IETF Logo Mail Archive

Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

"Mark D. Baushke" <mdb@juniper.net> Mon, 24 July 2017 03:26 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9498B126B71 for <curdle@ietfa.amsl.com>; Sun, 23 Jul 2017 20:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mzv2Uz_n1ScM for <curdle@ietfa.amsl.com>; Sun, 23 Jul 2017 20:26:09 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0133.outbound.protection.outlook.com [104.47.36.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15254120227 for <curdle@ietf.org>; Sun, 23 Jul 2017 20:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=BbXDO31CYcWCn/VqMQ+jc0DIVl/bZEGrRzvUN8c6PPQ=; b=JA/hmJfVl4vMQ2S6Gyf4DAq/fYc/hmcO99m+lCsV8CmtEe0cyUdjzkaz3x6DB6MYkh9hx7DZtHjTIavvyf/jfDk1omjauk5adiaQJXyZD7ZAXcsC75kZsjCQ49ETbP9cPcsfHGer+e1MxA/uL4guqq5KGp62ea4kdypTnsRrS2Q=
Received: from DM5PR05CA0002.namprd05.prod.outlook.com (10.173.226.12) by BY2PR05MB2310.namprd05.prod.outlook.com (10.166.112.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.10; Mon, 24 Jul 2017 03:26:06 +0000
Received: from CO1NAM05FT009.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e50::208) by DM5PR05CA0002.outlook.office365.com (2603:10b6:3:d4::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.10 via Frontend Transport; Mon, 24 Jul 2017 03:26:06 +0000
Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=fail action=none header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from p-emfe01a-sac.jnpr.net (66.129.239.12) by CO1NAM05FT009.mail.protection.outlook.com (10.152.96.116) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.1261.15 via Frontend Transport; Mon, 24 Jul 2017 03:26:06 +0000
Received: from p-mailhub01.juniper.net (10.160.2.17) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Sun, 23 Jul 2017 20:26:05 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id v6O3Q4TL020221; Sun, 23 Jul 2017 20:26:04 -0700 (envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1]) by eng-mail01.juniper.net (Postfix) with ESMTP id 7D74E1144E; Sun, 23 Jul 2017 20:26:03 -0700 (PDT)
To: "curdle@ietf.org" <curdle@ietf.org>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Damien Miller <djm@mindrot.org>, Deb Cooley <debcooley1@gmail.com>, Tero Kivinen <kivinen@iki.fi>, denis bider <denisbider.ietf@gmail.com>, Russ Housley <housley@vigilsec.com>, Eric Rescorla <ekr@rtfm.com>
In-Reply-To: <alpine.BSO.2.20.1707211413070.14080@haru.mindrot.org>
References: <22892.35863.542104.942153@fireball.acr.fi> <82005.1500305248@eng-mail01.juniper.net>, <alpine.BSO.2.20.1707201053511.14080@haru.mindrot.org> <1500519070842.37117@cs.auckland.ac.nz>, <alpine.BSO.2.20.1707201345030.14080@haru.mindrot.org> <1500524115986.58764@cs.auckland.ac.nz>, <alpine.BSO.2.20.1707211053360.14080@haru.mindrot.org> <1500607284832.92144@cs.auckland.ac.nz> <alpine.BSO.2.20.1707211413070.14080@haru.mindrot.org>
Comments: In-reply-to: Damien Miller <djm@mindrot.org> message dated "Fri, 21 Jul 2017 14:14:27 +1000."
From: "Mark D. Baushke" <mdb@juniper.net>
X-Phone: +1 408 745-2952 (Office)
X-Mailer: MH-E 8.6; nmh 1.2; GNU Emacs 24.3.1
X-Face: #8D_6URD2G%vC.hzU<dI&#Y9szHj$'mGtUq&d=rXy^L$-=G_-LmZ^5!Fszk:yXZp$k\nTF? 8Up0!v/%1Q[(d?ES0mQW8dRCXi18gK)luJu)loHk, }4{Vi`yX?p?crF5o:LL{6#eiO:(E:YMxLXULB k|'a*EjN.B&L+[J!PhJ*aX0n:5/
Date: Sun, 23 Jul 2017 20:26:03 -0700
Message-ID: <398.1500866763@eng-mail01.juniper.net>
Sender: mdb@juniper.net
MIME-Version: 1.0
Content-Type: text/plain
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39840400002)(39860400002)(39850400002)(39400400002)(39410400002)(2980300002)(199003)(189002)(305945005)(53936002)(4743002)(6266002)(38730400002)(93886004)(6246003)(110136004)(229853002)(7846003)(117636001)(47776003)(6392003)(2501003)(39060400002)(356003)(106466001)(6916009)(2950100002)(2351001)(478600001)(76176999)(4326008)(50986999)(2906002)(8936002)(97876018)(81166006)(69596002)(81156014)(189998001)(1730700003)(50226002)(86362001)(2810700001)(5003940100001)(105596002)(76506005)(53416004)(5660300001)(77096006)(48376002)(7696004)(68736007)(230783001)(54906002)(5640700003)(626005)(7126002)(50466002)(55016002)(97736004)(8676002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR05MB2310; H:p-emfe01a-sac.jnpr.net; FPR:; SPF:SoftFail; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; CO1NAM05FT009; 1:CBiMMKjSAhCGgIt+QlVdvGEDHY6ohnXGsE5St4iWCKseaU/XXNp1D3Y7Me88iIVrherfH5D6tj/J5Kg2Sltcy8GAsztrgoVhYBkpEjreRRkKUixbY0s6S6+jr5wQCi/n0iM9CxoYl7lpTGYEyhLJk18a5TN8pyvp7N4GaoO0Z+R2Top81mwyXX5bq+TEw8/QhqDVFXnu9RGCAvOU+P0X9D9Ejb5sz9+JiavChMQJ4wjlMt1kKZBAJrigChWOyQlApClwFmGdXuXgjmGOTy6qpKlH7pc6gD31WrOE3vSKoHWccqv/eHe4r+NQXivVkzElUSkUzow8FoQrtluZYRPGBJkP1QymDJymjpgIeyvwWva1dKl8wHY+Xef86sV4r18cbdhpwoY5zohwD84PeAD3A/RCpHDNjO2OD8eHlBNCn/h1gBaSkgOwBh0yRmO5779avsw7K068gXLGLbSR1lE1Mz2UjeG7YCcJvk1s/zDQAcK1ofmhvzZqJZsR6S01Qi36Oacr6XsRT0pjmT6qIUjIsFPp1Jg46cnXARxrsd9u85nhB3t0WfxzIuD+BdWKF63iM1gYYWYVH5Nm1TOk1NiItvnj8GXMLwVtP+YmMiLr07M02V6601/bNAwDvT8LqUXN8G/GOMzKrL0e/iSYWrIL7t153jsmQQlgg6kIH24UlXvtb5NhOrTlNfl20VYW+qGbDJGw0KphKkZ1fh97I44+jcSTmhEQtAoPfeXHqQHqzGp/LunZx5ROT7e6KcdNv0qHORFI25Qdvw3WRq/O5EeRcygIhbaL2ll5A3dFF9DaEiyQA9+VwRX07r9eKk++hlSnEDwNqSNzmCf/qsgr4aJdz13t0ZO00nhqURQiMz1wbO4fDE18cMF7RO/jVbmwCMr32k1ZTwqYq3r3o9T+86GUoA==
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 28830a13-ff20-4863-a1ff-08d4d243b868
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR05MB2310;
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 3:yDRPDjDfkS8m/6nYcwWjOe0rujwElX1gZbCQymvZ+NawZvBYpn3DcziASi0Bwg3LZYD8FcxXARKY+qbLWWNrdFN8RrbHalbKCyHjHy+qM4u0KgscgpMbC7UzXOJrV5P1hPZYdUQ1Jg4u0ZpdtwE2NRxJOZjKHaGwSqIx8NZz80t0RY1b+CY8BWmNWoil+s8bad9aOBc1AQrFUc7QfOBOLz/Efwu1CD+6PeF3rjAQAkjQZx2/HCdb6RGNwbadqHN+/MJ2isqxVzozZW6bt7wXWe7HK32nqDItozJtQZZ1WpRB9+JT6fPCdoe7RRUBEW/BpnifFIpYajAnv50/Xj4KrA8+1JsUPIMMXTZx+8ECngNIuhbpd/seFmAGtYMqe7g9+YWlM0i+IZM8DewlCReKqLyGRiQApMHnay9tN3qEFhSa/bAwzuCQWc6GMN+xIfvxwvSiUhVo8rpNBtt6hv7f0LTf79zXcfwR+HX8nP82E/f4g/3hud/QE+e4AEVoR+zUOiyUAmy7+B4Ut6vYgkkRCSeCxnJh7fMJJ4jpSROt21M8x9Hjf8gejNKkuNl31QyYQrHh1OS1Xmu5HEzhAYL2V+XbnTS9hUny1DLJ15DqkGPD5eR5ZuuHN7RBg2oEWJOc6K2YSEXbZv5rMTjBk8zlJ8GvymQ60P1fkrEO5wX9BYn0UhH0JBcNJyDsUY4NFoBud6D27+I2cGR80Ei1Db/7QLFFuYScr6NOMo2NwNuNO1lU++vKqhF5VM7ukgPMU58aOdFP2xopnuMI2zBsJGu3ERo3zT6VewJtm91+tign6eOPfufwHAA6pBCuzlaAqkP1F6DLgxLQBr7a8eEU0TP3QjAXgf1H1Hqh3xNI6AAr0JiPraEOISpbBXqLDlDorRYP8XHYrDBNAV2jNlGSxQV3Ew==
X-MS-TrafficTypeDiagnostic: BY2PR05MB2310:
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 25:TERJZy7dVefPYZJVx+1fN+UfpICcKreS2kodF2eIQMtiaYN3IiiCiy4KzXJ3xoT24ej+tpCP0xEm1fsBMGrgl2U8c49jeMhqUaJze3HdYpBFXFheZtREKFSuzEuqDXOIVcRy9XJFJo4ZNbjmm8GY8Zu8yyJje7RudaVbgXk+uSfM5oSiXsrwxoTTKwD/NRK9dVFFNS0hSULyJecgWqiJpNwqy8dL3UDWTxsnq5ndQUBpiMiYOAYlHu3oimgZ5twzqD9oXaICDVu4Lg2/tTsUO52ZGcoPW1qj3LSdSLCdeV04bcLFNXnhJO0jOQUm3hPR1JtowOlx1es8zlk5ONEDlMthSlXiBEntijRIii4JNOev4d+aO+DfQ0PpNdi0W47F6l7Hj922HolX4oi9dS0z/bxh8bmn5DDBBOfEoeDLWd0HMff/QdJNeOBNgsUiyED1cRSlcvAjttsMmdYc8uq7cHd5xm8JVjcZ3BeY2JSX1YOnZFifBtiLeOFnCZqR+te5tpdgVtyA9U/hhWu/SH9HWUS00fMNciWcaCOUY5/NstDs+yOM2OMNIVOFaRpqn0gfIdhafTBMYEwE+f/TYoZ9+N8Wn/b1tswLLWl9RSrfdhquawRXOOeb3K96lJGKCoijjtoSG8QD2zMc2mDEXRrviYzJ2rIqN8PI0FPzansozsPRXdWt75m05EIJgOwaozwIw+MHBROt1DYqXBmJ6n91cilRHP4tEOtVtfQQFOIPfwMdkOdHWEuiGilPXaD/NiFmOPx0I4ZmbUwdmIdAehG7hmmWGBjJrfVB9vIT1q+Xs7yQQX4m1rVDvNA7MfQRflROBIQGfwywmIN1utScH8MdF9G36OiQYX81fs7DRoWVnfupoID2g44Tbm/fOaE72YmXGyvvV57dtSC1ZFE8SJIAwqO5AhdjsVuPkNNg94mfO/I=
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 31:YHWMsG3sjdG3xrDO389BFMKeYZ5POCi7UufEwJUxYai1+DKGtmWu6wCiG+Xt5yx3uLvMI/QE3bdv0qMwrm/7tFA3o/CImG4VhizZJuRTah0kxdkSid5Nek0svfMg2BPy65Ujgofzz85+Fyq85MoUM6gA8gZib6sEJ0Nb30aGVQQPPydU1qFKT9r+tas8lSfu1ElEIEqRFBsRyNUv6iPXWrWhtAL3H0qLvpbYT4fvn4s82VOr5vw5CLHLN/anSaT5RU4WVc/1cCwBoezSMQ7FTwtPMyknoG3fLeyvpYb9YZnpmI8BbIL7ZPTSCj1Kerm+4dLuDYG/Uo3QuWYz69xSy/AMojj3JDfrvvEh022WY8NyEszokNliw4exMlSCRqsgjr6Q6ABnOQ69rVX++hsSgDwcwCJQx5aESA4IeGVYvoU7GF6nE9M3Xoh8gIYYiShJZSUtZzYG/VAdG++UL1MDRA2UBK8BYPUoOXEJ01TkcAxEE9xzwppHkhKXnmURmHgiOBYZRsV58PnV+RddKugbxjp3Pxeh9A3Txvx7/1dPb2wKz9yk4q33SC1S49ksIuKnyH6VBu1hpG3XaCt0WI1vHpZ6A5XnSeMykJw9i0BJhablyZgBCNEiZsrJN76lQ8Iqbxa5CQ1kkRUBTFCfXz1Vf/tzqXvBO2Hgk3ncrDLq1OiThjhHGHfvDNbTzV/KUOGhd67Kv3samT0l0CvFYnkxZw==
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 20:SJZ74fjSnjQFoTIZtdjFujlV1SQURyddFoIn5LfIxUjgb+luFIBmxQZuXNBlr3UcEwYrJSG7qdGg5mIehKBET//HFiFTnn0xKTvn1jdoF9lf3DZgBMNKExw5G0Ton73Qlel0qGU+G2FIYjX7bJZ5I0KRxXIfQ75jtkjg4yUB9L15tyxU8h43src/QEmg/exeh8pCQqOj7F0cyMROIAeShx42XUzCH2v2FRBHkHSU/A0IGtdBOrBsEAkHtQ9/aIwm2UMNQE4JW+K/MPg+++T2RiqPru+ZLmRikiW7ijJrKhnq/XkQzZvp7AIk6JQnlHCXH5/KBmd5zODNECMUFd471CP98xJjFOx85PQ5hSwJa5ore1iyw8I8HGBbQsDtVYhspgkH/NViBAfwAcKEvT2UtUiWn89Y2nqTTSN8p3k/OBDwG7VHrKaijZRHg6Kt5Mju/JARCZ/VPlR4/yXVNGlhbYz31m7iphuQRhijQmsiKmNC3in3CSR7Chcro5vKSJc+
X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(100405760836317);
X-Microsoft-Antispam-PRVS: <BY2PR05MB2310B0F2438E371FD014A9C7BFBB0@BY2PR05MB2310.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(13018025)(8121501046)(13016025)(5005006)(100000703101)(100105400095)(10201501046)(93006095)(93003095)(3002001)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(20161123558100)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR05MB2310; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR05MB2310;
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 4:yo+om0KmTY3hYFB6/pfE7Q/vvYlXayXr1KIhzjygeVlfLYWkGxnQ7tTws6SV360owJ9+55QzLBMHy9ilITjer6TjkY/d9HgvkDx9wuFdcoO2rt0tXr6lDDTfNcxt6EK4bl4CDDVuBnT8OgorEiCkyePg8s3svWbpCRUNY4bAELyAmMlgM17lZY/ytLOBqcJahLPq33VUjvfYsZuUvn3pKqwpZwXwrfjrRKdH7EFNBaGgHkA71dnJxb5EGMpsa4XGpauwQnLmSiBcvUx9WmyvU/ilaO6jXWW2WADshGtDpCkB8tBGH6CoaPFhb/ha9GXjWl8xg4wFvkjqKIVFYNU5Z7IAIMBb4/RnuXiaOwS2QgNXOJOZ7J0gu/eyUXuIxFIEYSeHvnZULHsefJI4KMr6ibkslzFQ0Yb/DfZIFzg8is4aJg5kvVp/+JVUCB6mUZFOw6n2nQRYkc7pqiGDINfPbFY5lGCx1RL7K7oGRm1ceXFo7g4kBDs9AbvgURpXuA2L68e07pmYGn/Cvjp2JqV83QDDmcwbgldjfVInrMWhJFkRnFCk3yqiXO7HGoWMjIpDwQThI+KPjOUq4j3FeY0Mz//BTIGo6AimjhdI95EYwjPwH9C1wGL9IoLz8zgk2nGSgQWWJROtn+zMKPHbeLJY3Zp6YomtBKWTFugqM8OuOFL9Ytf8/MQTui3M9OXOrTlN5Rvb0P3gcXlSKkhG8h0zor9H0hsRzmATSh/M4huMQ+7RkJZCbkfdh4IQUjgO4oNDXFkDM0+HbNUuaQxL0yd4RDTVkunqlpyTRTf+sJ/Ui7uERSSV4A+94u8w+tFozX/XsjcQ4gTMyLVDyT/jCE82uqPVjGnmITb0Shl+NvJrxnJglFmUIzUhrW6Eyy04cSpINO7lUXhQKIUTRPJ3ZHS+ug7v39fjmXvZWJULcQauH3W551GLwZJNMuoQ8sc5Q5eiSvA/eliIXlY/kXudftsAL8T3PyR+++uKeJyAB96LbiT3k1qlP52+CEWiyxOwvZNgsCMHd+l6OVq/B9SZz9klnCoSzsNVZRxhHPvYc79YBs3xsfJjKeTfBvtRRwILTMhz9t78RM3Aka2eslhra62W9/2pR+mp+SvVcxy9RtiY13jd097ze1CG+crwxwvCf+0fc7rDZX5WjrWdbZaqQokuaU1Eayjd41ddl8I6fpX/Jsy5STOxcAqIwcaKooZPMvVCH4Y4nTbRcqQoSoBRIOtuX8u0Y846XjeX8OBPgaznolBItRruMUqoUnwsvCyFHTQ6C80cBsT0waYahtQB1yE03g==
X-Forefront-PRVS: 0378F1E47A
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 23:eMWvFwvB4hyJe1C2YVLiTbTmYCo72rBfcf48wOtLuqQBDQ6mma5g+HgilrHYQzcHRc2Nmt/auRfXG2ZW7vf2X5E/rRx7pElsz5bD4ghCdiQhLAxeQqarYx8OwroQdzGiupmkT8NqibMSQyPgmTUWJbsRAqraqAkD5bAxfdq4ADNDM3YGCNNB4ZS8grvu8Ez5ZBYwfnkL8zatxvETaPCXr4c/8WHD3vkTWyYevIp6gRt+5rS28nSioBhIOtBKxiy9VihHmnYRVwtk4MaiI2gDsE8OwXkzSvIIxIKPtRcIjl/EReMICRVojoE9UP3ukFPbfahErTjm6ot8cIiqSxoHBhXQKz1ObapQIxEicKileM94OlbH3JhHqu49r3nHr0qNIi5TNxFMBYzvBgV7/pjMLRjDVjhlw7bNNdyqyv6c8bimtZDp95+IoPYi3Eie0expJ5vb0b3XZp/QsbcZ7V1DVoArO4EsbMwSeUfC+dr4+7BbsjwcV3sOLuWFeIPQzQG071V+c8trW6waaI/2sunvFNE2Y6QzWDbUwQ8CQ/cVavN2Oi60UvSale8bDGa1t7oVs7dxKrZS/ZQUZmjv5iAwOYCmzxeX1Kuvu0/+w2nreHDy5OaFsn59f5YUVrtZZmeRyuG+JJmOGiULeYKaXz5iTPFfH3Twn/OxahTM3XxvuwxAntUhwFptIYQ7GOLo8Hci9d7UPHiL6wyh7/Ha0/pKaLouZKSsRSr60fugXuFLDoV8B8uzS/SF+OKdtviDBsTwOTgsD0qEPD/2sLzyYEtis+uG3lw7lxrR+5t9yKnAMewR6wiSbGfi8R0jQMh6rK3UQ3RxAahNBZ/ytqnsl7lHhcDJ8TCEk11KPrXArSPE56wJnKCxUHlRM6A/YmhKUHYhclM6S/JhaOXUSmEDBHD2HSZw2LMh/ngMnlybiQAImcm7ej7cHlwLx+HOmrDnCN8Nu25oyFKMj/YFdlgBCeEFvRuGvxS+hWPZLNmpzxS1JnQiAacZYyAcg9GfKkBiJRfaFa3deZVqKU8KSs/l6mYvF57jFHFon9m30L7B+OlkEttlPszPn4mJRi7znK492lgNywvdz8wB5jcUrj0PI31qhhOfSxnBKyvphfNpMQGL3q4fFJ1tHyeqADLH/h6dDXN/SMrHtZBBzlK5IP1lDsIdEUuLHlsjAlt13WXtniP2kaRXxvNHhbhg7Q35tqJniRKnxaBLR/pS5QNcU1t7z638uzN5s9NQLbnh6h9Bjdn2p8nl4TBg+7CJQO7IBdvZQ/zSkayn0OgFUeor+lYkGMA6m66wkGlQZYItCMgD250EZtMevEXt8VT+jfsGVkd0M9ssk0pFnWmI5i3sP4wFvvsw7mV5Y4Mk6LTpbtdRoXBU4LPmnu3ar19VWuY9Veo2zKkdb36r8fSN1Vh2W3t/+hukoqWcUl4iJNRUWXsxF/xHjq4BtIDQ5MOZs/B1df7cJrMorK1SImLbs3NdSDYJTyZa8lBH9iqCoyTIy3h2/ox10dhcV4h16OO7JVckU5ItR6iz
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 6:tV5/gKyAj8H1a35b2tJ7bZYCKBHgfIIYD8qM0vlGai7JfiVJMlS23Legg+3iuVo5ZrTZ7XLmnP6fNMylzknqZ5FlZVSl37cpfAIjg/+e1t9KQ7PXVOJkAJQKtI1xJLvrLAjVBBtpYCNSGrXnTyeMXU8s4NqRTPsOJpMrrt3Qeyp1AZL9OYGlNd/7d4GtHB4REpRX9eItdCXyhaX+47kyng5P8g5cM9ChQLrIyZOIb48w3nyq+8siz127lP+6ZmP4QxvbkAEmpY1cvf1NHdmBD8Pqznfp4WXpG8WYA6rKSSKSg/HVr3O57le1cs3XHHohLnRETd/AeYlU/RoYPNFoUQTwBBH1HOL+oa69CaVTXhrALtePmYC3/2AyH2eFDr4WgcRL5kujRmrfHbV+19eWD2ARM0vlFMWRcRoA7POkSCMEZ/ZMLN7N4buZM7AnQI1JCjbK2S3ENXmB21GGBR1nYAQe0rTLn3yROAQo/zm7MrVTD4/rPxRsO3PrKmKd+fVGkrwHF/+Q/cp/K1K2dJM9BtKi0LlmcJUfhSGcOLUKP5Xkk6UqXZ40rsYU/cwMenkj0tFvpJFh+WG/dj9bD/JC4ig/+VdwoVJqGCFb1h51AG24OUnIM4NQaNv+XXDgH8ISbR/Mzh2xAjEcLA7dZgaodEvOtVgEwQncJGZS5SN3BvmCqAVH6Dve1x4l7MnqxI+bVk9X7qCmpK+MvVqMl3Z5mxBoFKhEDaTFgcHUtmVCIVGbEaCrqO6Zkr3J0rBITXw4uCWjwFXcIuURha3HZTvu9M1KX+e9aRlhbrDjBDh0K/i1irTIsRpQNZaLQq2xl9IyLATGCsYR4JDWHHek615lvUnD3P0gqwoUzYfTY6JEg5LhSe73QmQ2louJ7VdP3klYoNI0C5IiVDcj0zkrj1Xl9TJNwBP9SLCiEA8qBp5lzOwbCiSM5qUZkRx1LN8HfeoARX7usHrZ9+4aeCZV1dj/+IBXPc6jv4nS83soSdtIjnvWjcuFPArunvIMN3uIcaMZ
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 5:JqOXORex040y30aGSS456OJsSHocJT52kuAhxp7LipsI2dwLfL8MMagSkbESat251TyzEw+vTFXsPup/SJe5xMY4/U94kDbYR0rY5/qkWidMb+3ziGn55gnMNgDT7nzRI8q1MXn/fqM/T8Lscbndwk510iukW9Z1Olur7FFZCVoWlOPHDLPsGa7mhL+RQDFvLbjNtF5QftKSvz35fby26vFqmwGnjEfP+j3Uw1BdezO8S1hh89i7j2mQiMJ3U+oOpiOViKV2ONegp1c/3aPETbaBubXOmdiJs4cyyulmz92/uzd/8WeNm8R/xq0TSU89LA8shgFA4v2TXi8VXYy3lXdOfbCcqe30M302S0H5ZYF27mjdVIX7CmetBUkoKhaw79mWbT3CU8VBvr9wd5pZImWFNEE3qS7TSg68Crc7mApJodIj3HsYPzOP5cpZx/3hrqEZHJtAoN1ZhVnl1GLtsjWWuGuF+dEKuUBgbRUO7eBUXjbfBe4X3+MAodjFXdge; 24:5/6q4P/vtHm1TzX1FbFfZ5iEeR1N8Erq5xnCkvReJ9AWDGoX7TtiMd9r4K/FO1JNaV/FcL4z9+l4dvFYzBocWt8zmtC/zeiBj+BR3599mHY=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2310; 7:EiyP1Z0NC47jqabKXvE9aEHiLbon4cb1oT1SOR19CWhT+sGFy0sHr21NF8WZCrGv/RgNcnCU7o9HceUV5//kCctWonB1jAgRlRAkwJwf8s+VMeT2m8HXrAtdfTunqnex9FxkKZvS7AxJFeo42ETocxbraS4fnQV+RotfazXEEdl6CzVLIpWf9mFpjcUqM6uwgZPRoJGP4b182MpyRe6iA25gEoJzUk5rN6/uZIlu/JqMFZKEAFmC1AJiAYY7SHKiV56EVmeIjMd9W1GqNxIo+t/C80TLcFGTboEZahbY8hB0FM6LGzi1a19j5R7nOZts5xyI9dFMynHuib8fsn1UJfCOroGN+Phti+nkc3MbPqAEzSjRLzet1YFl+7vQp7AKT37rD+bmfcyma0CScWP5SkqgP0lLjEOLwMfjiRnuMz9rjncObxTzmKmuR9LYiqyWPwqg7+iB5BzPavzj/4pp6xxssp/Rdiy3wV10e70fk0N71eFcKTQyTI0I9JuazxI1dMhOi1zn0STDEniGxYOPnXhKRh6/O8lNDvU4yMKp4Y/r4CbfSULTKyzV59wBDJpOdWPi0vaNJqv+ImQdqDhck83+Lhn/yJRypMWsj8F5wGH32tOSs0BLLGQVucedW+jH95eutxn0qC/wgFsnUgmbGXOdvFBblPQ6zOvs1uLWwgHKcTHJhq38duHUa5BXe1bs8WQqa8F7QwGlLvWJWwZLhYRZaE8+jiCVDhxk6r855g8iS3s2+XAGBYxGc7Za8WPbOn25AhqeR7P3zA2EOSk+dK8X2vrkf45sn7r02DLq0+w=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Jul 2017 03:26:06.2089 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[p-emfe01a-sac.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR05MB2310
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/8oIPDjD3U6-KlhLkEDc2lW3B_70>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 03:26:12 -0000

Hi Folks,

In the wake of the IETF 99 Curdle meeting, I am in the process of
updating the draft-ietf-curdle-ssh-kex-sha2 draft. The following are the
summary of changes:

 - remove use of SHOULD+ and SHOULD-

 - enumerate all of the Key exchange methods. The table will still have
   only the non-default "MAY" values, but all entries will exist with a
   brief indication stating that they MAY be implemented instead of
   the stronger SHOULD or MUST or SHOULD NOT or MUST NOT.

 - I am listing diffie-hellman-group1-sha1 as a SHOULD NOT (because it
   was a MUST preiously), but I am also listing gss-group1-sha1-* as a
   SHOULD NOT for consistency. Is this okay? Or, should I list the gss
   group as a MUST NOT?

 - I am thinking that gss-group14-sha1-* is better as a MAY than a
   SHOULD.

Everything else is MAY, here is the suggested new guidance:

         Key Exchange Method Name           Reference  Implement
         ---------------------------------- ---------- ----------
         curve25519-sha256                  ssh-curves SHOULD
         diffie-hellman-group-exchange-sha1 RFC4419    SHOULD NOT
         diffie-hellman-group1-sha1         RFC4253    SHOULD NOT
         diffie-hellman-group14-sha1        RFC4253    SHOULD
         diffie-hellman-group14-sha256      new-modp   MUST
         diffie-hellman-group16-sha512      new-modp   SHOULD
         ecdh-sha2-nistp256                 RFC5656    SHOULD
         ecdh-sha2-nistp384                 RFC5656    SHOULD
         gss-gex-sha1-*                     RFC4462    SHOULD NOT
         gss-group1-sha1-*                  RFC4462    SHOULD NOT
         gss-group14-sha256-*               gss-keyex  SHOULD
         gss-group16-sha512-*               gss-keyex  SHOULD
         gss-nistp256-sha256-*              gss-keyex  SHOULD
         gss-nistp384-sha384-*              gss-keyex  SHOULD
         gss-curve25519-sha256-*            gss-keyex  SHOULD
         rsa1024-sha1                       RFC4432    MUST NOT

I also have a new piece of text that tries to describe the section of
SHA256 vs SHA384 vs SHA512. However, I am not sure it is reasonable.
I provide it here for your comments:

    Selecting an appropriate hashing algorithm

       As may be seen from the above, the Key Exchange Methods area
       all using either SHA256 or SHA512 with the exception of the
       ecdh-sha2-nistp384 which uses SHA384.

       The cited CNSA Suite specifies the use of SHA384 and says that
       SHA256 is no longer good enough for TOP SECRET. Nothing is said
       about the use of SHA512. It may be that the internal state of
       1024 bits in both SHA384 and SHA512 makes the SHA384 more
       secure because it does not leak an additional 128 bits of
       state. Of course, use of SHA384 also reduces the security
       strength to 192 bits instead of being 256 bits or more. This
       seems to contradict the desire to double the symmetric key
       strength in order to try to be safe from Post Quantum Computing
       (PQC) attacks given a session key derived from the key
       exchange will be limited to the security strength of the hash
       being used.

       The move away from SHA256 to SHA512 for the newer key exchange
       methods is more to try to slow Grover's algorithm (a PQC
       attack) slightly. It is also the case that SHA2-512 may, in
       many modern CPUs, be implemented more efficiently using 64-bit
       arithmetic than SHA256 which is faster on 32-bit CPUs. The
       selection of SHA384 vs SHA512 is more about reducing the number
       of code point alternatives to negotiate. There seemed to be
       consensus in favor of SHA2-512 over SHA2-384 for key exchanges.

Before I publish -09, it would be nice to see if this list
is reasonable or not for other folks on the list.

Interesting note: I did not find a gss-gex-sha2-* defined in RFC4462.
It is also not found in the I-D.ietf-curdle-gss-keyex-sha2 draft.

	Thank you,
	-- Mark

PS: For completness, here is the list of all of the Key Exchanges
methods in my current copy of the draft.

     3.1.  curve25519-sha256 . . . . . . . . . . . . . . . . . . . .   4
     3.2.  curve448-sha512 . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  diffie-hellman-group-exchange-sha1  . . . . . . . . . . .   4
     3.4.  diffie-hellman-group-exchange-sha256  . . . . . . . . . .   4
     3.5.  diffie-hellman-group1-sha1  . . . . . . . . . . . . . . .   4
     3.6.  diffie-hellman-group14-sha1 . . . . . . . . . . . . . . .   5
     3.7.  diffie-hellman-group14-sha256 . . . . . . . . . . . . . .   5
     3.8.  diffie-hellman-group15-sha512 . . . . . . . . . . . . . .   5
     3.9.  diffie-hellman-group16-sha512 . . . . . . . . . . . . . .   5
     3.10. diffie-hellman-group17-sha512 . . . . . . . . . . . . . .   6
     3.11. diffie-hellman-group18-sha512 . . . . . . . . . . . . . .   6
     3.12. ecdh-sha2-nistp256  . . . . . . . . . . . . . . . . . . .   6
     3.13. ecdh-sha2-nistp384  . . . . . . . . . . . . . . . . . . .   6
     3.14. ecdh-sha2-nistp521  . . . . . . . . . . . . . . . . . . .   6
     3.15. gss-gex-sha1-*  . . . . . . . . . . . . . . . . . . . . .   6
     3.16. gss-group1-sha1-* . . . . . . . . . . . . . . . . . . . .   7
     3.17. gss-group14-sha1-*  . . . . . . . . . . . . . . . . . . .   7
     3.18. gss-group14-sha256-*  . . . . . . . . . . . . . . . . . .   7
     3.19. gss-group15-sha512-*  . . . . . . . . . . . . . . . . . .   7
     3.20. gss-group16-sha512-*  . . . . . . . . . . . . . . . . . .   7
     3.21. gss-group17-sha512-*  . . . . . . . . . . . . . . . . . .   8
     3.22. gss-group18-sha512-*  . . . . . . . . . . . . . . . . . .   8
     3.23. gss-nistp256-sha256-* . . . . . . . . . . . . . . . . . .   8
     3.24. gss-nistp384-sha384-* . . . . . . . . . . . . . . . . . .   8
     3.25. gss-nistp521-sha512-* . . . . . . . . . . . . . . . . . .   8
     3.26. gss-curve25519-sha256-* . . . . . . . . . . . . . . . . .   8
     3.27. gss-curve448-sha512-* . . . . . . . . . . . . . . . . . .   8
     3.28. rsa1024-sha1  . . . . . . . . . . . . . . . . . . . . . .   8
     3.29. rsa2048-sha256  . . . . . . . . . . . . . . . . . . . . .   9

v2.23.0 | Report a Bug | By Email