CVSS3: 3.7 Low (Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score: 6 Medium (Confidence: Low)
CVSS2: 2.6 Low (Access Vector: NETWORK; Access Complexity: HIGH; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
EPSS: 0.119 Low (Percentile: 95.2%)
Back in January I posed a question “to the Internet”: What the heck is RFC 5114?
It looks like a lot has happened around it since then. I would like to use this post to collect some of the material around RFC 5114.
The RFC 5114 draft was submitted to the IETF.
In short, RFC 5114 is an IETF Informational RFC that “describes eight Diffie-Hellman groups that can be used in conjunction with IETF protocols to provide security for Internet communications.”
One of the things about this RFC that attracted the attention of many (mine included) is that it violates the "nothing up my sleeve" principle.
The other peculiar thing about this RFC (that caught my attention) was that the primes p specified for groups 22/23/24 were not safe primes but were DSA primes adapted to Diffie-Hellman. So far so good. Except that p-1 for each of those groups factored in a really nice way! So I decided to intensify my research a bit and found something here (emphasis mine):
_…a semi-mysterious RFC 5114 – Additional Diffie-Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes._

and

_the odd thing is that when I talked to people in the IPsec community, no one really knew why this document was started. Nothing triggered this document, no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status._

It was then that I posted this question in my blog post and in other places on the web (including randombit), hoping for an answer. Well, it turned out I got a pretty decent one (thanks again, Paul Wouters!). This answer pointed to an old IETF mailing-list thread that contained a really interesting part (emphasis mine):
Longer answer: FIPS 186-3 was written about generating values for DSA, not DH. Now, for DSA, there is a known weakness if the exponents you use are biased; these algorithms used in FIPS 186-3 were designed to make sure that the exponents are unbiased (or close enough not to matter). DH doesn't have similar issues, and so these steps aren't required (although they wouldn't hurt either).
[...]
For these new groups, (p-1)/q is quite large, and in all three cases, has a number of small factors (now, NIST could have defined groups where (p-1)/q has 2 as the only small factor; they declined to do so). **For example, for group 23 (which is the worse of the three), (p-1)/q == 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors).** The attacker could use this (again, if you don't validate the peer value) to effectively cut your exponent size by about 137 bits using only O(2**42) time); **if you used 224 bit exponents, then the attacker would cut the work used to find the rest of the exponent to about O(2**44) time.** Obviously, this is not acceptable.
NOTE: it turned out that this factorization listed here is actually wrong (more about it below).
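The leak the thread describes, and the peer-value check that closes it, as an added Python example (not code from the original post or from the mailing-list thread). The group p = 661, q = 11 is a constructed toy DSA-style prime with (p-1)/q = 60 = 2·2·3·5, chosen so the arithmetic is visible; it is not an RFC 5114 group, and all function names are my own.

```python
"""Small-subgroup checks for a Diffie-Hellman group whose prime is a
DSA-style prime (p = k*q + 1 with k composite), as discussed above for
RFC 5114 groups 22/23/24. Added example; the toy parameters are
constructed for illustration and are NOT the RFC 5114 values."""

# Constructed toy group: p = 661 and q = 11 are prime, (p-1)/q = 60.
P = 661
Q = 11


def small_factors(n, bound=10_000):
    """Trial-divide n by every integer below `bound`.

    Returns (factors, cofactor): the small prime factors with multiplicity
    and whatever part of n is left (1 if n was fully factored). Run on
    (p-1)/q this is the check that exposes a "nicely factoring" group."""
    factors = []
    d = 2
    while d <= bound and n > 1:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    return factors, n


def subgroup_generator(p, q):
    """Return a generator of the order-q subgroup of Z_p^* (assumes q | p-1)."""
    k = (p - 1) // q
    for h in range(2, p):
        g = pow(h, k, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


def element_of_prime_order(p, r):
    """Return an element of exact order r in Z_p^* (assumes r | p-1, r prime).

    This is the shape of value a misbehaving peer could send: it is in
    range, but it lies outside the intended order-q subgroup."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of that order")


def validate_dh_public(y, p, q):
    """Full public-key validation (NIST SP 800-56A style) for a group (p, q).

    Rejects out-of-range values and any value outside the order-q subgroup;
    this is the "validate the peer value" step the thread refers to."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def distinct_shared_secrets(y, p):
    """Number of different values y^x mod p can take as the private exponent
    x varies: equals the order of y. If an unvalidated peer value has small
    order r, the shared secret reveals x mod r; combining every small prime
    factor of (p-1)/q by CRT is how the exponent bits quoted above are lost."""
    return len({pow(y, x, p) for x in range(1, p)})


if __name__ == "__main__":
    print("small factors of (p-1)/q:", small_factors((P - 1) // Q))
    g = subgroup_generator(P, Q)
    bad = element_of_prime_order(P, 3)
    print("honest generator valid:", validate_dh_public(g, P, Q))
    print("order-3 value valid:", validate_dh_public(bad, P, Q))
    print("secrets reachable from order-3 value:", distinct_shared_secrets(bad, P))
```

The subgroup check `pow(y, q, p) == 1` costs one extra exponentiation per handshake; for a safe-prime group (q = (p-1)/2) the same check collapses to rejecting 1, p-1 and values outside the range, which is why safe primes need so much less care than these DSA-style groups.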
At this point we started to look for usage of the specification in the wild and, surprisingly, we found it was kind of commonly used!! In turn it was:
One of the outcomes of this analysis was the OpenSSL key recovery attack on DH small subgroups (CVE-2016-0701) (an easy explanation is in this Ars Technica article). In turn we had:
In the meantime another piece of news came into the game: it was discovered that Socat (a versatile command-line utility that builds bidirectional communication channels) contained a hard-coded 1024-bit Diffie-Hellman prime that was NOT prime!! This story is covered here. All this brought David Wong to write “How to Backdoor Diffie-Hellman”.
All this happened in the first half of the year, and the situation was kind of quiet until really recently, when Fried et al. released “A kilobit hidden SNFS discrete logarithm computation”, which made some people wake up. What is so special about this paper, you might ask? An easy explanation can be found in this article. In a nutshell, the authors were able to reuse some theory from the '90s and introduce a backdoor into a 1024-bit prime such that:
Another thing present in the paper is a complete factorization of group 22 and improved factorizations for the other groups: