[saag] Possible backdoor in RFC 5114

Watson Ladd <watsonbladd@gmail.com> Thu, 06 October 2016 15:56 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 06 Oct 2016 08:56:45 -0700
To: "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GYTtVmXjUdIPZtS_vHmf8MzrJMg>
Subject: [saag] Possible backdoor in RFC 5114

https://tools.ietf.org/html/rfc5114

Let's review some publicly known facts:

1) BBN is a defense contractor

2) The NSA subverts crypto standards

3) It is possible to design primes so the discrete log problem is easy

4) The primes in RFC 5114 are not generated in a verifiable manner: it
is possible they are hidden SNFS primes.

At minimum we should obsolete RFC 5114 in favor of primes generated in
a verifiable manner. The fact that there already were primes for IKE
use makes me wonder why this was even needed in the first place.

Sincerely,
Watson
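As an added illustration (not part of the message above) of what "generated in a verifiable manner" means: the candidate prime is expanded from a public seed by a hash, a counter records how many candidates were rejected, and any third party can recompute the whole run. Algebraic checks alone (primality, subgroup order) cannot reveal a hidden SNFS trapdoor, which is why the reproducible derivation matters. The seed and the SHA-256 counter scheme below are constructed for this example and are not RFC 5114's or any standard's procedure.

```python
import hashlib
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test with fixed witnesses so runs are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def candidate_from_seed(seed: bytes, counter: int, bits: int) -> int:
    """Expand SHA-256(seed || counter || block) into an odd `bits`-bit candidate."""
    out, block = b"", 0
    while len(out) * 8 < bits:
        msg = seed + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    c = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return c | (1 << (bits - 1)) | 1  # exact bit length, odd

def generate_verifiable_prime(seed: bytes, bits: int, max_counter: int = 1 << 16):
    """Return (p, counter): the first hash-derived candidate that is prime."""
    for counter in range(max_counter):
        p = candidate_from_seed(seed, counter, bits)
        if is_probable_prime(p):
            return p, counter
    raise RuntimeError("no prime found; widen max_counter")

def verify_prime_derivation(seed: bytes, bits: int, p: int, counter: int) -> bool:
    """Recompute the run: every earlier counter must be composite (so the
    generator had no freedom to pick among primes) and `counter` must give p."""
    if any(is_probable_prime(candidate_from_seed(seed, c, bits)) for c in range(counter)):
        return False
    return candidate_from_seed(seed, counter, bits) == p and is_probable_prime(p)
```

A published group whose seed and counter are not disclosed cannot be checked this way, which is the gap the message points at.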