Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
Eric Rescorla <ekr@rtfm.com> Sat, 08 April 2017 14:52 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2336127977 for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 07:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fzb3cbLeGmuJ for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 07:52:54 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C913A126C3D for <curdle@ietf.org>; Sat, 8 Apr 2017 07:52:53 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id d191so45018524ywe.2 for <curdle@ietf.org>; Sat, 08 Apr 2017 07:52:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JcXUj+itlQ3OEBtID1XrYYXhQGVcOZ0mC9w35nTT7Eo=; b=g2fFy4HbXo43/smXeFP2rogJjUDJconlTrc1Up9LnWm3tEg1x25tvwZMtbG/DFhOpt lnfFKUtHk+5eymKEdRlb9FuppxhdWOojkuqurDOMj0aTehMf7iHSjDk4QwdvW05H/vTr nKKpSAJ5hmnt03QA/AcL1mk4dfzkvb6g1+PIfQepnar9ULIp0nhCRsWTIe8qpUjFfj5o Oem6VxZBQx/H5XH8lLaZZzPZsk8Gl/pP/AvXgNIAzcpRCD6/EcytGUyc7C66UByQt6gj ezRE+K8zNuya91PKMkQgFCdgDeBiy99ar2gX328qgp7h2uKdqBnCQCMAknnPWlRYP76K hlYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JcXUj+itlQ3OEBtID1XrYYXhQGVcOZ0mC9w35nTT7Eo=; b=knDI0DgsUIXMOcT9JAxGNDVcENlGx+/fbh78Fb9RQ9okNT/fe2Z4l1PXLlGxI5qmSY W3I+jhwMoY3LqcpcY7NEOW13Rq4iu18SNf+KMOBHNu5PvtKbuH98XgWVgtQa7+IfLPPU Ijro+HAkPk5wYMrOvECpYU0tuSDmTuYFNu3ekfK4rv61EJNljxHCRBGSK0QVM5Rm8MUb dRO0d4nSocZL+/XxgVhKwBDkFTzPSoK7lKJv53+f2shRh7Whg67nkHshjyxLsoEHIaou v712M/cNuL3u3j9+9Ka2oinpcRvQDI7Vr5E+zyNVBT1/CXv08jCpxm42o75+gDDcVM7m DqGg==
X-Gm-Message-State: AFeK/H0oGPFvFfs5NpI/4+YkmzqV3kkQ/BSKY1ULXGoDY5LXyML5qX2xfAGTF4u25ZLVpxWj//Oujyd0Y7BrYg==
X-Received: by 10.129.108.214 with SMTP id h205mr30509276ywc.71.1491663173017; Sat, 08 Apr 2017 07:52:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Sat, 8 Apr 2017 07:52:12 -0700 (PDT)
In-Reply-To: <CADPMZDDOg5O1bKi8RKvr7Z7SPik5scsdUtRqr_ZK3EuEbsAweA@mail.gmail.com>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz> <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com> <CABcZeBMhx4pHNa-OBQUpTcm9i9oorTMaoQRWatg5=ox2F=8wcw@mail.gmail.com> <CADPMZDDOg5O1bKi8RKvr7Z7SPik5scsdUtRqr_ZK3EuEbsAweA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 08 Apr 2017 07:52:12 -0700
Message-ID: <CABcZeBMZEYphE6nXLxej4iVRErBes3+M3OwoGu5Or1_xYU2upA@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a114e81dc8d7ef0054ca8e516"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Q0TZ1f4mvjylS5sQiFoqr2H5T00>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2017 14:52:57 -0000
On Sat, Apr 8, 2017 at 3:40 AM, denis bider <denisbider.ietf@gmail.com> wrote: > Thank you for providing this link, Eric. > > What this TLS section terms Zero-RTT, and what Peter appears to imply is > 0RTT, seem to be completely different things. > > In TLS, "0RTT" data appears to be data that are sent upfront in the > client's first packet to the server, encrypted using a pre-shared key > before the handshake has derived a traffic secret. > That's more-or-less correct. You don't actually use the PSK but derive a separate key from the PSK. The security challenges mostly derive from the fact that the server doesn't have an opportunity to provide a nonce. In SSH, there is no such concept at all. This would be equivalent to > sending data encrypted with some type of pre-shared key as part of the > client's KEXINIT, which is not what is happening here. > > The EXT_INFO packet sent by the client after NEWKEYS is not Zero-RTT. It > is data sent after a full and completed key exchange. > I'm not familiar enough with SSH to have an opinion here. -Ekr > > > On Fri, Apr 7, 2017 at 9:21 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Thu, Apr 6, 2017 at 10:32 PM, denis bider <denisbider.ietf@gmail.com> >> wrote: >> >>> > I was thinking of the problem that it's essentially >>> > impossible to safely do n-RTT, n < 1, for TLS, which >>> > meant that doing the same thing for SSH wasn't going >>> > to be any better. I was reasoning by analogy from TLS >>> > rather than sitting down and drawing diagrams for SSH >>> > to try and figure out all the possible issues. >>> >>> OK, but I'm not familiar with the security implications of this on TLS. >>> >>> Can you link to any resources where this was discussed? Whether for TLS, >>> or in any other context? >>> >> >> Here is the section of TLS 1.3 that describes the security implications of >> 0-RTT data: >> >> https://tlswg.github.io/tls13-spec/#zero-rtt-data >> >> FWIW, it's less clear to me that these apply to SSH because at least the >> replay issues stem from the desire to have loosely coupled distributed >> servers and seamless fall back from server state or synchronization >> failure. >> >> -Ekr >> >> >>> >>> > Perhaps adding an implementation note to say that at this >>> > point the crypto hasn't been confirmed yet and so you may >>> > want to be careful about what you put into your extension >>> > data would be useful? >>> >>> I agree, if this is a threat, we should add a warning in Security >>> Considerations. But to make that warning, I have to understand the threat. >>> >>> If someone asks me about this warning, I want to be able to explain the >>> reason in detail. At this point, what I can say is, "Peter said this on the >>> list." That is, to me, insufficient backing. >>> >>> >>> > Wouldn't "true" and "false" be a better way to express a >>> > boolean? >>> >>> Yes if you could choose the type. But you can't choose the type, because >>> all extensions have to use the same type. That type is a string. >>> >>> >>> > I realise this is kinda bikeshedding, but having to look >>> > up the spec just to figure out what mysterious magic >>> > values in a boolean field specify seems a bit awkward. >>> >>> Booleans are equally mysterious. >>> >>> The third parameter to the Windows API function WaitForMultipleObjects >>> is a boolean. Suppose an application passes "TRUE". Without checking the >>> docs - what does that mean? >>> >>> If you check the docs, you know what "TRUE" in that context means. And >>> if you check the spec here, you know what "p" and "s" mean. >>> >>> Booleans are not inherently self-documenting. (In fact - when used in >>> languages with positional parameters, they are more frequently >>> self-obfuscating.) >>> >>> >>> > Given that there are a nonzero number of implementations >>> > that send a window size of ~0 to indicate no flow control, >>> > it may be useful to add an implementation note to point >>> > this out. >>> >>> OK. I added the following sub-section to my current working copy: >>> >>> >>> 3.3.1. Implementation Note: Prior "No Flow Control" Practice >>> >>> Before this extension, some applications would simply not implement >>> SSH flow control, sending an initial channel window size of 2^32 - 1. >>> Applications SHOULD NOT do this for the following reasons: >>> >>> - It is entirely within the realm of possibility to transfer more than >>> 2^32 bytes over a channel. The channel will then hang if the other >>> party implements SSH flow control according to [RFC4254]. >>> >>> - There exist implementations which cannot handle such large channel >>> window sizes, and will exhibit non-graceful behaviors, including >>> disconnection. >>> >>> >>> denis >>> >>> >>> >>> On Thu, Apr 6, 2017 at 6:04 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz >>> > wrote: >>> >>>> denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes: >>>> >>>> >Can you point out some of these subtle problems that could occur in >>>> this >>>> >regard in SSH? >>>> >>>> I was thinking of the problem that it's essentially impossible to >>>> safely do n- >>>> RTT, n < 1, for TLS, which meant that doing the same thing for SSH >>>> wasn't >>>> going to be any better. I was reasoning by analogy from TLS rather than >>>> sitting down and drawing diagrams for SSH to try and figure out all the >>>> possible issues. >>>> >>>> >Under the assumption that such an extension were defined, can you >>>> point out >>>> >at least one way that sending this info right after NEWKEYS can help an >>>> >attacker? >>>> >>>> It depends on the extension. Without one defined, there's no way to >>>> tell at >>>> the moment. I could invent something that works out badly, but that'd >>>> be >>>> creating a strawman... my concern is that in the future someone may >>>> define a >>>> problematic extension without realising that they're creating a problem. >>>> Perhaps adding an implementation note to say that at this point the >>>> crypto >>>> hasn't been confirmed yet and so you may want to be careful about what >>>> you put >>>> into your extension data would be useful? >>>> >>>> >But the extension value field is generically a string (it must be same >>>> type >>>> >for all extensions, so unsupported extensions can be decoded and >>>> ignored). >>>> >"p" and "s" are therefore fitting ways to express this boolean. >>>> >>>> Wouldn't "true" and "false" be a better way to express a boolean? I >>>> realise >>>> this is kinda bikeshedding, but having to look up the spec just to >>>> figure out >>>> what mysterious magic values in a boolean field specify seems a bit >>>> awkward. >>>> >>>> >Properly implemented flow control is superior. However, this extension >>>> is a >>>> >nod to that not everyone will be using an SSH library that does this >>>> right, >>>> >and "no-flow-control" is a better option if your needs are simple, and >>>> you >>>> >don't have a few years to get this right. >>>> >>>> Given that there are a nonzero number of implementations that send a >>>> window >>>> size of ~0 to indicate no flow control, it may be useful to add an >>>> implementation note to point this out. I enabled some diagnostic code >>>> to >>>> throw an exception in my code if it found this from another >>>> implementation >>>> (other than mine) and got, uh, feedback from beta-testers about it, so >>>> at >>>> least some implementations are using a pseudo-infinite window size to >>>> indicate >>>> no flow control. I'm not saying it should be adopted as an alternative >>>> to >>>> "no-flow-control", but merely to alert implementers about the practice, >>>> e.g. a >>>> certain big iron vendor whose device would crash and reboot as it tried >>>> to >>>> allocate ~0 bytes of memory to match the widow size. >>>> >>>> Peter. >>>> _______________________________________________ >>>> Curdle mailing list >>>> Curdle@ietf.org >>>> https://www.ietf.org/mailman/listinfo/curdle >>>> >>> >>> >>> _______________________________________________ >>> Curdle mailing list >>> Curdle@ietf.org >>> https://www.ietf.org/mailman/listinfo/curdle >>> >>> >> >
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Eric Rescorla
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- [Curdle] Multiple WGLC Daniel Migault
- Re: [Curdle] Multiple WGLC Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Multiple WGLC Mark D. Baushke
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Benjamin Kaduk
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Eric Rescorla