Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

"Mark D. Baushke" <mdb@juniper.net> Mon, 17 August 2020 22:34 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EDA83A12E0 for <curdle@ietfa.amsl.com>; Mon, 17 Aug 2020 15:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=BevpDmXm; dkim=pass (1024-bit key) header.d=juniper.net header.b=Z6+ao+aS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Ud0k1YTay8n for <curdle@ietfa.amsl.com>; Mon, 17 Aug 2020 15:34:40 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D0FB3A12D9 for <curdle@ietf.org>; Mon, 17 Aug 2020 15:34:40 -0700 (PDT)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 07HMEsQt012155; Mon, 17 Aug 2020 15:34:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-transfer-encoding : date : message-id; s=PPS1017; bh=WSpHUGR7bIEg4CAb7YPz+Kt/DLcqL/S/QNnndNoTO4Q=; b=BevpDmXm4hjkdSNIZcNDJKUHtkMEiNk1KyW/wr5U293A7HmQPHetUoQqY4nQLV5VGsZ0 RtSAkIdWyl4PUPIfEj9C5dJnGz4NrkWpX3OCZCDDkWAYd9vsoLA0HP8YUCizbr3p+JgH lxmZEDcXjX9QT1RkoRSdsh578efpHwHUEx5jdEBTgpLBxH+KJB23k1JJgq/xyLRzNSIo z0+uWGlpVFmh8YNbahf/57FkXph9uyFVpPVXp2CRmvXaYqCleMp43zuQeHVyihB6TZ+m NQnxHdyI2Tn1Clqifc0/BhlrcjNzboOqB9PgMS9H84LESl4BrXsu6xbWje32Yzcynlhc 4A==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2172.outbound.protection.outlook.com [104.47.56.172]) by mx0a-00273201.pphosted.com with ESMTP id 32xdnxbdr3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 17 Aug 2020 15:34:39 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=czJOFnTEs/3F7hs/wxiDBvJuPoxq4mCD1hOTqTHvfVXp6AOXxuAtSG/oqaOmydJ0llwQXEbGmBrU1jHWTqROjpf2VOExmKTWhcLwUFdERbNzXya414sh5Jileee3Ou2cZb9R4CHUbzhCkfOB+uqP6wr1jDv45MlS+tpO0OFn7IlCPmSXKmSpwb3ZzEYnU6UDvBHkGu7jC6Ka+0QRg9umS/R46PC5v18s1RcgkrYTcVfGQypLjlMoNJHgWsPNCnU48nO5elcFL7Qna36WbllUYj5oUohUT+/jPmhzNlJ1bwdunFa3dM6OxmM96ygRD1lZDaLUkJglIHOUHI3EtpA2UA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WSpHUGR7bIEg4CAb7YPz+Kt/DLcqL/S/QNnndNoTO4Q=; b=lf0r6zeW0bw/MmmD/EIR72SAYa7AOFcUYTjYxa/TgceDe6raBKt1LUlX3G+k7ypeNn1mT26fvKne/cqbWHKC9sbYCoZdbXHHvBFYjO3uE+aLhlKp2ZhKlJBET4kW/WgGXFJoeQ3ttPJ+bBwcLiHYzP66NUkSexW7eUM37eyf9+sDEdARCaaSebaHjhCwwTITIu4ZVeAKTvt81tTwIWbooM0WNYS+ctO0cttjVUCHUxcL519mblDn1C56y5UpwpaSUADjMWy8SMpjgs9Q5k3QSNf+wz1hF3WswHeYtmvpJ62TMpgD8bBR+GceCVzR/5h+7vE9HdnjRYAVSoMkokDuSw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.12) smtp.rcpttodomain=timeheart.net smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WSpHUGR7bIEg4CAb7YPz+Kt/DLcqL/S/QNnndNoTO4Q=; b=Z6+ao+aSSptUlWUhdi6jZSccZqwv4nf4/fXIt+3Mew+GP0Ekh6u43//K+FNXg1kKynoE9i5c+TnBUqsrrFcHP7YIE/aBJle8BCNXqrCJknXraQ8JaC1zUnrHSp4VKbqU7fdY1zEBG6EgqdQz+1QvsMVi/aA5FiUDCQKh+b4CBAE=
Received: from DM3PR11CA0021.namprd11.prod.outlook.com (2603:10b6:0:54::31) by SN4PR0501MB3726.namprd05.prod.outlook.com (2603:10b6:803:50::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.10; Mon, 17 Aug 2020 22:34:37 +0000
Received: from DM3NAM05FT048.eop-nam05.prod.protection.outlook.com (2603:10b6:0:54:cafe::4a) by DM3PR11CA0021.outlook.office365.com (2603:10b6:0:54::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.16 via Frontend Transport; Mon, 17 Aug 2020 22:34:37 +0000
X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; timeheart.net; dkim=none (message not signed) header.d=none;timeheart.net; dmarc=fail action=oreject header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from P-EXFEND-EQX-01.jnpr.net (66.129.239.12) by DM3NAM05FT048.mail.protection.outlook.com (10.152.98.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3305.15 via Frontend Transport; Mon, 17 Aug 2020 22:34:37 +0000
Received: from P-EXBEND-EQX-02.jnpr.net (10.104.8.53) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 17 Aug 2020 15:34:36 -0700
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-02.jnpr.net (10.104.8.53) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 17 Aug 2020 15:34:36 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [10.160.0.88]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id 07HMYZl0030327; Mon, 17 Aug 2020 15:34:35 -0700 (envelope-from mdb@juniper.net)
To: Ron Frederick <ronf@timeheart.net>
CC: <curdle@ietf.org>
In-Reply-To: <D290968F-2733-40CB-918A-452AD74951B6@timeheart.net>
References: <25423.1596646626@eng-mail01.juniper.net> <D290968F-2733-40CB-918A-452AD74951B6@timeheart.net>
Comments: In-reply-to: Ron Frederick <ronf@timeheart.net> message dated "Sun, 16 Aug 2020 14:00:27 -0700."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 17 Aug 2020 15:34:35 -0700
Message-ID: <80066.1597703675@eng-mail01.juniper.net>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: fc917b43-ee76-4c85-80ed-08d842fdb926
X-MS-TrafficTypeDiagnostic: SN4PR0501MB3726:
X-Microsoft-Antispam-PRVS: <SN4PR0501MB3726AAD9C7150332794A423CBF5F0@SN4PR0501MB3726.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: H6+WcV6bA3jp81pRBPs/uilElVeh5i6aPut3tOfOAC/qF5bHAVNVrn1pnuft2ovYOgN/KQ7uuSHib1Qc5cFda4YXu/7MwlfTn1xQEhm5pH7V3umLCkPmTkOXVpBvg24ZT1qdMlrvw144XTfMhBuozFMRJYorqjGdL/2To3sRIIe5NbkJgq379Fp3Yt29jQYBEMOD8r0U4C7kJ3qlMZLerCi3JSl8tAybXPIdmo152zKP9Tl28AMSD4FQFJnkx4gZI+5g2arEv9dr8TPyYI3jmzRhK6Quk4iUkxWqPOSLj3WNnMCXIRKQHNh4p0qcqNMaX0wI4IpOad/BJ/H9qAqb7QIHfCk2pY2lC125S7uyz/f7p0/wDbkSg+t5VsgdoGdkRt9gJSG2ploMK232gatR9w==
X-Forefront-Antispam-Report: CIP:66.129.239.12; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:P-EXFEND-EQX-01.jnpr.net; PTR:InfoDomainNonexistent; CAT:NONE; SFS:(4636009)(136003)(346002)(39860400002)(376002)(396003)(46966005)(81166007)(70586007)(47076004)(2906002)(478600001)(70206006)(316002)(7696005)(8936002)(186003)(8676002)(26005)(86362001)(336012)(426003)(5660300002)(4326008)(6916009)(82310400002)(82740400003)(66574015)(83380400001)(356005); DIR:OUT; SFP:1102;
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Aug 2020 22:34:37.2393 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: fc917b43-ee76-4c85-80ed-08d842fdb926
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[P-EXFEND-EQX-01.jnpr.net]
X-MS-Exchange-CrossTenant-AuthSource: DM3NAM05FT048.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR0501MB3726
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-08-17_15:2020-08-17, 2020-08-17 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 lowpriorityscore=0 mlxlogscore=538 suspectscore=1 priorityscore=1501 bulkscore=0 phishscore=0 adultscore=0 spamscore=0 clxscore=1011 malwarescore=0 impostorscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008170150
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/-JhBLDtcGSqwgV2Ca6ub2ax1bL4>
Subject: Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 22:34:42 -0000

Ron Frederick <ronf@timeheart.net> writes:

> This generally looks good to me.

I am still going back over some of the comments that ekr provided...

> Here are a few more detailed comments:
> 
> - Sections 3.14 and 3.15 list the ext-info values as SHOULD (which I
>   agree with). However, your table in section 5 has them marked as
>   MAY.

Updated in my copy.

> - I noticed you dropped diffie-hellman-group14-sha256 back from MUST
>   to SHOULD, leaving no algorithms listed as MUST. I’d still like to
>   see at least one algorithm be listed as MUST, and think this is
>   probably the safest candidate for that.

How long is a 2048-bit prime, even with such a large q-ordered subgroup
likely to remain viable?

1024-bits for:

  a) IFC RSA, 
  b) FFC DSA, and 
  c) FFC DH,
  d) as well as FFC DH group5 (1536-bits)

are all considered too weak now.

3DES with 112-bits of security is being phased out as of January 1, 2024.

When should we expect to see 2048-bit RSA, which also nominally has only
112-bits of security as does 2048-bit DSA become retired?

To me, it looks like the better bet would be the 3072-bit MODP prime of
group15, but I do not see it being adopted by most implementations.

I might suggest Curve25519, as it is pretty fast and has many
implementations.

That said, there are many who have been doing research which seems to
show that ECC is easier to break with Quantum Crypto systems than FFC
and are NOT interested in implementating ANY ECC algorithms.

I believe I have seen some text from implementers who have said they
would NOT adopt ECC for their SSH implementations.

> - I’m also thinking diffie-hellman-group15-sha512 might be a good
>   candidate for a SHOULD rather than a MAY, but I’m not sure we have
>   consensus on that.

Yup, I have not seen any consensus on this issue as yet.

Perhaps we should opt to make diffie-hellman-group-exchange-sha256 a
MUST? This allows implementors to put in whatever MODP groups they wish
as long as q = (p-1)/2 ... so, a maximized q-ordered subgroup... though
I o worry a bit about the way that the generator g is created perhaps
not providing that g^q mod p == 1 is a will formed subgroup. When it is
not a well-formed subgroup, then it will be leaking the first bit of the
key value.

> - I agree with the downgrade of diffie-hellman-group16-sha512 from
>   SHOULD to MAY.

Okay.

> - Regarding possible ECDSA algorithms, I implemented the secp256k1
>   curve as ecdh-sha21.3.132.0.10 in AsyncSSH after seeing it was

I think you mean ecdh-sha2-1.3.132.0.10 here?

>   implemented by Bitvise. I don’t know if it is worth mentioning here
>   explicitly, but it’s one real-world example of an ecdh-sha2-*
>   algorithm not explicitly given a name in RFC 5656. The ‘endsa-sha2’
>   algorithm with this curve is also supported.

The reserved name is for ecdh-sha2-* ... so ecdh-sha2-secp256k1 or
ecdh-sha2-1.3.132.0.10 or ecdh-sha2-oid-1.3.132.0.10 would be better...
depending on what Bitvise uses.

I think you might as well use the name, the Koblitz curve names are
present in RFC 4492.

    b'1.3.132.0.10': (ec.SECP256K1, SHA256),
    b'1.3.132.0.34': (ec.secp384r1, SHA384),
    b'1.3.132.0.35': (ec.secp521r1, SHA512),

For that matter, as long as you are going to use vanity curve for Bitcoin;

Why not use the RFC 7027 ECC Brainpool curves too?

    b'1.3.36.3.3.2.8.1.1.7':  (ec.brainpoolP256r1, SHA256),
    b'1.3.36.3.3.2.8.1.1.11': (ec.brainpoolP384r1, SHA384),
    b'1.3.36.3.3.2.8.1.1.13': (ec.brainpoolP512r1, SHA512),
  
That said, given that they are named in RFC 7027, using their names may
be better too.

Does anyone else want me to add either the Koblitz or Brainpool names or
OIDs to this IETF draft?

	Be safe, stay healthy,
	-- Mark

> --
> Ron Frederick
> ronf@timeheart.net