Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

Hubert Kario <> Wed, 25 November 2020 12:53 UTC

From: Hubert Kario <>
To: <>
Date: Wed, 25 Nov 2020 13:53:11 +0100
Organization: Red Hat

On Monday, 23 November 2020 22:54:17 CET, Mark D. Baushke wrote:
> Hi Folks,
> I have uploaded draft-ietf-curdle-ssh-kex-sha2-12 which is a large
> rewrite of the text to address the structural comments made by Eric
> Rescorla.
> It is probably best to review the document from scratch to see if the
> flow and issues with older crypto primitives (sha-1) lead to the
> conclusions being drawn.
> There may not yet be full agreement about the summary guidance for Key
> Exchange Method Names.
> The diffie-hellman-group1-sha1 exchange was a mandatory to implement and
> is now a SHOULD NOT. I could move it to MUST NOT if everyone else thinks
> it best.

+1 for a MUST NOT, though I'm ok with keeping it at SHOULD NOT

People that need it for interoperability will use it irrespective of what
the RFC says, but new deployments should require the user to jump through
at least one hoop to make it work.

> The diffie-hellman-group14-sha1 exchange was a mandatory to implement
> MUST and is now a SHOULD. Similarly for gss-group1-sha1-*

No, I think it should be SHOULD NOT; the SHA-1 disqualifies it.

> The rsa1024-sha1 exchange is now a MUST NOT.
> I have suggested that diffie-hellman-group14-sha256 be a MUST (mandatory
> to implement).
> A plurality of the list seemed to be in favor of this, but if 2048-bit
> (112 bits of security) is falling out of favor (along with 3DES), then
> perhaps a different KeX is desirable to be MUST.

While the small security margin of 3DES is a factor in its deprecation, the
problematic part of 3DES is the 64-bit block size.

And AFAIK, we're not even considering deprecation of 2048-bit RSA in PKIX,
so I don't see any arguments against making group14 mandatory.

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
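As an added example, not part of this thread or of the draft itself: a small Python parser for the name-lists of an SSH_MSG_KEXINIT that maps each offered KEX method to the draft-12 levels quoted above and reports whether the proposed MUST method (diffie-hellman-group14-sha256) is offered at all. The guidance table and the sample KEXINIT payload are constructed from the thread; method names the thread does not discuss are reported as such.

```python
import struct
# Levels as quoted from draft-ietf-curdle-ssh-kex-sha2-12 in the thread above (constructed table).
DRAFT12_GUIDANCE = {
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "SHOULD",
    "rsa1024-sha1": "MUST NOT",
    "diffie-hellman-group14-sha256": "MUST",
}
SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names (RFC 4251)."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw

def build_kexinit(**lists):
    """Build a constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) for testing."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + zero cookie (sample only)
    for f in KEXINIT_FIELDS:
        body += name_list(lists.get(f, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload, checking every length field."""
    if payload[:1] != bytes([SSH_MSG_KEXINIT]):
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for f in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list in %s" % f)
        out[f] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    if len(payload) - off != 5:
        raise ValueError("bad KEXINIT trailer")
    return out

def assess_kex(kex_names):
    """Map each offered KEX name to its draft-12 level; report whether the MUST method is offered."""
    verdicts = {n: DRAFT12_GUIDANCE.get(n, "SHOULD" if n.startswith("gss-group1-sha1-")
                                           else "not covered in this thread") for n in kex_names}
    return verdicts, "diffie-hellman-group14-sha256" in kex_names

# Constructed sample: a server still offering a SHA-1 method next to the MUST one.
SAMPLE = build_kexinit(kex=["diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1",
                            "curve25519-sha256"], hostkey=["ssh-ed25519"], comp_c2s=["none"])

if __name__ == "__main__":
    print(assess_kex(parse_kexinit(SAMPLE)["kex"]))
```

A real KEXINIT payload captured from a server can be fed to parse_kexinit() in place of SAMPLE, since the trailer and name-list layout are the same.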