In the revision of this draft (https://tools.ietf.org/pdf/draft-bartle-tls-deprecate-ffdh-00.pdf), which was unfortunately not the revision sent out on this call for adoption, we cite invalid curve attacks as a reason to advise against ECDH: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.704.7932&rep=rep1&type=pdf
These attacks seem to me to indicate that ephemeral-static ECDH is inherently insecure. Do you disagree? If so, why?

> On Aug 27, 2021, at 8:25 AM, Rene Struik <rstruik....@gmail.com> wrote:
>
> {officially on vacation till Labor Day, but weighing-in briefly}
>
> Hi Filippo:
>
> I had a brief look at the CVEs you referenced and at your Blackhat 2018
> presentation.
>
> Some observations on your Blackhat 2018 presentation: (a) the attack seems to
> be a reincarnation of the so-called Goubin attack presented 19 years earlier
> (in 1999); (b) the attack requires many (100s) of reuses of the same private
> key string. Both the 1999 attack and your Blackhat 2018 version can be easily
> prevented if one uses blinded private keys.
>
> A closer look at your referenced CVEs suggests these can be classified as (i)
> lack of checking for improperly generated DH groups; (ii) exploiting
> overflow/underflow/carry bugs. To me, nothing seems to be new here and more
> likely a failure of implementers to heed results and advice predating the
> CVEs by years (and sometimes decades) or in QA processes. E.g., with respect
> to (i), one had not gotten oneself into trouble if one had actually bothered
> to implement domain parameter checks. In the literature of implementation
> attacks, OpenSSL has proven to be an excellent "implementation security flaw
> paper generator".
>
> I have yet to see evidence that ephemeral-static ECDH would be inherently
> insecure.
>
> Rene
>
> On 2021-08-27 9:34 a.m., Filippo Valsorda wrote:
>> [snip]
>>
>> This is empirically disproved by a number of vulnerabilities that are
>> exploitable (or near-misses for other reasons) only in ephemeral-static
>> mode, such as CVE-2016-0701, CVE-2016-7055, CVE-2017-3732, CVE-2017-3736,
>> CVE-2017-3738, CVE-2019-1551 just in the past 5 years in OpenSSL, and
>> CVE-2017-8932 and CVE-2021-3114 in Go.
>>
>> https://eprint.iacr.org/2011/633 gives a good explanation of how these
>> attacks work, and you might find
>> https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf
>> interesting as well.
>>
>> OpenSSL:
>>
>> CVE-2016-0701: improper generation of Diffie-Hellman group
>>
>> The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2
>> before 1.0.2f does not ensure that prime numbers are appropriate for
>> Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers
>> to discover a private DH exponent by making multiple handshakes with a peer
>> that chose an inappropriate number, as demonstrated by a number in an X9.42
>> file.
>>
>> CVE-2016-7055: carry-propagation bug
>>
>> There is a carry propagating bug in the Broadwell-specific Montgomery
>> multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
>> handles input lengths divisible by, but longer than 256 bits. Analysis
>> suggests that attacks against RSA, DSA and DH private keys are impossible.
>> This is because the subroutine in question is not used in operations with
>> the private key itself and an input of the attacker's direct choice.
>> Otherwise the bug can manifest itself as transient authentication and key
>> negotiation failures or reproducible erroneous outcome of public-key
>> operations with specially crafted input. Among EC algorithms only Brainpool
>> P-512 curves are affected and one presumably can attack ECDH key
>> negotiation. Impact was not analyzed in detail, because pre-requisites for
>> attack are considered unlikely. Namely multiple clients have to choose the
>> curve in question and the server has to share the private key among them,
>> neither of which is default behaviour. Even then only clients that chose the
>> curve will be affected.
>>
>> CVE-2017-3732: carry-propagation bug
>>
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure
>> in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are
>> affected. Analysis suggests that attacks against RSA and DSA as a result of
>> this defect would be very difficult to perform and are not believed likely.
>> Attacks against DH are considered just feasible (although very difficult)
>> because most of the work necessary to deduce information about a private key
>> may be performed offline. The amount of resources required for such an
>> attack would be very significant and likely only accessible to a limited
>> number of attackers. An attacker would additionally need online access to an
>> unpatched system using the target private key in a scenario with persistent
>> DH parameters and a private key that is shared between multiple clients. For
>> example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites.
>> Note: This issue is very similar to CVE-2015-3193 but must be treated as a
>> separate problem.
>>
>> CVE-2017-3736: carry-propagation bug
>>
>> There is a carry propagating bug in the x86_64 Montgomery squaring procedure
>> in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are
>> affected. Analysis suggests that attacks against RSA and DSA as a result of
>> this defect would be very difficult to perform and are not believed likely.
>> Attacks against DH are considered just feasible (although very difficult)
>> because most of the work necessary to deduce information about a private key
>> may be performed offline. The amount of resources required for such an
>> attack would be very significant and likely only accessible to a limited
>> number of attackers. An attacker would additionally need online access to an
>> unpatched system using the target private key in a scenario with persistent
>> DH parameters and a private key that is shared between multiple clients.
>> This only affects processors that support the BMI1, BMI2 and ADX extensions
>> like Intel Broadwell (5th generation) and later or AMD Ryzen.
>>
>> CVE-2017-3738: overflow bug
>>
>> There is an overflow bug in the AVX2 Montgomery multiplication procedure
>> used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
>> Analysis suggests that attacks against RSA and DSA as a result of this
>> defect would be very difficult to perform and are not believed likely.
>> Attacks against DH1024 are considered just feasible, because most of the
>> work necessary to deduce information about a private key may be performed
>> offline. The amount of resources required for such an attack would be
>> significant. However, for an attack on TLS to be meaningful, the server
>> would have to share the DH1024 private key among multiple clients, which is
>> no longer an option since CVE-2016-0701. This only affects processors that
>> support the AVX2 but not ADX extensions like Intel Haswell (4th generation).
>> Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
>> and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are
>> affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we
>> are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be
>> included in OpenSSL 1.1.0h when it becomes available. The fix is also
>> available in commit e502cc86d in the OpenSSL git repository.
>>
>> CVE-2019-1551: overflow bug
>>
>> There is an overflow bug in the x86_64 Montgomery squaring procedure used in
>> exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
>> suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024
>> as a result of this defect would be very difficult to perform and are not
>> believed likely. Attacks against DH512 are considered just feasible.
>> However, for an attack the target would have to re-use the DH512 private
>> key, which is not recommended anyway. Also applications directly using the
>> low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed
>> in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected
>> 1.0.2-1.0.2t).
>>
>> Go:
>>
>> CVE-2017-8932: arithmetic bug
>>
>> A bug in the standard library ScalarMult implementation of curve P-256 for
>> amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes
>> incorrect results to be generated for specific input points. An adaptive
>> attack can be mounted to progressively extract the scalar input to
>> ScalarMult by submitting crafted points and observing failures to derive the
>> correct output. This leads to a full key recovery attack against static
>> ECDH, as used in popular JWT libraries.
>>
>> CVE-2021-3114: underflow bug
>>
>> In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can
>> generate incorrect outputs, related to an underflow of the lowest limb
>> during the final complete reduction in the P-224 field.
>
> --
> email: rstruik....@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
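Both sides of the thread treat peer public-key validation ("domain parameter checks", rejecting points that are not on the curve) as the mitigation that keeps a reused static key out of reach of invalid-curve and small-subgroup attacks. The Go program below is an added illustration of those two checks; it is not code from OpenSSL, from the Go standard library, or from any participant in the thread. `ValidateP256Point`, `SafeECDH` and `ValidateDHPublicValue` are names chosen here, and the 23/11 finite-field group used in `main` is a constructed toy group that only serves to show the subgroup test.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// ValidateP256Point rejects a peer's ECDH public point unless it is a valid
// affine point on P-256: both coordinates in [0, p) and y^2 = x^3 - 3x + b
// (mod p). P-256 has cofactor 1, so any on-curve point other than the point
// at infinity already lies in the prime-order subgroup and no separate order
// check is needed. This is the check that stops invalid-curve attacks: a
// point on some other curve never reaches the multiplication by the static
// private scalar.
func ValidateP256Point(x, y *big.Int) error {
	if x == nil || y == nil {
		return errors.New("nil coordinate")
	}
	params := elliptic.P256().Params()
	p := params.P
	if x.Sign() < 0 || x.Cmp(p) >= 0 || y.Sign() < 0 || y.Cmp(p) >= 0 {
		return errors.New("coordinate outside the field")
	}
	lhs := new(big.Int).Mul(y, y) // y^2
	lhs.Mod(lhs, p)
	rhs := new(big.Int).Mul(x, x) // x^3 - 3x + b
	rhs.Mul(rhs, x)
	rhs.Sub(rhs, new(big.Int).Mul(big.NewInt(3), x))
	rhs.Add(rhs, params.B)
	rhs.Mod(rhs, p) // big.Int.Mod is Euclidean, so a negative intermediate is fine
	if lhs.Cmp(rhs) != 0 {
		return errors.New("point is not on P-256")
	}
	return nil
}

// SafeECDH validates the peer's point before touching the private scalar,
// which is the order of operations a static-key implementation must follow.
// The returned shared secret is the 32-byte x-coordinate.
func SafeECDH(priv []byte, peerX, peerY *big.Int) ([]byte, error) {
	if err := ValidateP256Point(peerX, peerY); err != nil {
		return nil, err
	}
	x, _ := elliptic.P256().ScalarMult(peerX, peerY, priv)
	return x.FillBytes(make([]byte, 32)), nil
}

// ValidateDHPublicValue checks a finite-field DH public value y against a
// group whose generator has prime order q modulo p: 1 < y < p-1 and
// y^q = 1 (mod p). The subgroup test is what blocks small-subgroup attacks
// when the private exponent is reused, the situation behind CVE-2016-0701
// in the thread: a value outside the order-q subgroup is refused before
// any exponentiation with the long-term secret happens.
func ValidateDHPublicValue(y, p, q *big.Int) error {
	one := big.NewInt(1)
	pMinus1 := new(big.Int).Sub(p, one)
	if y.Cmp(one) <= 0 || y.Cmp(pMinus1) >= 0 {
		return errors.New("public value outside (1, p-1)")
	}
	if new(big.Int).Exp(y, q, p).Cmp(one) != 0 {
		return errors.New("public value not in the prime-order subgroup")
	}
	return nil
}

func main() {
	curve := elliptic.P256()
	// Two honest parties; their shared secrets must agree.
	privA, xA, yA, _ := elliptic.GenerateKey(curve, rand.Reader)
	privB, xB, yB, _ := elliptic.GenerateKey(curve, rand.Reader)
	sA, _ := SafeECDH(privA, xB, yB)
	sB, _ := SafeECDH(privB, xA, yA)
	fmt.Println("honest ECDH secrets agree:", string(sA) == string(sB))

	// A constructed off-curve point (the generator with y+1) must be rejected.
	params := curve.Params()
	badY := new(big.Int).Add(params.Gy, big.NewInt(1))
	_, err := SafeECDH(privA, params.Gx, badY)
	fmt.Println("off-curve point rejected:", err)

	// Constructed toy DH group for illustration only: p=23, g=2 has order q=11.
	p, q := big.NewInt(23), big.NewInt(11)
	fmt.Println("y=4 (= 2^2) accepted:", ValidateDHPublicValue(big.NewInt(4), p, q))
	fmt.Println("y=5 (order 22) rejected:", ValidateDHPublicValue(big.NewInt(5), p, q))
}
```

The on-curve test is deliberately written against the curve equation with `math/big` rather than relying on whatever a given Go release does inside `Unmarshal` or `ScalarMult`, so that the rejection is visible and independent of library version; for curves with cofactor greater than 1 a separate subgroup-order check would be needed in addition to the equation check.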