IETF Logo Mail Archive

Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-curves-09

"Mark D. Baushke" <mdb@juniper.net> Mon, 26 August 2019 16:28 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F36601200DF; Mon, 26 Aug 2019 09:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_PUrncQ2WjD; Mon, 26 Aug 2019 09:28:55 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6066120072; Mon, 26 Aug 2019 09:28:54 -0700 (PDT)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x7QGONFF028813; Mon, 26 Aug 2019 09:28:47 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-transfer-encoding : date : message-id; s=PPS1017; bh=Mn5qYR7o09KULipCg0c+n6cn1UKaqZ4LOwf1bDX2of0=; b=MI4jvZKQEYriuvSIelyMcz1kMxRliRD86TihxRNaeBJcvZR9ZSopuAR6Ygysxys+lf2h tlQxY2BS3wmFzSQyNvcECo72l1zd0Dpjg2+7QzINUXdwtww3zIlj42zkv/q5fOhllTDQ 5gy0vTzPWjGS0Yy6pkznBhsk2R6/8PGjG7fDgjVBF6m9rwp3i7yr0/YphZ/cSDuZnymZ cvbodVUVDs+M33evYAu1j43ov9EkrVdrz50cKTcZcSf8evbwcOej7t0ON+vjQv2tMQc7 oAM/3SIImEFShUcRS4/eQqImmXXWfMAG7OAY7tmlwJfW6FAwEs0rX3CKxMsvEOpFWwzr 1Q==
Received: from nam01-by2-obe.outbound.protection.outlook.com (mail-by2nam01lp2053.outbound.protection.outlook.com [104.47.34.53]) by mx0a-00273201.pphosted.com with ESMTP id 2uknf6t0fc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 26 Aug 2019 09:28:46 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=b7aFetXTYJRRnXRFgw8Zr+4FKoH+jp08+Ub8DYV6Zcf6iPX4zGctp6iw3hF6sF8RL/cArO5HHLCUUXCr4X4qYqkRPmz6i883JH5zIAY3kK4GNNDVzY86N64q0IIPClW8VAQh7BTkKcLd5AyoZVsQZC2eqn3aImNEiVINv+rv7oS2dWSEY0XGLnMZcX4FMzoNgTewl3B4bMonj3OEBCwV4ypYpr8K4wR2Uhai31WYiQnYy3U8Pb7nx/N9EP8ABrsyfcxoigVthgvMmJZJuNBZsVSjfcjTph+Zk1uS/oIwrbjtO0JCXK+LjW+S80SEAOquDkDEO4WjeDty3Q6cFpkcvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mn5qYR7o09KULipCg0c+n6cn1UKaqZ4LOwf1bDX2of0=; b=YON8GR03Ih8OPU7aVrYGfNXXvFWBn0X/iQ0N6qLz66bX1jHBebsi+Rvzh92pqQJR9t/LGVVX+o0C7RqJMP5vhjxU7ebcpqTX/2Da90S+LNknk/LPQkUg12gjQZCb+czd98yDUkaNYAYiYCis9Jz65piAArdngk2B1rJ/1aD8NP5MI54bFVxJfR9GZNc1DNLptHdbfMa9I876WyE8rLLswJ1qpU3dlRRa2yvkd3moKgOLvGcxpvJbpmeAoaEKI84YsCr0nuGSGyYwuQ2opj1YtNjQT3TjGfJYnHkinxPOR/+evYWMV2X7BEjE4YdSjKaBiW0IUjzMs0GHu4A3wrHBJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.12) smtp.rcpttodomain=ietf.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
Received: from SN4PR0501CA0078.namprd05.prod.outlook.com (2603:10b6:803:22::16) by BN3PR05MB2706.namprd05.prod.outlook.com (2a01:111:e400:7bb4::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2220.13; Mon, 26 Aug 2019 16:28:45 +0000
Received: from BY2NAM05FT005.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e52::208) by SN4PR0501CA0078.outlook.office365.com (2603:10b6:803:22::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2220.7 via Frontend Transport; Mon, 26 Aug 2019 16:28:45 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from P-EXFEND-EQX-01.jnpr.net (66.129.239.12) by BY2NAM05FT005.mail.protection.outlook.com (10.152.100.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2220.7 via Frontend Transport; Mon, 26 Aug 2019 16:28:44 +0000
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 26 Aug 2019 09:28:44 -0700
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 26 Aug 2019 09:28:43 -0700
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Mon, 26 Aug 2019 09:28:43 -0700
Received: from contrail-ubm16-mdb.svec1.juniper.net ([10.163.18.199]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id x7QGSgqT028384; Mon, 26 Aug 2019 09:28:42 -0700 (envelope-from mdb@juniper.net)
To: Christer Holmberg <christer.holmberg@ericsson.com>
CC: gen-art@ietf.org, curdle@ietf.org, ietf@ietf.org, draft-ietf-curdle-ssh-curves.all@ietf.org
In-Reply-To: <156647523885.14827.16394888562228822662@ietfa.amsl.com>
References: <156647523885.14827.16394888562228822662@ietfa.amsl.com>
Comments: In-reply-to: Christer Holmberg via Datatracker <noreply@ietf.org> message dated "Thu, 22 Aug 2019 05:00:38 -0700."
From: "Mark D. Baushke" <mdb@juniper.net>
X-Phone: +1 408 745-2952 (Office)
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
X-Face: #8D_6URD2G%vC.hzU<dI&#Y9szHj$'mGtUq&d=rXy^L$-=G_-LmZ^5!Fszk:yXZp$k\nTF? 8Up0!v/%1Q[(d?ES0mQW8dRCXi18gK)luJu)loHk, }4{Vi`yX?p?crF5o:LL{6#eiO:(E:YMxLXULB k|'a*EjN.B&L+[J!PhJ*aX0n:5/
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 26 Aug 2019 09:28:42 -0700
Message-ID: <19556.1566836922@contrail-ubm16-mdb.svec1.juniper.net>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(4636009)(136003)(376002)(346002)(39860400002)(396003)(2980300002)(189003)(199004)(97876018)(4326008)(6916009)(305945005)(126002)(966005)(5660300002)(11346002)(446003)(2486003)(7696005)(23676004)(76176011)(117636001)(336012)(8936002)(6306002)(47776003)(50226002)(53936002)(6246003)(81166006)(316002)(478600001)(54906003)(14444005)(476003)(70586007)(70206006)(2906002)(229853002)(356004)(486006)(186003)(86362001)(50466002)(26005)(8676002)(81156014)(426003)(8746002)(62816006); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR05MB2706; H:P-EXFEND-EQX-01.jnpr.net; FPR:; SPF:SoftFail; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4baaac91-dca0-49d1-99fe-08d72a4276d0
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(4710121)(4711137)(1401327)(4618075)(2017052603328); SRVR:BN3PR05MB2706;
X-MS-TrafficTypeDiagnostic: BN3PR05MB2706:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Antispam-PRVS: <BN3PR05MB2706D91B10EAE287D21829D1BFA10@BN3PR05MB2706.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 01415BB535
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: aOVISmlSZBLOxTAAVNz7r1oYmwcUAn/kUyWijQoNp9Xa4VSr0AnuIttuaxpJQiKSpBEKyKGnwf8xhYqJ94TVFH0eiDh/MQxaZ88NsCB0DgF42KAczqori5fVQDQBltEe8JwNur4aXP7Sgl8sllw6pH4WkbemicfQYAYDREntFnV55T2USpqpgt1d5xwngz/gpec9F7dY4l05E/xjHELC2YX1QEwPlW/bpf+3ovfi53pxV0GG4MBXhUdHup19HUGwWj7WOYKLmZh/6oUOfePIpkT66EJluLEQmxrAalXZ1ePTlojAVCZJYgGy7lPt5LjaYpvcA8NMJV2tSXQGEZOrbVlHHesTyr42Alz95DOViKr3V+wYCvg6wI3y60kL4EvUrXz3aHR2jMTs6/zQMKY9mLyt6PeI6P3b2UaufOx45LA=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Aug 2019 16:28:44.5304 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4baaac91-dca0-49d1-99fe-08d72a4276d0
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[P-EXFEND-EQX-01.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR05MB2706
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:5.22.84,1.0.8 definitions=2019-08-26_08:2019-08-26,2019-08-26 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 bulkscore=0 clxscore=1011 priorityscore=1501 malwarescore=0 phishscore=0 spamscore=0 impostorscore=0 lowpriorityscore=0 mlxscore=0 suspectscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1908260162
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/KK2YvK56StiOVI_ctV1Li7Iaujc>
Subject: Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-curves-09
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2019 16:28:58 -0000

Hi Christer,

Christer Holmberg via Datatracker <noreply@ietf.org> writes:

> Reviewer: Christer Holmberg
> Review result: Ready with Nits
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.

Okay.

> For more information, please see the FAQ at
>
> https://trac.ietf.org/trac/gen/wiki/GenArtfaq
>
> Document: draft-ietf-curdle-ssh-curves-09
> Reviewer: Christer Holmberg
> Review Date: 2019-08-22
> IETF LC End Date: 2019-08-26
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> The document is almost ready for publication. I have no technical issues, but
> there are some issues in Section 1 that I'd like to authors to address.
>
> Major issues: N/A
>
> Minor issues: N/A
>
> Nits/editorial comments:
>
> General:
> ---------
>
> QGEN_1:
>
> - The document uses “as discussed in”, “as defined in”, “as described”
> in terminology. It might be justified to use different terminology in
> some cases, but in general I suggest trying to use consistent
> terminology.

I understand.

Only occurance of "as discussed in" is found in this text:

    "Alternative implementations of these functions SHOULD abort when
    either input forces the shared secret to one of a small set of
    values, as discussed in Section 7 of [RFC7748]."

Section 7 of RFC7748 is the Security Considerations section and is a
discussion of the elements which are potentially a security issue during
implementation. This draft provides a SHOULD recommendation to abort the
connection when one of these raised security considerations is found.

That said, I am okay with changing the text to

    "Alternative implementations of these functions SHOULD abort when
    either input forces the shared secret to one of a small set of
    values, as described in Section 7 of [RFC7748]."

The only other time the word discussed is used is in

    No further validation is required beyond what is discussed in <xref
    target="RFC7748"/>.

which may be replaced with

    No further validation is required beyond what is described in <xref
    target="RFC7748"/>.

I was unable to find any "as defined in" statements. I found declarative
statements "is defined in" "are defined in" "is defined as" which were
references to normative protocol elements.

The use of "as described in" is found in the standard boilerplate
copyright notice and the boilerplate Requirements language sections.
So, I have migrated from "discussed" to described" for consistentcy.

> Section 1:
> ----------
>
> Q1_1:
>
> The text says:
>
>    ”[RFC5656] describes how elliptic curves are
>    integrated in SSH, and this document reuses those protocol messages.”
>
> …and:
>
>    “This document describes how to implement key exchange based on
>    Curve25519 and Curve448 [RFC7748] in SSH.”
>
> -       It is unclear to me what “integrated in SSH” means.

The title of RFC 5656 is "Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer" and this Draft intents to augment the
Elliptic Curve methods defined there.

> Does it mean that RFC 5656 describes the generic procedures for
> performing SSH key exchanges using elliptic curves, or does it also
> cover other things?

RFC5656 covers three specific constructions:

   a) Elliptic Curve Diffie-Hellman (ECDH),
   b) Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and
   c) Elliptic Curve Digital Signature Algorithm (ECDSA).

This draft does not cover the use of a digital signature algoirthm or
apply the Curve25519 or Curve448 constructions to the use of ECMQV and
focuses entirely on ECDH key exchange extensions for a different
construction of elliptic curves.

> - I think the “this document reuses those protocol messages” sounds a
> little confusing because I don't know what “those protocol message”
> refers to. Perhaps say something like “reuses the protocol messages
> defined in that specification”.

This draft resuses the SSH_MSG_KEX_ECDH_INIT and SSH_MSG_KEX_ECDH_REPLY
messages which apply to the ECDH construction as in in section 4 of this
draft.

Does this paragraph work as a better replacement for the first paragraph
of the introduction? Or, is it too detailed for a summary introduction?

        Secure Shell (SSH) <xref target="RFC4251"/> is a secure remote
        login protocol. The key exchange protocol described in <xref
        target="RFC4253"/> supports an extensible set of methods. <xref
        target="RFC5656"/> defines how elliptic curves are integrated
        into this extensible SSH framework, and this document reuses the
        Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol
        messages defined in section 7.1 "ECDH Message Numbers" <xref
        target="RFC5656"/>.

It seems a bit detailed to me for an introduction. Let me know if you
have any suggestions on a revision.

> Q1_2:
>
> - I don't think you should use “we” terminology (“we describe”, “we chose”,
> etc..). Please talk about the document, and if you want to refer to a choice
> made by the WG please indicate that.

Fixed.

> Q1_3:
>
> - Instead of “currently”, I suggest to say something like “at the time of
> publication”. Because, the meaning of “currently” changes every second :)

Fixed.

> Q1_4:
>
> The text says:
>
> “The Curve448 key exchange method is novel but similar in spirit,”
>
> - I don't know what this means, since there is now further explanation.

The paragraph now reads:

        This document describes how to implement key exchange based on
        Curve25519 and Curve448 <xref target="RFC7748"/> in SSH. For
        Curve25519 with SHA-256 <xref target="RFC6234"/>, the algorithm
        described is equivalent to the privately defined algorithm
        "curve25519-sha256@libssh.org", which at the time of publication
        was implemented and widely deployed in libssh and OpenSSH. The
        Curve448 key exchange method is similar but uses SHA-512 <xref
        target="RFC6234"/> to further separate it from the Curve25519
        alternative.

Would you rather that I use 'This document defines ...' here and in the
abstract rather than 'This document describes ...' ? Please advise.


> Q1_5:
>
> The text says:
>
>    “This document provide Curve25519 as the preferred choice, but
>    suggests that the fall back option Curve448 is implemented to provide
>    an hedge against unforeseen analytical advances against Curve25519
>    and SHA-256.”
>
> - Is the only reason why one should implement Curve448 that something
> MAY happen to Curve25519 in the future?

No, the Curve448 also has a stronger cryptographic security strength. If
it becomes a requirement to use a minimum of 128 bits of security
strength, then Curve25519 may be rejected by some and thus the need to
provide for something stronger.

> - Also, is there anything preventing unforeseen analytical advances
> against Curve448?

There is nothing preventing any unforeseen analytical advances against
any of the current public key implementations. This is why
Post-Quantum-Cryptographic (PQC) is such a host topic today.

However, the same tools which may be able to exploit EcDSA may not be as
quickly pointed at these curves. Cryptographic agility is the key here.

Let me know if you which to have me remove the entire paragraph or not.

        This document provide Curve25519 as the preferred choice, but
        suggests that the fall back option Curve448 is
        implemented to provide an hedge against unforeseen
        analytical advances against Curve25519 and SHA-256. Due
        to different implementation status of these two curves
        (high-quality free implementations of Curve25519 has
        been in deployed use for several years, while Curve448
        implementations are slowly appearing), it is accepted
        that adoption of Curve448 will be slower.

Should I upload my updated draft-ietf-curdle-ssh-curves-10.xml or
do you have additional suggestions?

	Thank you,
	-- Mark

v2.23.0 | Report a Bug | By Email