Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-kex-sha2-14.txt> (Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)) to Proposed Standard
"Mark D. Baushke" <mdb@juniper.net> Thu, 25 February 2021 02:16 UTC
Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1423A0C82; Wed, 24 Feb 2021 18:16:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.669
X-Spam-Level:
X-Spam-Status: No, score=-2.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.57, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=NTdu24c4; dkim=pass (1024-bit key) header.d=juniper.net header.b=VCaCs0yo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJfiimVJEerD; Wed, 24 Feb 2021 18:16:10 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98AF3A0C7B; Wed, 24 Feb 2021 18:16:10 -0800 (PST)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 11P2FRRL026514; Wed, 24 Feb 2021 18:16:05 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-id : date : message-id; s=PPS1017; bh=O2Ki6FEjxgrVQCdd9HdB/3nILR25G31EjJK70UrpSdA=; b=NTdu24c4h2AlcWbxeUEal20CiUCHhyyqvxCXwKKohhLI3aF7aaB9Z9a8SXWYjLd8UY2w HDiE2URHCrelmIGfYI+T20WV0tzsJbXAowEeYliBhm6P17fw+4h850ThLvo0PxXlWwzY PhRfL+oU+GWxd+QoGzfiv8ptW2W5Rgjdap+/JkuPQiLfsWFiht5BKFCTzgydzMGaz/Hl EzSl0QObF9ItGdDUL+SmTYPZj0zcMLGKYi7yEhxgCOzArkabz4AGmdOOAWh213h39m8H 1fFHPQ8ceCf8riAYQ8ybBY449Zsc+hru85dWKZaZiKD4fEz9q5nNretVMiRUsl+jQczf Lw==
Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2049.outbound.protection.outlook.com [104.47.66.49]) by mx0a-00273201.pphosted.com with ESMTP id 36wus3rs67-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Feb 2021 18:16:05 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eQ8BiBbxDdaBBpbv9HwJUgNjMYKyJifHQXLFIVi4Au0qudp0xVzCc1GPXNOE7PUji8z8iqJuWUUIqCKgiu2s14boXhVkU7FGXJIraZWLKAFc26f9gX/V78YHMNcxLBFtg6FirdRbu2O/nF2C9Iev+E0UvK4gbZbSM/odr3pqnfesVvka4jINstsNR30bOPy6Rd+zqQPXxpwHysGf/QFg+bK2y87A7FIvOJ/loY09XAFy5ow88THHbsB4o5EA57aJtpmjUH/mEp1vBHXhZgml/0qWG7yO2pQB6Kr5jNId9uuKS1AF98M23Y6q4IeTYtvSsCh/KLLXZC9OK86jK7DL1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O2Ki6FEjxgrVQCdd9HdB/3nILR25G31EjJK70UrpSdA=; b=Ysiq6BrkFilBoM6uhUSd5Ql0E8rYP0ncZspZqUWAz1xBmMPmY9frUhlqyS5HY5wHLmUl/j+nibQpdGI8lTXThYQTXAPtyMfoKF22Q+qq9ehGhg4BbjSsAdKoale2HrrtgSEUioaaHSSQ1M58/T6V/wlynL04PBmdt2SPBGhSq1rJ3vSPKJLiacSZu6BwoSDtb7f6B/FLt0vmLdOA5R8PSSKHvd4yGxSZUo0PcjOHWNJDlSkB3sCnWUnyERAm3f7Gsz4iDkIgazQx8Ryumsp4xwFJXyY9tFZEVRkx1Aq4sURzDB2q0Zn11AnbUUlPlF444xnveI1shEAngBZ0+LkPng==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.12) smtp.rcpttodomain=ietf.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O2Ki6FEjxgrVQCdd9HdB/3nILR25G31EjJK70UrpSdA=; b=VCaCs0yoIxiQEmwF4a6Ln11sS49SZN9KpKSTlCBYf/jYjdlFZ879z7WicR967qT4brTgN0rFCItDg+swf+9lXbs0yxP0fvtTwrpwoQ4Q727V5nHHg14NIxxv4AS044JsUSuCZzJ31+QXTVxDFBOZwNrehHzVHshrHxTUkpTf2VY=
Received: from DS7PR03CA0035.namprd03.prod.outlook.com (2603:10b6:5:3b5::10) by BN8PR05MB6129.namprd05.prod.outlook.com (2603:10b6:408:64::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.16; Thu, 25 Feb 2021 02:16:01 +0000
Received: from DM6NAM12FT014.eop-nam12.prod.protection.outlook.com (2603:10b6:5:3b5:cafe::bb) by DS7PR03CA0035.outlook.office365.com (2603:10b6:5:3b5::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.19 via Frontend Transport; Thu, 25 Feb 2021 02:16:01 +0000
X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=fail action=oreject header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from P-EXFEND-EQX-01.jnpr.net (66.129.239.12) by DM6NAM12FT014.mail.protection.outlook.com (10.13.178.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3890.8 via Frontend Transport; Thu, 25 Feb 2021 02:16:00 +0000
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 24 Feb 2021 18:15:59 -0800
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 24 Feb 2021 18:15:59 -0800
Received: from eng-mail03.juniper.net (eng-mail03.juniper.net [10.108.22.11]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id 11P2Fx0g025516; Wed, 24 Feb 2021 18:15:59 -0800 (envelope-from mdb@juniper.net)
Received: from eng-mail03 (localhost [127.0.0.1]) by eng-mail03.juniper.net (8.16.1/8.14.9) with ESMTP id 11P2J8wS088330; Wed, 24 Feb 2021 18:19:08 -0800 (PST) (envelope-from mdb@juniper.net)
To: Rene Struik <rstruik.ext@gmail.com>
CC: last-call@ietf.org, IETF-Announce <ietf-announce@ietf.org>, curdle@ietf.org, daniel.migault@ericsson.com, curdle-chairs@ietf.org, draft-ietf-curdle-ssh-kex-sha2@ietf.org
In-Reply-To: <ef2702b2-deec-9d7f-2641-0d2b79e819c4@gmail.com>
References: <161297636786.23628.11474505782744804904@ietfa.amsl.com> <ef2702b2-deec-9d7f-2641-0d2b79e819c4@gmail.com>
Comments: In-reply-to: Rene Struik <rstruik.ext@gmail.com> message dated "Wed, 24 Feb 2021 17:46:29 -0500."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <88328.1614219543.1@eng-mail03>
Date: Wed, 24 Feb 2021 18:19:03 -0800
Message-ID: <88329.1614219543@eng-mail03>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c4d4063b-90a7-4eb8-7044-08d8d9334bb0
X-MS-TrafficTypeDiagnostic: BN8PR05MB6129:
X-Microsoft-Antispam-PRVS: <BN8PR05MB6129C17227E1A727A2DC89CEBF9E9@BN8PR05MB6129.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: QJLKc+Q+AJfjZVGi+0hM/oy3qqWCLqDDjUzQ9xudxZpAPrmbnqB5Rb2RKXu5Ix10KsdpfUOl6vFZ07Kpe+HU/CvS1qxzFhOfN55pGvhxosrigeJ69q95WkX4MEmYbsR2HHu9dP+LYI9mB6VxBk954CF6yTdVTsy0AJlbZ70E2VoNjJ9HSCM+QGLa5Ls5058iZ8nUSpxYjeNEFQ09BRVFadZDACOjmNxFg3PTtAAaW0D4kUbEaaTZXSEAO8N0GSbqXBO4dvE8Gkqn56bRAXfkiCrbJqEbH10gc9r96LWxjCskXFjBcLjhKhXJLdDwMxbxVUdjjmBp25/2szv32+HA18LJAOLNcdXg8PrrTWdMvLaeRf2NH3plbq3oXjj7Yy545HaHH0qxOPVKtu+s97/DwDNMk1diHDmyibkTV8itQeuSN0vqE1gMUstwVpQCf7bdI4827eaDX8k5zohuImBgefZQ5BeA7Hf1xzIon5aw+lP1zCcgeaf6ESsGw52sSHxf7iMl7LelTWDHGXoyh2n5bbSrPzVPV3L5X+AwSvnWZg9NViqm2etaxEtBfv2mw4j67B8G2nV3Gj7sQT3g2c461Qz6lOlPGRTIWXLz+nZOzQD68vFGfxjrcDzsHk9v+ZAK76gehtSMpscTMWy+f1AniAyEXge3qJX3XaD6PQDkJBliB2QgX9COEcI4EsNWREHuxflGH+BWcuLsSfmmcnoTkw==
X-Forefront-Antispam-Report: CIP:66.129.239.12; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:P-EXFEND-EQX-01.jnpr.net; PTR:InfoDomainNonexistent; CAT:NONE; SFS:(4636009)(346002)(376002)(39860400002)(136003)(396003)(46966006)(36840700001)(70206006)(6916009)(356005)(26005)(70586007)(8676002)(81166007)(5660300002)(6666004)(4326008)(36860700001)(82740400003)(186003)(7126003)(86362001)(47076005)(9686003)(54906003)(316002)(33716001)(82310400003)(478600001)(8936002)(336012)(83380400001)(15650500001)(2906002)(426003)(62816006)(36900700001); DIR:OUT; SFP:1102;
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2021 02:16:00.7979 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c4d4063b-90a7-4eb8-7044-08d8d9334bb0
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[P-EXFEND-EQX-01.jnpr.net]
X-MS-Exchange-CrossTenant-AuthSource: DM6NAM12FT014.eop-nam12.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR05MB6129
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-02-24_13:2021-02-24, 2021-02-24 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 suspectscore=0 phishscore=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 spamscore=0 priorityscore=1501 mlxlogscore=999 clxscore=1015 adultscore=0 mlxscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102250016
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/7YzIg_xqyfE7nnL7a5W3E-S5BIA>
Subject: Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-kex-sha2-14.txt> (Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)) to Proposed Standard
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 02:16:13 -0000
[I got some email bounces... please pardon any duplication... trying again -- mdb] Hi Rene, I have tried to address all of your comments below. Rene Struik <rstruik.ext@gmail.com> writes: > Dear colleagues: > > I did have a brief look at this draft and have the following (small) > comments: > > Draft: draft-ietf-curdle-ssh-kex-sha2-14 > > Comments: > - the document seems to take a half-hearted stance on deprecating the > use of SHA1. Why not simply strike all key exchange methods that use it > off Table 6 altogether? MDB: As the draft author, my original intention was to move all of the *-sha1 key exchanges to either deprecated or disallowed. In RFC keyword terms, this is SHOULD NOT or MUST NOT. If you look at Table 6, the only one that was missed was the former "MUST" algorithm "diffie-hellman-group14-sha1" which has been moved from "MUST" by RFC4253 to "MAY by this draft. The WG consensus was that this "MAY" allows for a transition period to the new "MUST", "SHOULD", and "MAY" guidelines for key exchange methods. > - in Section 1.1 (p. 3, forelast para), it is suggested to not use > SHA-224 since it has the same compression function as SHA-256 (and only > differs from it by the initialization vector and truncation in the end). > Shouldn't one add similar language for SHA-384 vs. SHA-512? MDB: I can add it if it is desired by the community. Or, I could remove any mention of SHA-224 if that would make the community happier. I will note that RFC5656 section 6.3 mandates that ecdh-sha2-nistp384 use SHA-384 which is why there is no similar language for that hashing algorithm. > - in Section 1.2.1, the bit security of Curve25519 and Curve448 is > somewhat smaller than stated (126-bit and 223-bit) {although perhaps not > that important a change}. MDB: I do say 'approximately 128 bits' in the text. I could add the word 'approximately' to the table if that is needed for consistency. Do you have an informative reference for Curve448 being at 223 bits of security rather than 224 bits? If so, I could add it to the informational references and update the table. > - in Section 3.2.2, I am somewhat puzzled by the suggested use of > Curve448 with SHA512, since RFC8709 introduces Ed448 (which uses a > 4-isogenous curve Edwards448 to Curve448, but which uses SHAKE256/d=914 > internally). Why not align the underlying hash functions, so that > implementations with this curve would be able to use a single hash > function implementation? MDB: I thought the section 3.2.2 text was clear that the key exchange method names were those found in RFC8731. Section 3.2.2 specifies curve25519-sha256 for two reasons: a) it is a direct documentation of curve25519-sha256@libssh.org which is deployed in many SSH implementations and is documented in RFC8731. b) SHA-3 implementation were not as widely deployed as SHA-2 when the curve25519-sha256@libssh.org implementation was created. If you have any suggestions for how to make section 3.2.2 clearer, I have no pblems with updating the section with such a consideration to help readers of the RFC. > - in Section 3.3, I am wondering about the underlying philosophy of > still aiming for implementation of ordinary discrete log groups (Note: > it is the only method with a MUST). MDB: Yes, and it is only FFC group14 which already in fielded implementations due to RFC4253 mandating it (for use with SHA-1). The only change was to move from SHA-1 to SHA256. This was considered to be a simple code change as compared to trying to add EC to implementations that do not have it and are not interested in implementing it. > Shouldn't one give a nudge towards implementing elliptic curve-based > methods (which all have a MAY or SHOULD only). It seems more > appropriate to switch this order and label DLP groups as MAY at most > (if sufficiently large)? MDB: The nudge I used was marking them as "SHOULD" ... I was unable to get consensus on MUST for any of the EC key exchange methods. That said, there are again two plausible reasons for this: a) In a Post Quantum Cryptography (PQC) world (which I do not expect to happen in my lifetime), it is easier to break EC than FFC because EC uses fewer bits. b) If you look at the archives, you will find a number of implementors refuse to consider a move to EC key exchanges at all. So, one reason is technical and one reason is mistrust of EC... or maybe they are both anxious about PQC. I feel happy I was able to make rsa1024-sha1 a MUST NOT as there are still a lot of folks that enjoy using RSA. and I would have no problems if rsa2048-sha256 were removed due to a lack of perfect forward security. > - (not really in this document, but I thought to ask nevertheless) some > representations, such as "mpint", do not seem to be such a smart choice > any more, since variable-size encodings may leak info on secret > parameters in crypto processing. Is there any reason this still, in > 2021, should be kept as is? MDB: Given the key exchange method names are sent in the clear of the fixed sized prime fields for FFC and curves for EC and key size for RSA, I am unclear on your point. There is not really anything secret about the sizes of these crypto variables. If you are talking about mpint for other parts of the SSH protocol, then that may be worth a larger discussion. > I do realize that not all these comments are directly fixable with this > draft (e.g., the last one). However, it makes me wonder whether it may > be time for a more general design update of ssh-related protocols? (in > my mind, crypto agility should have a complement in general design > agility... [even if one would just only get rid of mpint etc.]) MDB: At this time, the CURves, Deprecating and a Little more Encryption (curdle) working group is winding down. I believe that the this draft is the second to the last one for the WG. (The only one still waiting is draft-kampanakis-curdle-pq-ssh-00) I would suggest that the ietf SSH working group would need to be restarted if there was going to be a design update to move from SSHv2 to SSHv3. However, that is just my opinion. > Best regards, Rene > I hope that my answers have addressed your questions and concerns and look forward to any suggested textual changes to make the document better. ...elided the rest of the message... Be safe, stay healthy, -- Mark
- [Curdle] Last Call: <draft-ietf-curdle-ssh-kex-sh… The IESG
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Rene Struik
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Mark D. Baushke
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Mark D. Baushke
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Rene Struik
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Salz, Rich
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Rene Struik
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Salz, Rich
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… denis bider
- Re: [Curdle] Last Call: <draft-ietf-curdle-ssh-ke… Benjamin Kaduk