---------- Forwarded message ----------
From: *Rodney Van Meter* <[email protected] <mailto:[email protected]>>
Subject: possible attack on Diffie-Hellman key exchange
It seems some researchers have uncovered a way to *pre-compute* part of
the function necessary for breaking D-H, in a way that depends *only* on
the prime number used. It’s a substantial amount of CPU time to do, but
is within the range of plausible for someone like the NSA for 1024 bit
keys. The existing IKE RFC recommends (requires?) use of one of a small
set of prime numbers defined at
https://tools.ietf.org/html/rfc5996#appendix-B and
https://tools.ietf.org/html/rfc3526
Blog post from Scott Aaronson:
http://www.scottaaronson.com/blog/?p=2293
Follow the links to the paper, too:
https://weakdh.org/imperfect-forward-secrecy.pdf
Their website has more information, and a test for whether your browser
is vulnerable to the same attack:
https://weakdh.org/
Of course, the obvious answer is to just raise the key length and/or use
your own prime numbers rather than the ones in the spec, but who knows
what else waits to be discovered? This serves as something of a
motivation for continued work on alternatives to D-H; not because we
believe D-H is inherently busted, or even that we necessarily believe
that quantum key distribution (QKD) has no vulnerabilities of its own,
but simply to have alternatives available as research lurches forward.
We are working on documenting (as an RFC) a method for using
QKD-generated keys with IKE in place of D-H. Our I-D has expired, but
working is continuing, and we are actually generalizing it to support
other methods of creating keys, including one-time pads that are
delivered via some out-of-band mechanism.
https://tools.ietf.org/id/draft-nagayama-ipsecme-ipsec-with-qkd-01.txt
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
