Chapter 0: October 2007

Chapter I: January 2016





Informational RTC that "describes eight Diffie-Hellman groups that can be used in conjunction with IETF protocols to provide security for Internet communications." . In short RFC5114 is an IETFRTC that "" .

One of the thing about this RTC that attracted the attention of many (and also mine) is that violates the Nothing up my sleeve principle.

s specified for groups 22/23/24 were not safe primes but were indeed DSA primes adapted to Diffie Hellman. So far so good. Except that all the p-1 specified for those groups factored in a really nice way! So I decided to intensify a bit my research and found something The other peculiar thing about this RTC (that caught my attention) was that the Pspecified for groups 22/23/24 were not safe primes but were indeed DSA primes adapted to Diffie Hellman. So far so good. Except that all the p-1 specified for those groups factored in a really nice way! So I decided to intensify a bit my research and found something here (emphasis mine):





...a semi-mysterious RFC 5114 – Additional Diffie-Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes.

and

the odd thing is that when I talked to people in the IPsec community, no one really knew why this document was started. Nothing triggered this document, no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status.



It was than that I posted this question in my blog post and other places in the web (including randombit) hoping for an answer. Well it turned out I got a pretty decent one (thanks again Paul Wouters BTW!!). This answer was pointing to an old IETF mailing thread that contained a really interesting part (emphasis mine) :

NOTE: it turned out that this factorization listed here is actually wrong (more about it below).





At this point we started to look for some usage of the specification in the wild and with surprisingly we found was kind of commonly used!! In turn it was:

the default choice for Bouncy Castle and Exim

OpenSSL has built-in support for RFC5114 in OpenSSL 1.0.2

and much more...





Interlude: February 2016- June 2016

Back in January I posed a question "to the Internet": What the heck is RFC 5114? It looks like a lot happened since then around it. I would like to use this post to recollect some of the stuff around RFC5114 RFC5114 draft was submitted to the IETF .Longer answer: FIPS 186-3 was written about generating values for DSA,not DH. Now, for DSA, there is a known weakness if the exponents youuse are biased; these algorithms used in FIPS 186-3 were designed tomake sure that the exponents are unbiased (or close enough not tomatter). DH doesn't have similar issues, and so these steps aren'trequired (although they wouldn't hurt either).[...]For these new groups, (p-1)/q is quite large, and in all three cases,has a number of small factors (now, NIST could have defined groups where(p-1)/q has 2 as the only small factor; they declined to do so).The attacker could use this (again, ifyou don't validate the peer value) to effective cut your exponent sizeby about 137 bits with using only O(2**42) time);Obviously, this is notacceptable.