1 # Diffie-Hellman 2 3 ## Subgroup confinement attacks 4 5 The papers by van Oorshot and Wiener [OW96] rsp. Lim and Lee [LL98] show that 6 Diffie-Hellman keys can be found much faster if the short exponents are used and 7 if the multiplicative group modulo p contains small subgroups. In particular an 8 attacker can try to send a public key that is an element of a small subgroup. If 9 the receiver does not check for such elements then may be possible to find the 10 private key modulo the order of the small subgroup. Several countermeasures 11 against such attacks have been proposed: For example IKE uses fields of order p 12 where p is a safe prime (i.e. $$q=(p-1)/2),$$ hence the only elements of small 13 order are 1 and p-1. 14 15 [NIST SP 800-56A] rev. 2, Section 5.5.1.1 only requires that the size of the 16 subgroup generated by the generator g is big enough to prevent the baby-step 17 giant-step algorithm. I.e. for 80-bit security p must be at least 1024 bits long 18 and the prime q must be at least 160 bits long. A 2048 bit prime p and a 224 bit 19 prime q are sufficient for 112 bit security. To avoid subgroup confinment 20 attacks NIST requires that public keys are validated, i.e. by checking that a 21 public key y satisfies the conditions $$2 \leq y \leq p-2$$ and $$y^q \mod p = 22 1$$ (Section 5.6.2.3.1). Further, after generating the shared secret $$z = 23 y_a^{x_b} \mod p$$ each party should check that $$z \neq 1.$$ RFC 2785 contains 24 similar recommendations. The public key validation described by NIST requires 25 that the order q of the generator g is known to the verifier. Unfortunately, the 26 order q is missing in [PKCS #3]. [PKCS #3] describes the Diffie-Hellman 27 parameters only by the values p, g and optionally the key size in bits. 28 29 The class DHParameterSpec that defines the Diffie-Hellman parameters in JCE 30 contains the same values as [PKCS #3]. In particular, it does not contain the 31 order of the subgroup q. Moreover, the SUN provider uses the minimal sizes 32 specified by NIST for q. Essentially the provider reuses the parameters for DSA. 33 34 Therefore, there is no guarantee that an implementation of Diffie-Hellman is secure against 35 subgroup confinement attacks. Without a key validation it is insecure to use the key-pair 36 generation from [NIST SP 800-56A] Section 5.6.1.1 (The key-pair generation there only requires that 37 static and ephemeral private keys are randomly chosen in the range \\(1..q-1)\\). 38 39 To avoid big disasters the tests below require that key sizes are not minimal. I.e., currently 40 the tests require at least 512 bit keys for 1024 bit fields. We use this lower limit because that 41 is what the SUN provider is currently doing. 42 43 TODO(bleichen): Find a reference supporting or disproving that decision. 44 45 ## Weak parameters 46 47 The DH parameters must be carefully chosen to avoid security issues. A panel at 48 Eurocrypt'92 discussed the possiblity of trapdoors in DL based primitives 49 [Eurocrypt92 panel]. A. Lenstra pointed out that the primes chould be chosen 50 such that the special number field sieve can be used to compute discrete 51 logarithms. Gordon has analyzed methods to generate and detect weak parameters 52 [G92]. Section 4 of Gordons paper describes a method that can detect some 53 special cases, but no general method was given. Recently Fried et al. showed 54 that 1024 bit discrete logarithms with the special number field sieve are 55 feasible [FGHT16]. Moreover some libraries use primes that are susceptible to 56 this attack [FGHT16]. 57 58 TODO(bleichen): So far not test for weak DH parameters has been implemented. 59 Possibly we should at least implement a test that detects special cases, so 60 that weak primes (such as the one used in libtomcrypt) are detected. 61 62 DH implementations are sometimes misconfigured. Adrian et al. [WeakDh] analyzed 63 various implementations and found for example the following problems in the 64 parameters: p is sometimes composite, p-1 contains no large prime factor, q is 65 used instead of the generator g. 66 67 ## References 68 [Eurocrypt92 panel]: "The Eurocrypt'92 Controversial Issue Trapdoor Primes and Moduli", 69 EUROCRYPT '92, LNCS 658, pp. 194-199. 70 71 [G92]: D. M. Gordon. "Designing and detecting trapdoors for discrete log 72 cryptosystems." CRYPTO92, pp. 6675. 73 74 \[FGHT16]: J. Fried, P. Gaudry, N. Heininger, E. Thome. "A kilobit hidden SNFS 75 discrete logarithm computation". http://eprint.iacr.org/2016/961.pdf 76 77 [OW96]: P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman key agreement with short exponents", 78 Eurocrypt 96, pp 332343. 79 80 [LL98]: C.H. Lim and P.J. Lee, 81 "A key recovery attack on discrete log-based schemes using a prime order subgroup", 82 CRYPTO' 98, pp 249263. 83 84 [WeakDh]: D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, 85 J. A. Halderman, N. Heninger, D. Springall, E. Thom, Luke Valenta, 86 B. VanderSloot, E. Wustrow, S. Zanella-Bguelink, P. Zimmermann, 87 "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" 88 https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf 89 90 [NIST SP 800-56A], revision 2, May 2013 91 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf 92 93 [PKCS #3]: "DiffieHellman Key Agreement", 94 http://uk.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-3-diffie-hellman-key-agreement-standar.htm 95 96 [RFC 2785]: R. Zuccherato, 97 "Methods for Avoiding 'Small-Subgroup' Attacks on the Diffie-Hellman Key Agreement Method for S/MIME", 98 March 2000 99 https://www.ietf.org/rfc/rfc2785.txt 100 101 <!-- 102 ## Sources that might be used for additional tests: 103 104 CVE-2015-3193: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl 105 in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, 106 mishandles carry propagation 107 https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html 108 109 CVE-2016-0739: libssh before 0.7.3 improperly truncates ephemeral secrets generated for the 110 (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits ... 111 112 CVE-2015-1787 The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 113 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, 114 allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange 115 message with a length of zero. 116 117 CVE-2015-0205 The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p 118 and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate 119 without requiring a CertificateVerify message, which allows remote attackers to obtain access 120 without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that 121 recognizes a Certification Authority with DH support. 122 123 CVE-2016-0701 The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 124 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, 125 which makes it easier for remote attackers to discover a private DH exponent by making multiple 126 handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an 127 X9.42 file. 128 129 CVE-2006-1115 nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/private key 130 pair without any specified DiscreteLogGroup parameters, chooses random parameters that could 131 allow an attacker to crack the private key in significantly less time than a brute force attack. 132 133 CVE-2015-1716 Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 134 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and 135 Windows RT Gold and 8.1 does not properly restrict Diffie-Hellman Ephemeral (DHE) key lengths, 136 which makes it easier for remote attackers to defeat cryptographic protection mechanisms via 137 unspecified vectors, aka "Schannel Information Disclosure Vulnerability. 138 139 CVE-2015-2419: Random generation of the prime p allows Pohlig-Hellman and probably other 140 stuff. 141 --> 142