[Cryptography] IPsec DH parameters, other flaws (fwd)
Paul Wouters
paul at cypherpunks.ca
Mon Jul 6 22:21:54 EDT 2020
On Tue, 7 Jul 2020, Peter Gutmann wrote:
> Paul Wouters <paul at cypherpunks.ca> writes:
>
>> And if it makes you feel better, once I investigated the history and lack
>> of
>> justification of RFC 5114, which Steve Kent admitted to having just
>> forwarded
>> from NSA/BNN to IETF without explanation, I pushed to kill the whole thing.
>> It's now dead.
>
> Interesting, so the RFC 5114 values are NSA-generated rather than NIST as
> the
> RFC implies? I'd always avoided them because, apart from not serving any
> obvious purpose, they also use incredibly inefficient values for g, making
> them a non-starter for any real use.
Steve's exact words:
Date: Tue, 18 Oct 2016 10:47:00
From: Stephen Kent <kent at bbn.com>
Cc: "ipsec at ietf.org WG" <ipsec at ietf.org>, Security Area Advisory Group
<saag at ietf.org>
To: Paul Wouters <paul at nohats.ca>, Yoav Nir <ynir.ietf at gmail.com>
Subject: Re: [IPsec] [saag] trapdoor'ed DH (and RFC-5114 again)
Paul,
It's been over 8 years since this RFC was published, and I have not looked at
it since then. My recollection is that we wrote 5114 because an IPsec developer
approached me and said that he wanted to support
these groups in a product. He said that he wanted test vectors for the groups,
consistent with what we have done for many other algs. I persuaded Matt to
generate the RFC because it was a relatively easy
task a good way for Matt to get acquainted with the RFC process.
As to your question, I have no info about how the NIST DH values were
generated. However, I do agree with Yoav and Tero that it seems unduly
prejudicial to declare these to be a MUST NOT. The fact that one
can generate trap-doored DH values that cannot be detected is not the same as
having proof that a given set of values have been generated in that fashion.
Moreover, if one interprets a MUST NOT in this
context to mean that an implementation supporting any of these groups is
non-compliant, then that unfairly penalizes existing implementations, as Tero
noted. Moreover, if the concern raised by the paper
(which I have read) is with MODP groups of size 1024 (or smaller), only 1 of
the groups in 5114 fits that criteria (section 2.1).
I have not tracked the status of these NIST groups re evaluation criteria like
FIPS 140-2. If these groups are approved for use in products evaluated under
that FIPS (I don't know if they are), deprecating
them creates a possible conundrum for vendors who want to comply with RFCs and
with FIPS evaluation criteria. Thus I suggest a less dramatic response than
declaring all of the groups in 5114 to be MUST NOT.
I'm not a vendor of any crypto products (these days), and I've never been a
crypto mathematician. So my views are based only on what I recall about the
creation of 5114 and about IETF crytpo standards
practices in general.
Steve
More information about the cryptography
mailing list