[gnutls-devel] concerning RFC5114 and gnutls

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Oct 18 18:47:01 CEST 2016

There is a paper called "Measuring small subgroup attacks against
Diffie-Hellman", which contains several inaccuracies regarding
the support of RFC5114 primes in GnuTLS. Note that the RFC5114 parameters,
although published by the IETF, are believed to be backdoored by the NSA.

I have only checked the inaccuracies mentioned for GnuTLS, not for other
libraries or other claims of the paper.

 * It mentions: "RFC 5114 Support: Yes, configurable"
That's misleading, since GnuTLS doesn't include the RFC5114 primes;
there is no configuration option to enable them. GnuTLS, among other
options, allows the application to specify arbitrary primes/groups for
Diffie-Hellman. That got translated into the document as "RFC5114 primes
are supported".

 * It mentions: "GnuTLS allows users to enter their own parameters
rather than using randomly generated ones."
That's also inaccurate. GnuTLS, even in its basic server examples,
instructs applications to generate random parameters:

That's also apparent in the manual text: http://bit.ly/2eiTWDP

So while I understand the authors' pressure to show discovered issues,
they shouldn't do that by spreading misinformation. GnuTLS does not
support the RFC5114 parameters, any more than it supports applications
broadcasting their session keys over the Internet.

There was indeed an example of a GnuTLS application which explicitly
used the RFC5114 parameters with GnuTLS (Exim), but that was an
intentional application choice (not generating random ones, but copying
parameters from an IETF-published document). That is why we are
improving the interfaces to no longer require the application
developers to consider DH parameter generation at all [0].

[0]. https://lists.gnupg.org/pipermail/gnutls-devel/2016-October/008197.html
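The post's point is that the RFC5114 groups differ from randomly generated parameters in a way that matters for small subgroup attacks: their prime-order subgroup q is far smaller than p-1, so p-1 has a large cofactor with small prime factors, and a peer that does not validate received public values can be probed with elements of those small orders. A randomly generated safe prime (p = 2q+1) has cofactor 2, leaving only the trivial order-2 element p-1. The following is an added example, not code from the original post or from GnuTLS: it implements the standard public-value check (1 < y < p-1 and y^q = 1 mod p), constructs the small-order probe values a peer must reject, and audits two constructed toy groups, one safe-prime shaped and one with a large cofactor. The primes 23 and 331 and the trial-division factoring are toy assumptions chosen so the arithmetic is instant; they are not real DH parameters.

```python
# Added example, not from the original post or from GnuTLS.  Shows the public-
# value validation a Diffie-Hellman peer needs when the subgroup order q is much
# smaller than p-1 (the RFC 5114 shape), and why a randomly generated safe prime
# (cofactor 2) leaves only the trivial order-2 element to reject.
# All primes below are constructed toy values; 23 and 331 are prime.


def factor(n):
    """Trial-division factoring; adequate for the toy moduli used here."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def valid_public_value(y, p, q):
    """Peer public-value check: 1 < y < p-1 and y^q == 1 (mod p).

    The range test alone rejects the order-2 element p-1; the exponentiation
    rejects every other element outside the intended order-q subgroup.
    """
    return 1 < y < p - 1 and pow(y, q, p) == 1


def element_of_order(p, r):
    """Return an element of Z_p^* with multiplicative order exactly r (r prime, r | p-1)."""
    cofactor = (p - 1) // r
    for h in range(2, p):
        g = pow(h, cofactor, p)
        if g != 1:
            return g  # g^r == h^(p-1) == 1 and g != 1, so the order is exactly r
    raise ValueError("no element of that order")


def small_order_elements(p, q):
    """One element of each small prime order dividing the cofactor (p-1)/q.

    These are the public values a small-subgroup probe would send; a correct
    peer rejects every one of them.
    """
    cofactor = (p - 1) // q
    return {r: element_of_order(p, r) for r in sorted(set(factor(cofactor)))}


def audit_group(p, q):
    """Return {order: accepted?} for every small-order probe against (p, q).

    A correct validator yields False for every entry, whatever the group.
    """
    return {r: valid_public_value(g, p, q) for r, g in small_order_elements(p, q).items()}


# Constructed toy groups (assumptions, not real DH parameters):
#  - SAFE: p = 2q + 1 with q prime, the shape of a randomly generated safe prime
#  - LIKE: p - 1 = 2 * 3 * 5 * q, a large cofactor with several small prime factors
SAFE_P, SAFE_Q = 23, 11
LIKE_P, LIKE_Q = 331, 11

if __name__ == "__main__":
    for name, (p, q) in {"safe prime": (SAFE_P, SAFE_Q), "small-q group": (LIKE_P, LIKE_Q)}.items():
        cofactor = (p - 1) // q
        print(f"{name}: cofactor {cofactor} = {factor(cofactor)}, "
              f"probes accepted: {audit_group(p, q)}")
    g = element_of_order(LIKE_P, LIKE_Q)
    print("legitimate value accepted:", valid_public_value(pow(g, 7, LIKE_P), LIKE_P, LIKE_Q))
```

Running the audit shows the difference the post is drawing: for the safe prime the only probe is p-1, which the range check alone catches, while for the large-cofactor group there are probes of order 2, 3 and 5 that only the y^q exponentiation rejects. That exponentiation is the cost an implementation must pay whenever it accepts non-safe-prime groups such as those in RFC 5114, which is why generating safe primes randomly, as the post describes, is the simpler defensive position.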

