Re: [Curdle] Roman Danyliw's No Objection on draft-ietf-curdle-ssh-curves-11: (with COMMENT)
"Mark D. Baushke" <mdb@juniper.net> Thu, 05 September 2019 00:17 UTC
Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD31120830; Wed, 4 Sep 2019 17:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7VP_jW5T0GNJ; Wed, 4 Sep 2019 17:17:01 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 529C41200B4; Wed, 4 Sep 2019 17:17:01 -0700 (PDT)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x8509C4M004300; Wed, 4 Sep 2019 17:16:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-transfer-encoding : date : message-id; s=PPS1017; bh=P4KdJ55LAj+vMCVjt381ioM2U3pKpxz+nWnhP5FUQ7w=; b=vTYEvNpTMFte2w8TclIjDOq7lZ2T9YZul4CKgOV2R9eJwyQdoEEzqwWqKqgFPFg2hEIS yNrGVWPA6jqXoPsbKpXhGnMlZtFXfHFgyOrmt5YijPXd2HJE/pVGcbb1ev4WKdwrICjg SFPKVDD8FBJKmKo+6R/8V6CSvGjUjDjyuJOm35NdTypUOV6goOXRHtiu92adzKhXjrgm EWtUAJi5vtEytpALGzh1lxaqSdSd6MSANbnDeXP6AoKnN7Cvw/Fy2RCciMTdDUWi1rwL pugDdOVZPAiZC2tO3HSQCEkwj9VVrAXaF6ap7rCcmY7atSvkau4h7WX6uBigmC6+Th8W rw==
Received: from nam02-cy1-obe.outbound.protection.outlook.com (mail-cys01nam02lp2051.outbound.protection.outlook.com [104.47.37.51]) by mx0a-00273201.pphosted.com with ESMTP id 2utqg380w8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 04 Sep 2019 17:16:53 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LnfnbQFzL+th5CnZw98QrPKltcp47LdFCti+AVkkyucX/5b72Rbj4Xd46LfKsx6+X3HnMH4o20PqDRDKx17Xj2h9s3EJ3tDYTx6OMK0sfJnbL8wOfHpm//BCb4PeyqBNt8b8XjWmB7aDpU+u3n1bNCKI4xike6aY9yoVObd3SDqOCXwjDXF/JwcZ90R6tdgs3rXumrWzojkHBoz6gtO+ND3CpkBHmfq7mMcdE8hGt3quS8wwSBuhovsSUmf/3cEIbkbeijrgfYmPZdKoYPMk7+P9ffqEGJ0j4hQ1cIHXpTq09bawX9yWweEGADg99AhNDpHPRTiL/p5zdkE5E1o6/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P4KdJ55LAj+vMCVjt381ioM2U3pKpxz+nWnhP5FUQ7w=; b=JUVUHByPc74vxE6k2DGIy0fGUSOjlU7teh2Tnsewb5OvcwsNOMMWwGwBX65H8VPZ4KQZ+bAdr+n0gn4LpoP+yMByjhPZ1FBMX5TADG2M1dxadLG/i99VQ7mEsIBpMvZo0I/u2Snk3qJRzUgOwTrWgBNSbTM8LGargppURtnrfEOJgv5ppUdiAFFPQP5uBaz/yMwyi6ZABuSutaFhmRgLtUA4HP62UASGuVDP1H8A2RZJ+qq0DmrHp3cVSAmpUZ6/YHVQumoTScEOFmMAfA1gJ7rARwVj8I/urGU2Ik8oeG5bqK3MmWv8cnqxB0hMll6VG+KWlJ/qZs5s0FPMidYffg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.13) smtp.rcpttodomain=ietf.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
Received: from BN6PR05CA0023.namprd05.prod.outlook.com (2603:10b6:405:39::36) by BL0PR05MB4803.namprd05.prod.outlook.com (2603:10b6:208:5f::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2241.6; Thu, 5 Sep 2019 00:16:50 +0000
Received: from CO1NAM05FT055.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e50::206) by BN6PR05CA0023.outlook.office365.com (2603:10b6:405:39::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.6 via Frontend Transport; Thu, 5 Sep 2019 00:16:50 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.13 as permitted sender)
Received: from P-EXFEND-EQX-02.jnpr.net (66.129.239.13) by CO1NAM05FT055.mail.protection.outlook.com (10.152.96.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2241.7 via Frontend Transport; Thu, 5 Sep 2019 00:16:50 +0000
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXFEND-EQX-02.jnpr.net (10.104.8.55) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 4 Sep 2019 17:16:48 -0700
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Wed, 4 Sep 2019 17:16:48 -0700
Received: from contrail-ubm16-mdb.svec1.juniper.net ([10.163.18.199]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id x850GklG022278; Wed, 4 Sep 2019 17:16:46 -0700 (envelope-from mdb@juniper.net)
To: Roman Danyliw <rdd@cert.org>
CC: The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-curves@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org
In-Reply-To: <156762006020.22702.1038136592868419822.idtracker@ietfa.amsl.com>
References: <156762006020.22702.1038136592868419822.idtracker@ietfa.amsl.com>
Comments: In-reply-to: Roman Danyliw via Datatracker <noreply@ietf.org> message dated "Wed, 04 Sep 2019 11:01:00 -0700."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 04 Sep 2019 17:16:46 -0700
Message-ID: <25783.1567642606@contrail-ubm16-mdb.svec1.juniper.net>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.13; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(4636009)(396003)(39860400002)(346002)(376002)(136003)(2980300002)(189003)(199004)(6916009)(316002)(50466002)(5660300002)(478600001)(70586007)(6246003)(426003)(53936002)(8746002)(8936002)(70206006)(97876018)(486006)(126002)(117636001)(47776003)(2906002)(11346002)(7696005)(86362001)(14444005)(26005)(81156014)(4326008)(76176011)(229853002)(476003)(2486003)(23676004)(54906003)(186003)(81166006)(356004)(6306002)(336012)(446003)(305945005)(8676002)(62816006); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR05MB4803; H:P-EXFEND-EQX-02.jnpr.net; FPR:; SPF:SoftFail; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: e97d95d8-da38-46eb-c0fb-08d73196590d
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(4710121)(4711137)(1401327)(4618075)(2017052603328); SRVR:BL0PR05MB4803;
X-MS-TrafficTypeDiagnostic: BL0PR05MB4803:
X-MS-Exchange-PUrlCount: 2
X-Microsoft-Antispam-PRVS: <BL0PR05MB4803A99A5EF130C2B4B7371CBFBB0@BL0PR05MB4803.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:5236;
X-Forefront-PRVS: 015114592F
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: AensN7sS7h1CT/kCWalJ/dmIChHBCHHNGfmpyqGzWcLxfzH4ZEprAEnSC2tG22dN3sAXgaMDsWrtQiWVTvLYAMCyNfuMT+qOfHhfSb8d9E2b5nkIjR+IbosZBP+GTjTvVmc3pIJPbbo+enEkrTH0Yy4vnRDKdviF7rdKUytnTFhxMf4CmDmWMpG6ynzF5DoxNRRgmxH90CAl8bWw89ImIfUWCBp9ZvsCYBqChpoJDm5y6iaRc2OvGQP1TMjsqq5cXc/yqhKZ2HeDTBnUFzF0woaBKE2J0992PFuuUMLQEi8QXqGt8Th+cvwEOcAHVczxBTKf8Eb77CcjQihGuHErtNRnelCryFDvpEU0Wm565Z88GnslIbP1v5TLmOezaTELHJEzDIOghAP60MfTkXaVJmTOhUwutSQZ6BxXKsRlSmM=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Sep 2019 00:16:50.3302 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e97d95d8-da38-46eb-c0fb-08d73196590d
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.13]; Helo=[P-EXFEND-EQX-02.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR05MB4803
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-04_06:2019-09-04,2019-09-04 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 bulkscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 spamscore=0 clxscore=1011 priorityscore=1501 phishscore=0 impostorscore=0 malwarescore=0 mlxlogscore=999 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1909050000
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/GIc5kh8GaqdykKIyjDwQqqIc5ak>
Subject: Re: [Curdle] Roman Danyliw's No Objection on draft-ietf-curdle-ssh-curves-11: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Sep 2019 00:17:04 -0000
Hi Roman, Roman Danyliw via Datatracker <noreply@ietf.org> writes: > (1) Section 1. Please provide informative reference to libssh and OpenSSH. Will add both ...elided... libssh <xref target="libssh"/> and OpenSSH <xref target="OpenSSH"/>. ...elided... <reference anchor="libssh" target="https://www.libssh.org/"> <front> <title>The SSH Library</title> <author> <organization>libssh</organization> </author> <date month="September" year="2019"/> </front> </reference> <reference anchor="OpenSSH" target="https://www.openssh.com/"> <front> <title>The OpenSSH Project</title> <author> <organization>OpenSSH group of OpenBSD</organization> </author> <date month="September" year="2019"/> </front> </reference> I am not sure these references are all that helpful...? > (2) Section 5. Per the second paragraph of this section, I would recommend > being clearer on the differences and similarities of both algorithms so > implementers understand the tradeoffs. Specifically: > > -- Curve25519 is “strong” (Section 1 says ~128 bits) and Curve448 “hasn't > received the same cryptographic review” – these seem like unequal statements. Okay. > -- Curve 25519 makes the claims of being “efficient on a wide range of > architecture” and “better implementations properties compared to traditional > elliptical curves”. Curve448 “is similar … and is slower”. So is it > inefficient across architectures? Worst implementation properties? Can > anything be said to qualify “slower”? I believe it is slower because it is processing more bits of key and uses a larger hash (SHA-256 is faster than SHA-512 on i386 hardware and about the same in X86_64 hardware due to native word lengths). > -- I recommend moving the guidance on what is recommend and why to be > in this section so the rational is in one place (rather than also > being in Section 1, “This document provide Curve25519 as the preferred > choice, …”) I have removed the last paragraph of section 1 (Introduction). I have updated section 5 (Security Considerations) as follows: <t> The security considerations of <xref target="RFC4251"/>, <xref target="RFC5656"/>, and <xref target="RFC7748"/> are inherited. </t> <t> Curve25519 with SHA-256 provides strong (~128 bits) security and is efficient on a wide range of architectures, and has properties that allows better implementation properties compared to traditional elliptic curves. Curve448 with SHA-512 provides stronger (~224 bits) security with similar implementation properties, but has not received the same cryptographic review as Curve25519, and is slower (larger key material and larger secure hash algorithm), but it is provided as a hedge to combat unforeseen analytical advances against Curve25519 and SHA-256 due to the larger number of security bits. </t> <t> The way the derived binary secret string is encoded into a mpint before it is hashed (i.e., adding or removing zero-bytes for encoding) raises the potential for a side-channel attack which could determine the length of what is hashed. This would leak the most significant bit of the derived secret, and/or allow detection of when the most significant bytes are zero. For backwards compatibility reasons it was decided not to address this potential problem. </t> <t> This document provides "curve25519-sha256" as the preferred choice, but suggests that the "curve448-sha512" is implemented to provide more than 128 bits of security strength should that become a requirement. </t> > (3) Appendix A: As other ballots have noted, is this section needed? Appendix A has been removed. > (4) Editorial Nits: > -- Section 3. s/chapter 4/section 4/g Fixed. > -- Section 3.1. The text “… passed to the ECDH code in SSH that …” > reads like a given implementation is being discussed. Perhaps “passed > to the ECDH function” (or ECDH algorithm). Fixed. Using: s/ECDH code/ECDH function/ > -- Section 1. Per “The Curve448 key exchange method is similar but > uses SHA-512 [RFC6234] to further separate it from the Curve25519 > alternative.”, I recommend dropping the ending clause of “to further > separate it from the Curve22519 alternative”. The subsequent text (in > the Security Considerations) appear to already cover that it is an > alternative. Adopted. -- Mark
- [Curdle] Roman Danyliw's No Objection on draft-ie… Roman Danyliw via Datatracker
- Re: [Curdle] Roman Danyliw's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Roman Danyliw's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Roman Danyliw's No Objection on draf… Roman Danyliw