[Cryptography] IPsec DH parameters, other flaws (fwd)

Ray Dillinger bear at sonic.net
Tue Jul 7 13:31:17 EDT 2020


Summary:  MUST NOT isn't unreasonable.  
Extended commentary below the fold.

On Mon, 2020-07-06 at 22:21 -0400, Paul Wouters wrote:
> On Tue, 7 Jul 2020, Peter Gutmann wrote:
> 
> >  Paul Wouters <paul at cypherpunks.ca> writes:
> > 
> > > ....once I investigated the history and lack of justification of
> > > RFC 5114, which Steve Kent admitted to having just forwarded from
> > > NSA/BNN to IETF without explanation....
> > 
> > .... so the RFC 5114 values are NSA-generated rather than NIST as
> >  the RFC implies?  I'd always avoided them because, apart from not
> > serving any obvious purpose, they also use incredibly inefficient
> > values for g, making them a non-starter for any real use.
> 
> Steve's exact words:
> Paul,
> 
> 
> ....I persuaded Matt to generate the RFC because it was a relatively
> easy task and a good way for Matt to get acquainted with the RFC process.
> 
> As to your question, I have no info about how the NIST DH values were
> generated. However, I do agree with Yoav and Tero that it seems
> unduly prejudicial to declare these to be a MUST NOT. 

So.  If I am understanding this correctly, someone relatively
unfamiliar with the RFC process obtained a set of parameters from NIST,
which we later discovered got them from the NSA.  These parameters have
nothing to recommend them; they are horribly inefficient.  If they have
been selected for any criterion, that criterion is neither efficiency (or
they would be more tractable) nor security (we know that they *CANNOT*
be more secure than other keys of the same length).  We are left asking,
what criterion have they been selected for?  


The resulting document specifies the use of these parameters rather
than generation of parameters. Security considerations clear to most of
the people on this list indicate that there is better security if
people are generating their own parameters.  Instead this one set of
parameters has seen use so broad that, *IF* there is a back door,
*THEN* these parameters have become a "golden key" to a substantial
fraction of the entire traffic.  That seems like a thing the NSA might
have an interest in selecting for, if it were deliberately weakening
rather than protecting domestic security.


And then there was the Dual_EC_DRBG debacle, in which another NIST
standard (SP 800-90A for anyone who doesn't remember) certified a
pseudorandom generator that has absolutely nothing to recommend it.  It
is slow, inefficient, and hard to implement in a way that doesn't leak.
But like the current construction it admits of jiggered parameters that
could contain a "golden key", and is again certified WITH PARTICULAR
PARAMETERS instead of recommending that people generate their own which
would be better security.  Again we found that these parameters came
from the NSA.  Again people had to ask, what criteria were those
parameters selected for?  We all know the answer, but I'll flog the
horse a little even though said horse isn't breathing any more.  The
Snowden files confirmed the worst suspicions, and now we KNOW what the
parameters were selected for.  That PRNG is no longer certified in the
current version of the standard.


And then there were the Snowden Files and the Bradley Manning leaks
(yes, I know, but that was her name at the time), wherein it was
conclusively shown that the NSA is, indeed, in the business of
deliberately and covertly weakening the security of the people whose
security its mission statement says it is supposed to protect, AND
deliberately intercepts, at the time without even a secret warrant, the
same private, proprietary, and domestic traffic it is supposed to be
protecting.


And a bunch of other things I'm gonna skip. They only make two points
relevant to this discussion.  First, the NSA has lousy security by
comparison to non-backdoored crypto, or these things wouldn't have
leaked in the first place.  Second, the NSA has demonstrated an
eagerness to weaken American data security and also demonstrates
various other kinds of bad faith.


So "MUST NOT" isn't an unreasonable thing to say given the
circumstances. 

At the very least those parameters should be decertified, in the same
way and for the same reasons that DUAL_EC_DRBG was decertified.  Until
then people need to be warned against using them.

The security evaluation of those parameters should reflect the NSA's
history, not the mathematical expectations due a secure cipher.

Because their security is not the unbiased security of mathematics.
Their security is, at best, the security of the NSA.  Which is
demonstrably lousy compared to the security of secure cryptography.
The NSA has had MANY major leaks in the organization's history that
became public, a steady stream of "minor" leaks, and I have no idea how
many more where some publisher somewhere got something just as dire and
decided not to go with it.  All in less than one ten-thousandth of the
time a solid random key would have taken to break once by using
mathematics.  

And if the standard is a way to facilitate intercepting domestic
traffic, then it's failing in its purpose.  Just as badly as an
organization created to defend the information security of the United
States is failing in its purpose when they're found deliberately
weakening it.

				Bear


P.S. They're still intercepting domestic traffic BTW.  They say they
"haven't intercepted" or "don't intercept" things even when the
complete content of those things is stored on their systems and used
daily. They define "intercept" as wet human eyeballs looking at a
printout of it. But in a big-data operation there is *NO POINT* at
which having wet human eyeballs looking at a printout of it would serve
any purpose.  If the system is even marginally competent they can go
all the way to trial (or all the way to ops planning) with the evidence
in a sealed envelope, still "unintercepted", on the basis of summaries,
searches, filters, cross-references, automated evaluations, etc. that
tell them what the evidence is. So when the NSA says they "don't
intercept domestic traffic", they're using words in a way that has
nothing to do with English, to tell you they don't do something
completely irrelevant.