Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 29 March 2017 07:11 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0818F129666 for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 00:11:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZaon6pwXYdj for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 00:11:44 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C91FC129677 for <curdle@ietf.org>; Wed, 29 Mar 2017 00:11:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1490771503; x=1522307503; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=/mL3xqSbZtMrll0ZpNrAttMp4w0mc5UiX3hWrcn/7m4=; b=nQ6QaYHyhSI0QUwUKwBSwch37y8oELljAlLGobG5ZaQ6Qdk55nUWuQyD KRzy6qZbTSgWg8dCPNXxsKyQEvTZbbBJnzV/QvImsooljox+4Sey+6m34 HBw7OdYHC8IJRRoAt00dZO5vPogqZNFWU5fJ4DVnH2GLgJi6dfhhtV2MX 7aXKqzmOHi2NuoU7jMsBe8oNhONF/UN94iLfSc0oc0vphwVqpXtSMLAA2 YkXrQ4aXcoo4uk1B2obIE6QwTvgRICRGFwT8fm4mTSJ3l983M3e2/Tjiv N1ayr80IGYeHxoAlSGv4rHgES4FyXnTagCcUj2zlnQUuVGPp5pzLd1eBu g==;
X-IronPort-AV: E=Sophos;i="5.36,240,1486378800"; d="scan'208";a="146368814"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 29 Mar 2017 20:11:25 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 29 Mar 2017 20:11:25 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Wed, 29 Mar 2017 20:11:24 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Mark D. Baushke" <mdb@juniper.net>
CC: "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>
Thread-Topic: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
Thread-Index: AQHSqFQvvMzLgbWgOUKICwAKgZV7EKGrZcGX
Date: Wed, 29 Mar 2017 07:11:24 +0000
Message-ID: <1490771481840.11723@cs.auckland.ac.nz>
References: <CADZyTkmr0WF3BOBby3rObBGGQaqMUq=0Ssc7NB9PAgPFDrk7dA@mail.gmail.com> <30381.1490720068@eng-mail01.juniper.net>, <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com> <1490766071333.6018@cs.auckland.ac.nz>, <57287.1490768257@eng-mail01.juniper.net>
In-Reply-To: <57287.1490768257@eng-mail01.juniper.net>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/7O56kETUQHVChnsP6jHsApsBuIM>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 07:11:46 -0000
Mark D. Baushke <mdb@juniper.net> writes: >Another possibility would be pre-generate a number of provable primes that >are NOT safe primes and pass {FSeed,vPseed, Qseed, Pgen_counter, >Qgen_counter, g, Q, P} from the server to the client to prove to the client >that P and Q are primes and then commence the key exchange. That would require both a change in the SSH protocol and for everyone to implement the full FIPS 186 / Shawe-Taylor algorithms, which seems unlikely. The point of NUMS values is that anyone can verify them, not that everyone should have to implement the code to verify them. You do however need to get one or more people to actually verify them. Until I asked about this a few years ago and Henrick Hellström (who probably doesn't work for the NSA or CIA :-) kindly obliged by running the tests, I don't know if anyone else had ever independently verified the values in RFC 2409 and 3526 (someone may have, but if they did they didn't publish the fact). I would go for the most generic form, safe prime, g = 2, and generation from some NUMS seed in a manner that doesn't require implementing an exotic algorithm for verification. (And we can debate whether "2^2048 - 2^1984 + {[2^1918 * e] + 560316 } * 2^64 - 1 + kitchen_sink - pink_flamingo + speed_of_light_in_a_glass_of_milk" qualifies as NUMS or not). >Would a Draft RFC dealing with the creation of such provable primes be >something that is useful to the Curdle WG? This came up a while back and but fizzled out based on an inability to agree on how NUMS the generation method should be. So I'd say there's interest, but we'd need to sort out how to do the NUMS in a manner that everyone would find comfortable. Also, I'm not sure whether you're proposing publishing a HOWTO or the values themselves, but what's needed isn't so much a discussion of how to do it, it's for someone to actually do it in a NUMS manner and publish the results. >Is it likely that something like this would be adopted by more than just SSH? Uhh, that's kinda missing the point, you want values that *won't* be adopted by everything else out there. Unless you compartmentalised and said "these values are for SSH, these are for SSL, these are for IKE, these are for everything else". I certainly don't want my SSH keyex to become collateral damage in some government agency that really just set out to break IKE, or VoIP, or SSL. Peter.
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 denis bider
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Daniel Migault
- [Curdle] minutes for IETF98 Daniel Migault
- [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Salz, Rich
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Martin Thomson
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Yoav Nir
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Yoav Nir
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Salz, Rich
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 denis bider
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario