IETF Logo Mail Archive

Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt

denis bider <denisbider.ietf@gmail.com> Mon, 27 March 2017 00:27 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98DE7120326 for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 17:27:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP8gl6aet8to for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
Received: from mail-pg0-x22c.google.com (mail-pg0-x22c.google.com [IPv6:2607:f8b0:400e:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82E8A1200F1 for <curdle@ietf.org>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
Received: by mail-pg0-x22c.google.com with SMTP id 21so22727994pgg.1 for <curdle@ietf.org>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=E/leq+9CG6UaswMGgUih7MS//sAcw+X2NxB3ZSjR1CA=; b=vIeqmSMP9i70ua9NYP+OYgeA+8Asb/bWv9JYF8Cj028EFSnbGJO9r50JpXw6rEI7Dr z/u+kZNvuxC7HFePDr15rOYjvfa4ZK/9LWL5ie/2j1r4pmWfEmL6z/sz6CiopkurCra9 AzeuNrtuLtShLK9nXMm9tYFlphlN08DLIPaJ9gKeKYGhddmRi6ZiB/lC7VCMYUTPIiRE qjJDPVzqVHbAnQJWUX6YIfY/CZRpfjbq3qqUmwM0jVq8ljfzavw5gC8okNj0FUyWtfLS m8oH2XLFSl4iyDgpfOYNoGQ/NiAzoeSnYR1gAlv+eQfrnN+ihspBYgjDXATVvplUFvhi +z0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=E/leq+9CG6UaswMGgUih7MS//sAcw+X2NxB3ZSjR1CA=; b=PesnHmdWuiP6q4IMX06aIv671EaAvvOFk5q+vhOaix5MPHYwAr+zAplziW9TR28BDd kt/sz9niDbOFl6By87llb3lEagc25kvO3o6xjPW9iEUhkBya8ktyvHgTgPa49sB6p8L2 K+UZQLdx97xgBW9AsSh4Dw3BzogktfWLJfgxnsvFVv6XaYNz6JmYY6tmeBpfxqTGJKqO RUqV5UDOb5U1vtrGaxg12Z8Mwfovb/dqyea+LmsS7SR9uxkmdRrcba9O2Z2qsNQ+V9Ia Kp+VOAWt6TWo7domMw5qKQ1gYAKYxfOuvuXCz1zVjMAY5FbNsF3w0tTGu6+RwRb/etGc eftw==
X-Gm-Message-State: AFeK/H0ewgqLl7hwNH+ntxR6c0D2v3E5wNqGsQH29vlM9pCNNTbc0Lj47SojRDMnI+SpsTrQUik6sSckDl88BA==
X-Received: by 10.98.86.152 with SMTP id h24mr21790106pfj.184.1490574445974; Sun, 26 Mar 2017 17:27:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.179.41 with HTTP; Sun, 26 Mar 2017 17:27:25 -0700 (PDT)
From: denis bider <denisbider.ietf@gmail.com>
Date: Sun, 26 Mar 2017 18:27:25 -0600
Message-ID: <CADPMZDByTiWov0vp2Tk1n9dnnkfwepO+UsAnh3rdsrbem2H=VQ@mail.gmail.com>
To: daniel.migault@ericsson.com, curdle@ietf.org
Content-Type: multipart/alternative; boundary="001a1147d6205d1fd0054bab683e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/A9u7FHFFVt-LzeVYNYWe-EIZnCU>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 00:28:48 -0000

I created this new address for Curdle to avoid mailing list delivery issues
due to DKIM and SPF.

Daniel:


> I believe it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss.

I can do that, but the next question is, will someone implement it?

If someone comes forward and says they'll be adding the PSS variants, I can
definitely include them.

If we do add them, this will make Peter unhappy. :) If my recollection
serves, he disliked the 512 variant, as it is.

The objection with additional variants is that if a fraction of deployments
are set up to require them, this puts pressure on others to implement them
as well. For Peter, this is a cost because his usage cases are extremely
constrained.


> Maybe that would be good to explain how the option is also
> helping to deprecate suites in the security consideration section.

OK. I have added the following:

"This document is based on the premise that RSA is used in environments
where a gradual, compatible transition to improved algorithms will be
better received than one that is abrupt and incompatible. It advises that
SSH implementations add support for new RSA signature algorithms along with
SSH_MSG_EXT_INFO and the "server-sig-algs" extension to allow coexistence
of new deployments with older versions that support only "ssh-rsa".
Nevertheless, implementations SHOULD start to disable "ssh-rsa" in their
default configurations as soon as they have reason to believe that new RSA
signature algorithms have been widely adopted."

Does this sound well?

denis


----- Original Message -----
From: Daniel Migault
Sent: Sunday, March 26, 2017 14:39
To: denis bider (Bitvise)
Cc: curdle
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt

Hi,


Thanks for the response. Please see mine inline. In short I agree with your
responses. I believe it would be good to add rsa-sha2-256-pss,
rsa-sha2-512-pss.


Yours,

Daniel





On Sun, Mar 26, 2017 at 12:56 PM, denis bider (Bitvise) <
ietf-ssh3@denisbider.com> wrote:

Daniel:



Should we consider adding / replacing PKCS1v1.5
by RSA-PSS for the signature format.


An early version of the spec called for PSS. After strong objections - most
prominently Peter Gutmann's; it is possible there were others - I changed
back to PKCS1v1.5. The main objections were:

- PSS is not as universally available;
- adding a new type of padding would impose costs on highly
resource-constrained implementations who would now have to support both.

I have no objections to adding PSS. At this point, it would have to be
added as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss.

The existing names already have widely implemented / accepted meanings with
PKCS1v1.5.


I understand the motivations. I personally think it would be good to add
rsa-sha2-256-pss, rsa-sha2-512-pss


I understand that penalties are encouraging to
keep ssh-rsa while the use of sha1 is deprecated.
I suggest to provide some recommendations on how
to perform penalties.


The issue are penalties in software already deployed. Servers are often
used for 5-10 years without update. Users actively resist updates, even if
we urge otherwise. Often, there's no one to perform an update. The
administrator who configured the server has left. The people who use it are
afraid, because they don't have anyone who understands their setup if it
breaks. A new spec won't fix this deployed base.

Software that's aware of this spec is suggested to implement the
"server-sig-algs" extension with EXT_INFO. This eliminates any need to
guess what signature algorithm to use. That is this spec's recommendation.



Agree, my recommendation on penalties was mostly for new implementations
that do not implement ext_info. Maybe you are right having ext_info solve
this issue better.


MGLT: Can we recommend to have penalties only applies
when algorithms are weaker than the one supported.


The issue does not arise from implementations penalizing known algorithms,
it arises from old software penalizing unknown algorithms. Old software
cannot know whether an unknown algorithm is stronger or weaker than what it
supports.

An option we have is to recommend new implementations to not penalize
unknown algorithms, because they could be stronger versions of known ones.
That could be sensible. But the "server-sig-algs" extension already removes
the need to try an algorithm the server doesn't support.



> When authenticating with an RSA key against a server
> that does not implement the "server-sig-algs" extension,
> clients MAY default to an ssh-rsa signature to avoid
> authentication penalties.

MGLT: ssh-rsa must be deprecated, so I think we should
have something different. The fall back should be on
the most recommended algorithm, or the authentication
penalty should be changed.


We can put in instructions that work and will realistically be followed, or
we can put in instructions that don’t work.


Agree.


Due to existing deployed base, falling back to “rsa-sha2-256” when the
server does not send “server-sig-algs” will not work. If the spec is made
to require this, implementers will ignore it for compatibility. Worse,
there will then be poor guidance toward a solution that does work.

Agree

In my opinion, the way to deprecate ssh-rsa is to implement the new
signature methods; implement the "server-sig-algs" extension to allow them
to coexist; allow for several years of new deployment; and then, for new
implementations to start disabling "ssh-rsa" by default.


Maybe that would be good to explain how the option is also helping to
deprecate suites in the security consideration section.


denis



----- Original Message -----
From: Daniel Migault
Sent: Saturday, March 25, 2017 17:40
To: curdle
Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt

Hi,

Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt.

In a word my comments are:
  - 1) Should we consider  adding / replacing PKCS1v1.5 by RSA-PSS for  the
signature format.
  - 2) I understand that penalties are encouraging to keep ssh-rsa while
the use of sha1 is deprecated. I suggest to provide some recommendations on
how to perform penalties.

Yours,
Daniel

     Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
                  draft-ietf-curdle-rsa-sha2-03.txt


Abstract

 This memo defines an algorithm name, public key format, and signature
 format for use of RSA keys with SHA-2 512 for server and client
 authentication in SSH connections.

MGLT: Maybe we should also add penalty recommendations as well ?

2.  Public Key Algorithms

 This memo adopts the style and conventions of [RFC4253] in specifying
 how use of a signature algorithm is indicated in SSH.

 The following new signature algorithms are defined:

   rsa-sha2-256    RECOMMENDED    sign    Raw RSA key
   rsa-sha2-512    OPTIONAL       sign    Raw RSA key

 These signature algorithms are suitable for use both in the SSH transport
 layer [RFC4253] for server authentication, and in the authentication
 layer [RFC4252] for client authentication.

 Since RSA keys are not dependent on the choice of hash function, both
 new algorithms reuse the public key format of the existing "ssh-rsa"
 algorithm as defined in [RFC4253]:

   string    "ssh-rsa"
   mpint     e
   mpint     n

 All aspects of the "ssh-rsa" format are kept, including the encoded
 string "ssh-rsa", in order to allow users' existing RSA keys to be
 used with the new signature formats, without requiring re-encoding,
 or affecting already trusted key fingerprints.

 Signing and verifying using these algorithms is performed according to
 the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as
 hash; MGF1 as mask function; and salt length equal to hash size.

MGLT: Could we also take this opportunity to upgrade the signature to
RSA-PSS ?
If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most
implementation, maybe this document could also define
"rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could
define rsa-sha2-* with RSA-PSS.


3.  Discovery of signature algorithms supported by servers

 Implementation experience has shown that there are servers which apply
 authentication penalties to clients attempting signature algorithms
 which the SSH server does not support.

MGLT: Can we recommend to have penalties only applies when algorithms are
weaker than the one supported.

 Servers that accept rsa-sha2-* signatures for client authentication
 SHOULD implement the extension negotiation mechanism defined in
 [SSH-EXT-INFO], including especially the "server-sig-algs" extension.

 When authenticating with an RSA key against a server that does not
 implement the "server-sig-algs" extension, clients MAY default to an
 ssh-rsa signature to avoid authentication penalties.

MGLT: ssh-rsa must be deprecated, so I think we should have something
different. The fall back should be on the most recommended algorithm, or
the authentication penalty should be changed.




_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

v2.23.0 | Report a Bug | By Email