Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
denis bider <denisbider.ietf@gmail.com> Mon, 27 March 2017 00:27 UTC
Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98DE7120326 for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 17:27:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP8gl6aet8to for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
Received: from mail-pg0-x22c.google.com (mail-pg0-x22c.google.com [IPv6:2607:f8b0:400e:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82E8A1200F1 for <curdle@ietf.org>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
Received: by mail-pg0-x22c.google.com with SMTP id 21so22727994pgg.1 for <curdle@ietf.org>; Sun, 26 Mar 2017 17:27:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=E/leq+9CG6UaswMGgUih7MS//sAcw+X2NxB3ZSjR1CA=; b=vIeqmSMP9i70ua9NYP+OYgeA+8Asb/bWv9JYF8Cj028EFSnbGJO9r50JpXw6rEI7Dr z/u+kZNvuxC7HFePDr15rOYjvfa4ZK/9LWL5ie/2j1r4pmWfEmL6z/sz6CiopkurCra9 AzeuNrtuLtShLK9nXMm9tYFlphlN08DLIPaJ9gKeKYGhddmRi6ZiB/lC7VCMYUTPIiRE qjJDPVzqVHbAnQJWUX6YIfY/CZRpfjbq3qqUmwM0jVq8ljfzavw5gC8okNj0FUyWtfLS m8oH2XLFSl4iyDgpfOYNoGQ/NiAzoeSnYR1gAlv+eQfrnN+ihspBYgjDXATVvplUFvhi +z0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=E/leq+9CG6UaswMGgUih7MS//sAcw+X2NxB3ZSjR1CA=; b=PesnHmdWuiP6q4IMX06aIv671EaAvvOFk5q+vhOaix5MPHYwAr+zAplziW9TR28BDd kt/sz9niDbOFl6By87llb3lEagc25kvO3o6xjPW9iEUhkBya8ktyvHgTgPa49sB6p8L2 K+UZQLdx97xgBW9AsSh4Dw3BzogktfWLJfgxnsvFVv6XaYNz6JmYY6tmeBpfxqTGJKqO RUqV5UDOb5U1vtrGaxg12Z8Mwfovb/dqyea+LmsS7SR9uxkmdRrcba9O2Z2qsNQ+V9Ia Kp+VOAWt6TWo7domMw5qKQ1gYAKYxfOuvuXCz1zVjMAY5FbNsF3w0tTGu6+RwRb/etGc eftw==
X-Gm-Message-State: AFeK/H0ewgqLl7hwNH+ntxR6c0D2v3E5wNqGsQH29vlM9pCNNTbc0Lj47SojRDMnI+SpsTrQUik6sSckDl88BA==
X-Received: by 10.98.86.152 with SMTP id h24mr21790106pfj.184.1490574445974; Sun, 26 Mar 2017 17:27:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.179.41 with HTTP; Sun, 26 Mar 2017 17:27:25 -0700 (PDT)
From: denis bider <denisbider.ietf@gmail.com>
Date: Sun, 26 Mar 2017 18:27:25 -0600
Message-ID: <CADPMZDByTiWov0vp2Tk1n9dnnkfwepO+UsAnh3rdsrbem2H=VQ@mail.gmail.com>
To: daniel.migault@ericsson.com, curdle@ietf.org
Content-Type: multipart/alternative; boundary="001a1147d6205d1fd0054bab683e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/A9u7FHFFVt-LzeVYNYWe-EIZnCU>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 00:28:48 -0000
I created this new address for Curdle to avoid mailing list delivery issues due to DKIM and SPF. Daniel: > I believe it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss. I can do that, but the next question is, will someone implement it? If someone comes forward and says they'll be adding the PSS variants, I can definitely include them. If we do add them, this will make Peter unhappy. :) If my recollection serves, he disliked the 512 variant, as it is. The objection with additional variants is that if a fraction of deployments are set up to require them, this puts pressure on others to implement them as well. For Peter, this is a cost because his usage cases are extremely constrained. > Maybe that would be good to explain how the option is also > helping to deprecate suites in the security consideration section. OK. I have added the following: "This document is based on the premise that RSA is used in environments where a gradual, compatible transition to improved algorithms will be better received than one that is abrupt and incompatible. It advises that SSH implementations add support for new RSA signature algorithms along with SSH_MSG_EXT_INFO and the "server-sig-algs" extension to allow coexistence of new deployments with older versions that support only "ssh-rsa". Nevertheless, implementations SHOULD start to disable "ssh-rsa" in their default configurations as soon as they have reason to believe that new RSA signature algorithms have been widely adopted." Does this sound well? denis ----- Original Message ----- From: Daniel Migault Sent: Sunday, March 26, 2017 14:39 To: denis bider (Bitvise) Cc: curdle Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt Hi, Thanks for the response. Please see mine inline. In short I agree with your responses. I believe it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss. Yours, Daniel On Sun, Mar 26, 2017 at 12:56 PM, denis bider (Bitvise) < ietf-ssh3@denisbider.com> wrote: Daniel: Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for the signature format. An early version of the spec called for PSS. After strong objections - most prominently Peter Gutmann's; it is possible there were others - I changed back to PKCS1v1.5. The main objections were: - PSS is not as universally available; - adding a new type of padding would impose costs on highly resource-constrained implementations who would now have to support both. I have no objections to adding PSS. At this point, it would have to be added as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss. The existing names already have widely implemented / accepted meanings with PKCS1v1.5. I understand the motivations. I personally think it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss I understand that penalties are encouraging to keep ssh-rsa while the use of sha1 is deprecated. I suggest to provide some recommendations on how to perform penalties. The issue are penalties in software already deployed. Servers are often used for 5-10 years without update. Users actively resist updates, even if we urge otherwise. Often, there's no one to perform an update. The administrator who configured the server has left. The people who use it are afraid, because they don't have anyone who understands their setup if it breaks. A new spec won't fix this deployed base. Software that's aware of this spec is suggested to implement the "server-sig-algs" extension with EXT_INFO. This eliminates any need to guess what signature algorithm to use. That is this spec's recommendation. Agree, my recommendation on penalties was mostly for new implementations that do not implement ext_info. Maybe you are right having ext_info solve this issue better. MGLT: Can we recommend to have penalties only applies when algorithms are weaker than the one supported. The issue does not arise from implementations penalizing known algorithms, it arises from old software penalizing unknown algorithms. Old software cannot know whether an unknown algorithm is stronger or weaker than what it supports. An option we have is to recommend new implementations to not penalize unknown algorithms, because they could be stronger versions of known ones. That could be sensible. But the "server-sig-algs" extension already removes the need to try an algorithm the server doesn't support. > When authenticating with an RSA key against a server > that does not implement the "server-sig-algs" extension, > clients MAY default to an ssh-rsa signature to avoid > authentication penalties. MGLT: ssh-rsa must be deprecated, so I think we should have something different. The fall back should be on the most recommended algorithm, or the authentication penalty should be changed. We can put in instructions that work and will realistically be followed, or we can put in instructions that don’t work. Agree. Due to existing deployed base, falling back to “rsa-sha2-256” when the server does not send “server-sig-algs” will not work. If the spec is made to require this, implementers will ignore it for compatibility. Worse, there will then be poor guidance toward a solution that does work. Agree In my opinion, the way to deprecate ssh-rsa is to implement the new signature methods; implement the "server-sig-algs" extension to allow them to coexist; allow for several years of new deployment; and then, for new implementations to start disabling "ssh-rsa" by default. Maybe that would be good to explain how the option is also helping to deprecate suites in the security consideration section. denis ----- Original Message ----- From: Daniel Migault Sent: Saturday, March 25, 2017 17:40 To: curdle Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt Hi, Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt. In a word my comments are: - 1) Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for the signature format. - 2) I understand that penalties are encouraging to keep ssh-rsa while the use of sha1 is deprecated. I suggest to provide some recommendations on how to perform penalties. Yours, Daniel Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) draft-ietf-curdle-rsa-sha2-03.txt Abstract This memo defines an algorithm name, public key format, and signature format for use of RSA keys with SHA-2 512 for server and client authentication in SSH connections. MGLT: Maybe we should also add penalty recommendations as well ? 2. Public Key Algorithms This memo adopts the style and conventions of [RFC4253] in specifying how use of a signature algorithm is indicated in SSH. The following new signature algorithms are defined: rsa-sha2-256 RECOMMENDED sign Raw RSA key rsa-sha2-512 OPTIONAL sign Raw RSA key These signature algorithms are suitable for use both in the SSH transport layer [RFC4253] for server authentication, and in the authentication layer [RFC4252] for client authentication. Since RSA keys are not dependent on the choice of hash function, both new algorithms reuse the public key format of the existing "ssh-rsa" algorithm as defined in [RFC4253]: string "ssh-rsa" mpint e mpint n All aspects of the "ssh-rsa" format are kept, including the encoded string "ssh-rsa", in order to allow users' existing RSA keys to be used with the new signature formats, without requiring re-encoding, or affecting already trusted key fingerprints. Signing and verifying using these algorithms is performed according to the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as hash; MGF1 as mask function; and salt length equal to hash size. MGLT: Could we also take this opportunity to upgrade the signature to RSA-PSS ? If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most implementation, maybe this document could also define "rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could define rsa-sha2-* with RSA-PSS. 3. Discovery of signature algorithms supported by servers Implementation experience has shown that there are servers which apply authentication penalties to clients attempting signature algorithms which the SSH server does not support. MGLT: Can we recommend to have penalties only applies when algorithms are weaker than the one supported. Servers that accept rsa-sha2-* signatures for client authentication SHOULD implement the extension negotiation mechanism defined in [SSH-EXT-INFO], including especially the "server-sig-algs" extension. When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an ssh-rsa signature to avoid authentication penalties. MGLT: ssh-rsa must be deprecated, so I think we should have something different. The fall back should be on the most recommended algorithm, or the authentication penalty should be changed. _______________________________________________ Curdle mailing list Curdle@ietf.org https://www.ietf.org/mailman/listinfo/curdle _______________________________________________ Curdle mailing list Curdle@ietf.org https://www.ietf.org/mailman/listinfo/curdle
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Mark D. Baushke
- [Curdle] comments on draft-ietf-curdle-rsa-sha2-0… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider (Bitvise)
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Ilari Liusvaara
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault