IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

Eric Rescorla <ekr@rtfm.com> Sat, 08 April 2017 14:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2336127977 for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 07:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fzb3cbLeGmuJ for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 07:52:54 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C913A126C3D for <curdle@ietf.org>; Sat, 8 Apr 2017 07:52:53 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id d191so45018524ywe.2 for <curdle@ietf.org>; Sat, 08 Apr 2017 07:52:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JcXUj+itlQ3OEBtID1XrYYXhQGVcOZ0mC9w35nTT7Eo=; b=g2fFy4HbXo43/smXeFP2rogJjUDJconlTrc1Up9LnWm3tEg1x25tvwZMtbG/DFhOpt lnfFKUtHk+5eymKEdRlb9FuppxhdWOojkuqurDOMj0aTehMf7iHSjDk4QwdvW05H/vTr nKKpSAJ5hmnt03QA/AcL1mk4dfzkvb6g1+PIfQepnar9ULIp0nhCRsWTIe8qpUjFfj5o Oem6VxZBQx/H5XH8lLaZZzPZsk8Gl/pP/AvXgNIAzcpRCD6/EcytGUyc7C66UByQt6gj ezRE+K8zNuya91PKMkQgFCdgDeBiy99ar2gX328qgp7h2uKdqBnCQCMAknnPWlRYP76K hlYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JcXUj+itlQ3OEBtID1XrYYXhQGVcOZ0mC9w35nTT7Eo=; b=knDI0DgsUIXMOcT9JAxGNDVcENlGx+/fbh78Fb9RQ9okNT/fe2Z4l1PXLlGxI5qmSY W3I+jhwMoY3LqcpcY7NEOW13Rq4iu18SNf+KMOBHNu5PvtKbuH98XgWVgtQa7+IfLPPU Ijro+HAkPk5wYMrOvECpYU0tuSDmTuYFNu3ekfK4rv61EJNljxHCRBGSK0QVM5Rm8MUb dRO0d4nSocZL+/XxgVhKwBDkFTzPSoK7lKJv53+f2shRh7Whg67nkHshjyxLsoEHIaou v712M/cNuL3u3j9+9Ka2oinpcRvQDI7Vr5E+zyNVBT1/CXv08jCpxm42o75+gDDcVM7m DqGg==
X-Gm-Message-State: AFeK/H0oGPFvFfs5NpI/4+YkmzqV3kkQ/BSKY1ULXGoDY5LXyML5qX2xfAGTF4u25ZLVpxWj//Oujyd0Y7BrYg==
X-Received: by 10.129.108.214 with SMTP id h205mr30509276ywc.71.1491663173017; Sat, 08 Apr 2017 07:52:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Sat, 8 Apr 2017 07:52:12 -0700 (PDT)
In-Reply-To: <CADPMZDDOg5O1bKi8RKvr7Z7SPik5scsdUtRqr_ZK3EuEbsAweA@mail.gmail.com>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz> <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com> <CABcZeBMhx4pHNa-OBQUpTcm9i9oorTMaoQRWatg5=ox2F=8wcw@mail.gmail.com> <CADPMZDDOg5O1bKi8RKvr7Z7SPik5scsdUtRqr_ZK3EuEbsAweA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 08 Apr 2017 07:52:12 -0700
Message-ID: <CABcZeBMZEYphE6nXLxej4iVRErBes3+M3OwoGu5Or1_xYU2upA@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a114e81dc8d7ef0054ca8e516"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Q0TZ1f4mvjylS5sQiFoqr2H5T00>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2017 14:52:57 -0000

On Sat, Apr 8, 2017 at 3:40 AM, denis bider <denisbider.ietf@gmail.com>
wrote:

> Thank you for providing this link, Eric.
>
> What this TLS section terms Zero-RTT, and what Peter appears to imply is
> 0RTT, seem to be completely different things.
>
> In TLS, "0RTT" data appears to be data that are sent upfront in the
> client's first packet to the server, encrypted using a pre-shared key
> before the handshake has derived a traffic secret.
>

That's more-or-less correct. You don't actually use the PSK but derive a
separate key from the PSK. The security challenges mostly derive from the
fact that the
server doesn't have an opportunity to provide a nonce.




In SSH, there is no such concept at all. This would be equivalent to
> sending data encrypted with some type of pre-shared key as part of the
> client's KEXINIT, which is not what is happening here.
>
> The EXT_INFO packet sent by the client after NEWKEYS is not Zero-RTT. It
> is data sent after a full and completed key exchange.
>

I'm not familiar enough with SSH to have an opinion here.

-Ekr


>
>
> On Fri, Apr 7, 2017 at 9:21 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Thu, Apr 6, 2017 at 10:32 PM, denis bider <denisbider.ietf@gmail.com>
>> wrote:
>>
>>> > I was thinking of the problem that it's essentially
>>> > impossible to safely do n-RTT, n < 1, for TLS, which
>>> > meant that doing the same thing for SSH wasn't going
>>> > to be any better.  I was reasoning by analogy from TLS
>>> > rather than sitting down and drawing diagrams for SSH
>>> > to try and figure out all the possible issues.
>>>
>>> OK, but I'm not familiar with the security implications of this on TLS.
>>>
>>> Can you link to any resources where this was discussed? Whether for TLS,
>>> or in any other context?
>>>
>>
>> Here is the section of TLS 1.3 that describes the security implications of
>> 0-RTT data:
>>
>> https://tlswg.github.io/tls13-spec/#zero-rtt-data
>>
>> FWIW, it's less clear to me that these apply to SSH because at least the
>> replay issues stem from the desire to have loosely coupled distributed
>> servers and seamless fall back from server state or synchronization
>> failure.
>>
>> -Ekr
>>
>>
>>>
>>> > Perhaps adding an implementation note to say that at this
>>> > point the crypto hasn't been confirmed yet and so you may
>>> > want to be careful about what you put into your extension
>>> > data would be useful?
>>>
>>>  I agree, if this is a threat, we should add a warning in Security
>>> Considerations. But to make that warning, I have to understand the threat.
>>>
>>> If someone asks me about this warning, I want to be able to explain the
>>> reason in detail. At this point, what I can say is, "Peter said this on the
>>> list." That is, to me, insufficient backing.
>>>
>>>
>>> > Wouldn't "true" and "false" be a better way to express a
>>> > boolean?
>>>
>>> Yes if you could choose the type. But you can't choose the type, because
>>> all extensions have to use the same type. That type is a string.
>>>
>>>
>>> > I realise this is kinda bikeshedding, but having to look
>>> > up the spec just to figure out what mysterious magic
>>> > values in a boolean field specify seems a bit awkward.
>>>
>>> Booleans are equally mysterious.
>>>
>>> The third parameter to the Windows API function WaitForMultipleObjects
>>> is a boolean. Suppose an application passes "TRUE". Without checking the
>>> docs - what does that mean?
>>>
>>> If you check the docs, you know what "TRUE" in that context means. And
>>> if you check the spec here, you know what "p" and "s" mean.
>>>
>>> Booleans are not inherently self-documenting. (In fact - when used in
>>> languages with positional parameters, they are more frequently
>>> self-obfuscating.)
>>>
>>>
>>> > Given that there are a nonzero number of implementations
>>> > that send a window size of ~0 to indicate no flow control,
>>> > it may be useful to add an implementation note to point
>>> > this out.
>>>
>>> OK. I added the following sub-section to my current working copy:
>>>
>>>
>>> 3.3.1.  Implementation Note: Prior "No Flow Control" Practice
>>>
>>>   Before this extension, some applications would simply not implement
>>>   SSH flow control, sending an initial channel window size of 2^32 - 1.
>>>   Applications SHOULD NOT do this for the following reasons:
>>>
>>>   - It is entirely within the realm of possibility to transfer more than
>>>     2^32 bytes over a channel. The channel will then hang if the other
>>>     party implements SSH flow control according to [RFC4254].
>>>
>>>   - There exist implementations which cannot handle such large channel
>>>     window sizes, and will exhibit non-graceful behaviors, including
>>>     disconnection.
>>>
>>>
>>> denis
>>>
>>>
>>>
>>> On Thu, Apr 6, 2017 at 6:04 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz
>>> > wrote:
>>>
>>>> denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:
>>>>
>>>> >Can you point out some of these subtle problems that could occur in
>>>> this
>>>> >regard in SSH?
>>>>
>>>> I was thinking of the problem that it's essentially impossible to
>>>> safely do n-
>>>> RTT, n < 1, for TLS, which meant that doing the same thing for SSH
>>>> wasn't
>>>> going to be any better.  I was reasoning by analogy from TLS rather than
>>>> sitting down and drawing diagrams for SSH to try and figure out all the
>>>> possible issues.
>>>>
>>>> >Under the assumption that such an extension were defined, can you
>>>> point out
>>>> >at least one way that sending this info right after NEWKEYS can help an
>>>> >attacker?
>>>>
>>>> It depends on the extension.  Without one defined, there's no way to
>>>> tell at
>>>> the moment.  I could invent something that works out badly, but that'd
>>>> be
>>>> creating a strawman... my concern is that in the future someone may
>>>> define a
>>>> problematic extension without realising that they're creating a problem.
>>>> Perhaps adding an implementation note to say that at this point the
>>>> crypto
>>>> hasn't been confirmed yet and so you may want to be careful about what
>>>> you put
>>>> into your extension data would be useful?
>>>>
>>>> >But the extension value field is generically a string (it must be same
>>>> type
>>>> >for all extensions, so unsupported extensions can be decoded and
>>>> ignored).
>>>> >"p" and "s" are therefore fitting ways to express this boolean.
>>>>
>>>> Wouldn't "true" and "false" be a better way to express a boolean?  I
>>>> realise
>>>> this is kinda bikeshedding, but having to look up the spec just to
>>>> figure out
>>>> what mysterious magic values in a boolean field specify seems a bit
>>>> awkward.
>>>>
>>>> >Properly implemented flow control is superior. However, this extension
>>>> is a
>>>> >nod to that not everyone will be using an SSH library that does this
>>>> right,
>>>> >and "no-flow-control" is a better option if your needs are simple, and
>>>> you
>>>> >don't have a few years to get this right.
>>>>
>>>> Given that there are a nonzero number of implementations that send a
>>>> window
>>>> size of ~0 to indicate no flow control, it may be useful to add an
>>>> implementation note to point this out.  I enabled some diagnostic code
>>>> to
>>>> throw an exception in my code if it found this from another
>>>> implementation
>>>> (other than mine) and got, uh, feedback from beta-testers about it, so
>>>> at
>>>> least some implementations are using a pseudo-infinite window size to
>>>> indicate
>>>> no flow control.  I'm not saying it should be adopted as an alternative
>>>> to
>>>> "no-flow-control", but merely to alert implementers about the practice,
>>>> e.g. a
>>>> certain big iron vendor whose device would crash and reboot as it tried
>>>> to
>>>> allocate ~0 bytes of memory to match the widow size.
>>>>
>>>> Peter.
>>>> _______________________________________________
>>>> Curdle mailing list
>>>> Curdle@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/curdle
>>>>
>>>
>>>
>>> _______________________________________________
>>> Curdle mailing list
>>> Curdle@ietf.org
>>> https://www.ietf.org/mailman/listinfo/curdle
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email