Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

Damien Miller <djm@mindrot.org> Thu, 20 July 2017 01:00 UTC

Date: Thu, 20 Jul 2017 10:59:39 +1000
From: Damien Miller <djm@mindrot.org>
To: "Mark D. Baushke" <mdb@juniper.net>
cc: curdle@ietf.org
In-Reply-To: <82005.1500305248@eng-mail01.juniper.net>
Message-ID: <alpine.BSO.2.20.1707201053511.14080@haru.mindrot.org>
References: <22892.35863.542104.942153@fireball.acr.fi> <82005.1500305248@eng-mail01.juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/PvGBxSIcRVnyO-12hUh_ZokrnI4>

On Mon, 17 Jul 2017, Mark D. Baushke wrote:

> Hi Tero,
> 
> Tero Kivinen <kivinen@iki.fi> writes:
> 
> > I think it is a bad idea to go from MUST to implement algorithm to MUST
> > NOT implement in one step. Especially as this will make all current
> > ssh implementations non-conforming as they do still implement
> > diffie-hellman-group1-sha1 even when it might be disabled by default.
> 
> I see your point.
> 
> > We are defining here a MUST implement and MUST not implement, not MUST
> > use and MUST NOT use recommendations.
> 
> For reference, there are five key exchanges that
> draft-ietf-curdle-ssh-kex-sha2-08 marks as "MUST NOT"
> 
>           Key Exchange Method Name           Reference  Implement
>           ---------------------------------- ---------- ---------
>           diffie-hellman-group1-sha1         RFC4253    MUST NOT
>           diffie-hellman-group-exchange-sha1 RFC4419    MUST NOT
>           gss-gex-sha1-*                     RFC4462    MUST NOT
>           gss-group1-sha1-*                  RFC4462    MUST NOT
>           rsa1024-sha1                       RFC4432    MUST NOT
> 
> Of these, only diffie-hellman-group1-sha1 is moving from MUST to MUST
> NOT. Due to 1024-bit Diffie-Hellman being considered by many as having
> too little security (the same would be true of gss-group1-sha1-*).
> 
> What transition period is desirable for taking group1 "MUST" to "SHOULD
> NOT" to "MUST NOT" ? Is it possible to codify both "SHOULD NOT" and 
> "MUST NOT" time frames into one RFC?

Anecdata: OpenSSH has disabled diffie-hellman-group1-sha1 by default
for approximately two years in the client and for considerably longer in
the server.

Opinion: there's still enough old junk out there that optional support for
diffie-hellman-group1-sha1 is probably necessary for a while longer.
IMO this is probably worth an explicit note in the draft.

-d
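As an added illustration that is not part of the original thread or of OpenSSH, the following Python checker turns the MUST NOT table quoted above into a conformance test for an SSH key exchange name-list. It accepts the comma-separated form used in KEXINIT and in a KexAlgorithms configuration line, or one name per line as printed by `ssh -Q kex`, and reports every offered method the draft forbids. The two sample name-lists and the base64-style suffix on the gss-group1-sha1 entry are constructed for this example; the wildcard handling for the gss-* rows is an assumption about how those table entries are meant to be read.

```python
"""Flag key exchange methods that draft-ietf-curdle-ssh-kex-sha2-08 marks
as MUST NOT implement, given an SSH name-list of offered kex algorithms.

Added example; not code from the thread or from any SSH implementation.
"""

import fnmatch

# The draft's MUST NOT rows as quoted in the thread. A trailing '*' is a
# prefix wildcard: RFC 4462 GSS-API method names carry a per-mechanism
# base64 suffix after "gss-gex-sha1-" / "gss-group1-sha1-".
MUST_NOT_KEX = {
    "diffie-hellman-group1-sha1": "RFC4253",
    "diffie-hellman-group-exchange-sha1": "RFC4419",
    "gss-gex-sha1-*": "RFC4462",
    "gss-group1-sha1-*": "RFC4462",
    "rsa1024-sha1": "RFC4432",
}


def parse_name_list(text: str) -> list[str]:
    """Split an SSH name-list (RFC 4251, comma-separated) or one-name-per-line
    output such as `ssh -Q kex`. Order is preserved because it is the
    offering side's preference order; empty entries are dropped."""
    return [n for n in text.replace("\n", ",").split(",") if n.strip()]


def must_not_entries(text: str) -> list[tuple[str, str]]:
    """Return (algorithm, reference) for every offered method the draft
    forbids. fnmatchcase is used so that '*' works as a prefix wildcard
    while '+', '/' and '=' in GSS suffixes are matched literally."""
    hits = []
    for name in parse_name_list(text):
        name = name.strip()
        for pattern, reference in MUST_NOT_KEX.items():
            if fnmatch.fnmatchcase(name, pattern):
                hits.append((name, reference))
                break
    return hits


def is_conforming(text: str) -> bool:
    """True when nothing in the offered list is a MUST NOT method."""
    return not must_not_entries(text)


# Constructed samples. The GSS suffix below is a placeholder, not a real
# mechanism identifier from RFC 4462.
LEGACY_KEXINIT = (
    "curve25519-sha256,diffie-hellman-group14-sha256,"
    "diffie-hellman-group1-sha1,gss-group1-sha1-PLACEHOLDERSUFFIX=="
)
MODERN_KEXINIT = (
    "curve25519-sha256,diffie-hellman-group14-sha256,"
    "diffie-hellman-group16-sha512"
)

if __name__ == "__main__":
    for label, offered in (("legacy", LEGACY_KEXINIT), ("modern", MODERN_KEXINIT)):
        hits = must_not_entries(offered)
        status = "conforming" if not hits else "NOT conforming"
        print(f"{label}: {status}")
        for name, reference in hits:
            print(f"  MUST NOT: {name} ({reference})")
```

Run against a server's own configuration (for example the KexAlgorithms line from sshd_config, or `ssh -Q kex` on the host) to see whether diffie-hellman-group1-sha1 is still offered; a host that keeps it for compatibility with old peers, as Damien describes, should at least not list it ahead of the modern methods.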