private key as a .p12 file
in a subdirectory below $DocumentRoot, for example, would be high on my list.

Peter.
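The "check your server" idea above, as an added example that is not part of this thread and not code from any of its participants: a small checker that parses the ServerDHParams structure carried in TLS 1.2 ServerKeyExchange messages (RFC 5246 section 7.4.3: length-prefixed dh_p, dh_g, dh_Ys) from several handshakes against the same server and reports whether the supposedly ephemeral dh_Ys value was reused, which is exactly the precondition the message describes. It also rejects shares outside (1, p-1). The sample handshakes are constructed inline with a toy 61-bit prime so the block runs offline; against a real server you would capture the ServerKeyExchange bodies from repeated handshakes and feed them to find_share_reuse.

```python
"""
Added example (not from the mailing-list thread): detect DHE share reuse
across TLS 1.2 handshakes by parsing ServerDHParams from ServerKeyExchange
bodies and comparing dh_Ys. Sample messages are constructed with a toy
prime; a real server sends a 2048-bit or larger p.
"""
import struct
from collections import Counter

# Constructed toy group for the samples only (a Mersenne prime, generator 2).
P_TOY = 2**61 - 1
G_TOY = 2


def read_vec16(buf, off):
    """Read an opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack(">H", buf[off:off + 2])[0]
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_server_dh_params(body):
    """Return (p, g, Ys) as ints from the start of a ServerKeyExchange body.

    The signature that follows ServerDHParams in a DHE_RSA/DHE_DSS message
    is ignored here; only the group and the server's share are of interest.
    """
    p_bytes, off = read_vec16(body, 0)
    g_bytes, off = read_vec16(body, off)
    ys_bytes, off = read_vec16(body, off)
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    ys = int.from_bytes(ys_bytes, "big")
    # A share of 0, 1 or p-1 is degenerate and must be rejected outright.
    if not (1 < ys < p - 1):
        raise ValueError("dh_Ys outside (1, p-1)")
    return p, g, ys


def share_is_sane(body):
    """True if the body parses and the server share lies in (1, p-1)."""
    try:
        parse_server_dh_params(body)
        return True
    except ValueError:
        return False


def encode_server_dh_params(p, g, ys):
    """Build ServerDHParams bytes; used here only to construct sample input."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


def find_share_reuse(ske_bodies):
    """Given ServerKeyExchange bodies captured from separate handshakes,
    return the set of (p, Ys) pairs seen more than once, i.e. the
    'ephemeral' shares the server is actually reusing."""
    seen = Counter()
    for body in ske_bodies:
        p, _g, ys = parse_server_dh_params(body)
        seen[(p, ys)] += 1
    return {key for key, count in seen.items() if count > 1}


def sample_handshakes():
    """Constructed: five handshakes where #2 and #4 reuse the same exponent,
    mimicking a server that caches its DH key instead of generating a fresh
    one per connection."""
    exponents = [0x1234567, 0xDEADBEEF, 0xCAFEBABE, 0xDEADBEEF, 0xBADF00D]
    return [encode_server_dh_params(P_TOY, G_TOY, pow(G_TOY, x, P_TOY))
            for x in exponents]


if __name__ == "__main__":
    reused = find_share_reuse(sample_handshakes())
    if reused:
        for p, ys in reused:
            print(f"share reuse detected: Ys={ys:#x} in group p={p:#x}")
    else:
        print("no DH share reuse observed")
```

A clean server yields an empty set across many handshakes; one hit is enough to show the server is in the "keep old copies of values floating around" category the message warns about. For ECDHE the same comparison applies to the encoded point in ServerECDHParams.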