IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 25 March 2017 10:02 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2D6D124BE8 for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 03:02:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dq0pTAwXfXBU for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 03:02:43 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E576124281 for <curdle@ietf.org>; Sat, 25 Mar 2017 03:02:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1490436163; x=1521972163; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=b0F4i/tQYtgb4tfCPPs4Kr4l51EGMZwXAa7TE1fH0Tg=; b=eyCP5qqs36uax7TkosBQGahCE7gi0EBrGXSgjkrOFVEZoScy3md3gfBE JSKUfGWZOybQke5QHW293LpGlunwH0XQ5xrk92ex49ZD3DGThLN9VV4Bt boFzgaC++JrR9214erwRVQA0vedghy5RNvCq4vjGZ/p86zbSO6mHF/44g r3f+Pm58XDtaaPjIK4xVmNcW8XWFCAxxv/1XIVHSH6ncPo1+tU0AHqhRq 4DLIFdGgJDeEiXmaAKMxzPvgyW6KapQakxWH8Ker6LIs6n123C/H9UdUc u0M1I/pgNC6rL+DLxZvz5lTrp3RIajCIt0Hv5F1ybpWt1I1nGz59Phm3A g==;
X-IronPort-AV: E=Sophos;i="5.36,219,1486378800"; d="scan'208";a="145350603"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 25 Mar 2017 23:02:41 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 25 Mar 2017 23:02:28 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Sat, 25 Mar 2017 23:02:28 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>, Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>
Thread-Topic: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
Thread-Index: AQHSn+vj75AP59wDbUy5ryRiOFPQYKGb4DhQgAWgX4CAA91JyQ==
Date: Sat, 25 Mar 2017 10:02:27 +0000
Message-ID: <1490436136828.60577@cs.auckland.ac.nz>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz>, <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz>, <74B4C5B2AFD644748A0E1B0957A22C96@Khan>
In-Reply-To: <74B4C5B2AFD644748A0E1B0957A22C96@Khan>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/EuS2ZNa_4NOD2m9Ew8FwLtqJ1No>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 10:02:46 -0000

denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:

>I'm not sure that I see the threat here, or how the described behavior would
>resolve it.

I was thinking of it in terms of SSL's Change Cipherspec, the same as SSH's
Newkeys, where there's all sorts of subtle problems if you send data before
getting the other side's CCS to confirm that both sides are using the same
crypto parameters.  I'd always assumed that SSH's use of the redudant
SSH_MSG_SERVICE_REQUEST followed by a SSH_MSG_USERAUTH_REQUEST was that you
checked that the SSH_MSG_SERVICE_REQUEST succeeded, in other words that both
sides had scuccessfully agreed on the same crypto parameters, before sending
sensitive data in the SSH_MSG_USERAUTH_REQUEST.  So the point of the
SSH_MSG_SERVICE_REQUEST wasn't so much getting back the "yeah, sure, whatever"
response from the server, it was being able to verify that you could decrypt
and MAC the response you got.

>2. Send SERVICE_REQUEST, immediately followed by a USERAUTH message.
>
>This can all be sent potentially in the same transmission as the client's
>NEWKEYS. 

Ugh.  So there are implementations that will send a NEWKEYS + SERVICE_REQUEST
+ USERAUTH all in one block without having any idea wheteher the crypto
handshake process has succeeded?

>But I don't see what this would achieve, since NEWKEYS is still unencrypted.
>As-is, the server doesn't send an encrypted piece of information until it's
>replying to SERVICE_ACCEPT.

See above, I was using the SERVICE_REQUEST + SERVICE_ACCEPT to verify that
client and server are on the same page cryptographically.

>When re-adding "no-flow-control", I realized that the original definition is
>deficient, and allows no room for implementations that support this
>extension, but still prefer not to use it.
>
>Ours would be an implementation like that. If this needs two implementations
>to be added, I will implement it to make life easier for implementers of
>simpler SSH software, but I would prefer not to use it.
>
>I have therefore changed the definition as follows:
>
>  string  "no-flow-control"
>  string  choice of: "p" for preferred | "s" for supported
>
>To take effect, this extension MUST be:
>
>- Sent by both parties.
>- At least one party MUST have sent the value "p" (preferred).

That seems a bit wierd... the fact that a client or server is sending no-flow-
control already says "supported".  So you really just need at least one side
to set a boolean flag saying "yes, I really want this".  In other words no-
flow-control + boolean = false says the option is available, and boolean =
true says you must enable the option.

Peter.

v2.23.0 | Report a Bug | By Email