Re: [Curdle] Can you do a review of draft-gajcowski-cnsa-ssh-profile

mbaushke ietf <> Sun, 15 August 2021 16:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 45DED3A1AF5; Sun, 15 Aug 2021 09:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JPmi7eYcA9dR; Sun, 15 Aug 2021 09:06:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DBC523A1AF9; Sun, 15 Aug 2021 09:06:51 -0700 (PDT)
Received: by with SMTP id n5so2295012pjt.4; Sun, 15 Aug 2021 09:06:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GNv1Luupgu0UBQlZzOoWlCOu0hTlCZFr8QY6fBMN/ok=; b=VJDzsxMnLW8xjUADUAS3TjaFwD2bAqdXTUiio2nEijb/sH/E6Pl9searPbMH1AGIfo rk338nQLTV/19uXoXMF7Yy9gaWInmXjHcXGgqqf6BRkjFGwDI7d/mRC8clnUiQkJ2O3/ 49BNnfmpLb2XdyxaWjQuF3xaIN7fSHZf7wQoCQ0XrLINfM4re+4oV/WVpxE1SBfk8UQj ghzcpgwNiHlP+JEYBvDBjUtfGBMvKarjtg+QzAcGHNc6iB9k/+gqNUazaS4Olgw2MzT1 mY+7hQc4FyU9tB1YMm9E22KhEc0KX7X6EK2eyPD6vpCXJDgzHtj8sWqQDrioxfEil6Uu BC+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GNv1Luupgu0UBQlZzOoWlCOu0hTlCZFr8QY6fBMN/ok=; b=DqWLITH1XDkSJ6cI4isx9XFiut6YZTnX6Xn+TmKtW7epRRKmS6ZRUmHQ3W8Yw/QG/b tlStZHNFcXxX3lDYT/pum1ar2j2X7hTCuQ+aRpwOaX65EuR5WuZohxqihPF4Sx8raGBb ZpOdAeBJtLaiF4jdnBBtKzfVFlUPb+m4ITxdkv873WcA+jr+0kj2J8vgJsSSHV5Q6gK5 vcoaeKxeAyqEud/aZEjCiwF/ZIhr+uS2hS2/+vUbOeImV5OXCeXXDjm5UHFyiXwb2KhZ CuDp+Y03g+7n32cCV3HCdPUTKRVfhCCKWSCJDqSAhzW0PNs0ja2S6seUe1XziSBFwoYK xAIw==
X-Gm-Message-State: AOAM5303EMHQTaZ1BzdAkW6PEOwoeJB52TO1JSO7tLMakqN4J39acZku g/YKwcN1T+ia8OKSLv6UuqE=
X-Google-Smtp-Source: ABdhPJxw0Lebkt/9VRVRHSbzg5NtAUWUAq6QgD2sFrPCOJXRggVYe02vG0dVyoMkNgaKHsErTqnJbA==
X-Received: by 2002:a05:6a00:1693:b029:333:da3a:8c86 with SMTP id k19-20020a056a001693b0290333da3a8c86mr12409854pfc.41.1629043609624; Sun, 15 Aug 2021 09:06:49 -0700 (PDT)
Received: from ( []) by with ESMTPSA id pj14sm6809500pjb.35.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 15 Aug 2021 09:06:49 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Content-Type: text/plain; charset="utf-8"
From: mbaushke ietf <>
X-Priority: 3 (Normal)
In-Reply-To: <>
Date: Sun, 15 Aug 2021 09:06:47 -0700
Cc:,, Benjamin Kaduk <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To:, Nicholas Gajcowski <>, Michael Jenkins <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [Curdle] Can you do a review of draft-gajcowski-cnsa-ssh-profile
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 15 Aug 2021 16:06:58 -0000

Hi Adrian, Nicholas, & Michael,

I regret it has taken me longer to organize my thoughts on the draft-gajcowski-cnsa-ssh-profile than I thought it would take.

The comments I sent to Adrian were rushed, but I tried to take more time with the notes that follow. At the end of this message is my original quick replay.

This is a review of

In the Abstract and Section 1, "IPsec" is preferred over "IPSec"
anywhere it appears:

  See RFC 4301 Section 1.1,

  |   The spelling "IPsec" is preferred and used throughout this and all
  |   related IPsec standards.  All other capitalizations of IPsec (e.g.,
  |   IPSEC, IPSec, ipsec) are deprecated.  However, any capitalization of
  |   the sequence of letters "IPsec" should be understood to refer to the
  |   IPsec protocols.

Please use IPsec throughout your draft to be consistent with other IETF RFCs.

[SP80059] should probably use the URL:
given all of the movement of documents at the NIST site in recent

Section 3
  "meeting their IA interoperability requirements"

This is the first use of the Inter-Agency (IA) acronym. Please spell
it out on first use... assuming that I have the acronym correct in
the first place.

Section 4

If you expect to use rsa-sha2-512 as a public key algorithm, then it
is necessary to add two methods to the key exchange algorithms. These
two methods are: "ext-info-c" and "ext-info-s", defined in [RFC8308].
They provide a mechanism to support other Secure Shell negotiations
including "server-sig-algs" which allows the public-key-algorithms to
restrict the ssh-rsa to not be negotiated and instead allow only
rsa-sha2-512. See also the requirement given in section 6.1 of your
draft for why it is important to reduce the list of the
"server-sig-algs" to just the two of interest in this RFC. Some
implementations always add ext-info-c to the server configuration and
ext-info-s to the client configuration, so they are implicit. The
"server-sig-algs" may be defined by another configuration option name
such as the PubkeyAcceptedKeyTypes directive used by OpenSSH.

Also, please note that RFC5647 is not the only way to negotiate the
use of AES 256-bit GCM mode. It turns out that the RFC5647 was not
well written and was not generally adopted by most open source
editions of SSH. Instead, uses the same wire
protocol, but negotiates to IGNORE the value of the MAC algorithm list
and implicitly select the matching MAC algorithm when the AEAD GCM
algorithm is selected.

There is presently no explicit RFC with or names, but there are multiple implementations
in the field that use the name-space for this option

The issue here is if this RFC should be taken as being 'prescriptive'
or 'descriptive' to get the profile that is desired with the available
implementations. In my opinion, a 'prescriptive' profile is not
desirable as it will not allow the use of experimental PQC algorithms
to be used in the profile even if that is highly desirable for testing
and deployment purposes. So, it MAY be desirable to avoid being too
restrictive in disallowing something like a a publickey algorithm
option such as one of

as was mentioned in

If this informational RFC is made prescriptive, then it is possible
that certification efforts for vendors trying to provide for
experimental algorithms would fail to be certified. This is
undesirable behavior in my opinion. In general, the use of MUST NOT in
your RFC seems overly harsh. I would think that SHOULD NOT is strong
enough. Use of profiles that are not approved by NIST may cause harm
to interoperability of SSH implementations within the public sector

Section 4.1

As yet, SHA-3 and its related XOF functions are not present in SSH.
However, this section prohibits experimentation with them while using
this profile. I do not necessarily think this is a wise choice. It
seems to me that it would be better to specify a minimum security
strength needed and provide a list of algorithms which meet that

Section 4.2

Query: Why only 3072 and 4096 bits for an RSA key? You are suggesting
that an RSA public key modules of 3078 bits is not acceptable. Why
does this restriction exist? Yes, there are a large number of primes
that will work, but why limit them to two explicit sizes instead of a
range? I think this may need some justification. As long as sizes are
documented and strong enough, I do not understand the blind reasoning
of two fixed sizes of moduli length.

I believe the NSA may be overly restrictive in suggesting that only
X.509v3 certificates are acceptable. There are alternatives in the
field which are well deployed which avoid the ASN.1 encoding debacle
that has caused so many implementation problems since X.509 was first
deployed in the OSI protocol stack in 1988 and later pushed into the
TCP/IP universe with X.509v3 arriving in 1996.

An alternative is documented as OpenSSH Certificates which was
documented in 2010-03-08 with release OpenSSH 5.4. See
for a table on the support of the *
and the URL:
for some documentation.

I therefore suggest the sentence

    "Certificates MUST be X.509v3 certificates and their use MUST
    comply with [RFC8603]."

be removed. However, you could say that should X.509v3 certificates be
used, they MUST comply with RFC8603.

In the past twenty years, there have been MANY problems with
non-inter-operable X509v3 certificates on the Internet. Including
misuse of critical sections and improper OIDs being used as well as
the use of UNICODE to generate dangerous false identities that seem to
look good to a human, but are forgeries.

Of course, this is a larger issue, but forced compliance to X509v3 and
use of CRLs and OCSP as well as Cross Certificates (aka chain or
bridge certificates) and multi-host certificates can make it
non-trivial for some devices to properly make use of X509v3

Section 6.1 and 6.2

Is it really desirable to mix ECC and FFC DH exchanges and public
signature algorithms? I do not see any real harm in it, but it seems
to be counter intuitive to the push I have seen elsewhere for use of
ECDH with ECDSA and FFC DH with RSA in the past. I mostly curious
here, there is no problem with these sections allowing that
flexibility. I am just somewhat bewildered by prescriptive use of
algorithms in other places in the document where this one actually
allows flexibility for the deployment.

Section 7.

I am again puzzled by a prescriptive fixed 3072 bit and 4096 bit RSA
modulus sizes with nothing in between them. If this is a testing
consideration, you might want to mention that those are the only two
sizes that the ACVP system permits for formal certification under FIPS
140-3 and/or NIAP Protection Profiles. Assuming this is the reason for
the restriction.

Section 9

There seems to be some confusion in Rekeying. There are two separate
encryption streams client-to-server and server-to-client. They are
typically rekeyed separately based on time and/or traffic volume. I do
not recall seeing any implementation where the same key is being used
in both directions. It would seem wise to be explicit that this
section is overwriting is updating guidance of RFC4253 section 9
to disallow the reselection of Ciphers against the "It is permissible to
change some or all of the algorithms during the re-exchange."
original text. A possible rewrite might be:

    [RFC4253] section 9 alllows either the server or the client to
    send initiate a "key re-exchange by sending an SSH_MSG_KEXINIT
    packet". However, that section also specifies "It is permissible
    to change some or all of the algorithms during the re-exchange."
    this sentence being updated. The cipher suite being employed MUST
    NOT be changed when a rekey occurs.

Section 10

In my opnion, it is highly desirable to note that in a PQC world, the
smaller key sizes used by ECC algorithms will require less Qubits
(quantum bit) to be deployed to break the connection than if FFC
algorithms are employed. I have not read any recent papers comparing
IFC (RSA algorithm) factorization Qubit requirements. If this is going
to be a useful RFC, a pointer to such literature may help make the
CSNA users more comfortable when actually configuring their SSH
clients and servers.

Just suggesting that the security consideration of the other SSH RFCs
is sufficient undermines the purpose and justification of this draft.
This section should tell the reader what vulnerability of security for
the SSH protocol exists without the mitigation of the profile being
recommended in this draft.

Section 12.1

The URL: is
embarrassing as my browser reports 'NET::ERR_CERT_INVALID'

  |  Subject:
  |  Issuer: DOD SW CA-54
  |  Expires on: Jan 31, 2022
  |  Current date: Aug 7, 2021
  |  PEM encoded chain:
  |  -----BEGIN CERTIFICATE-----
  |  ADCCAQoCggEBAJapnWkho9HhQA11ySYQppvELs8eGWEnMwdQQXk5ik9647QPQFfd
  |  NtPlSbJvZwuxKreWr8AARKe7bzTRSuuOK8wfhTuc8Z65jbwK0/SvyUWwViHyMF4O
  |  ASo4q66dLmWbO7tvgmb1pR0RTWt94sBldsW0klknTiM2Fal1bJrCdVlG8JzQ0Lx6
  |  MeUJHouRYln3bmgetnmUupGG7scV3N8fzDf39B/XPnLX+kgjn366xIjSoTCKhPO+
  |  g3vxh0/0+5c1lRgveN9smfytLYVhBRMwEiEYEO8+EaI9CyUbFZ4/rj9z55zeFMOf
  |  S1eKu6sOnTDxZFtlUBIQC03/pfyCF6mVjbcCAwEAAaOCAX0wggF5MB8GA1UdIwQY
  |  ZGlzYS5taWwvc2lnbi9ET0RTV0NBXzU0LmNlcjAgBggrBgEFBQcwAYYUaHR0cDov
  |  Jmh0dHA6Ly9jcmwuZGlzYS5taWwvY3JsL0RPRFNXQ0FfNTQuY3JsMEYGA1UdEQQ/
  |  MD2CC3d3dy5pYWQuZ292ghJuY21kLXVmeDA1LmlhZC5nb3aCDHd3dy5jbnNzLmdv
  |  ggEBABzu5Naz3ndMZFkR9aA35AlyXT8R/zW4I7YyNONr6cybciSjPuQjmFfdbvDd
  |  l9t/Hv8FhXCF4KhxFoMADAyZcLjARKF26elYizcGKr9nc6hmgiUJpwqp/B8+Rlfn
  |  TG7s1UWlXrdSn/LxCZdNk/zJl3X5CoXAimFq3EL5+ziZvFtDtiGI8538PTBQ/Tra
  |  6ZHr7qUG5T9hCNrajwULckBxD4Nuh+F4wP6AWu96BFlQuMasYksvm4y8oiPXnUhM
  |  gDG0z5umBR15mdZ7CSUPlG2lETB2w6LjPIN84hp73LP30L/St1dZlX+1ZWfEBvPW
  |  Hij1G3wQ+dsAJkApXaxWJX1WLGA=
  |  -----END CERTIFICATE-----

I respectfully suggest that a published document with a revision be
produced that has a valid DOI URL that is not subject to change from to or other issues moving forward.

    $ wget --no-check-certificate
    --2021-08-09 13:04:49--
    Resolving (
    Connecting to (||:443... connected.
    WARNING: cannot verify's certificate, issued by ‘CN=DOD SW CA-54,OU=PKI,OU=DoD,O=U.S. Government,C=US’:
      Unable to locally verify the issuer's authority.
    HTTP request sent, awaiting response... 302 Found
    Location: /my.policy [following]
    --2021-08-09 13:04:50--
    Connecting to (||:443... connected.
    WARNING: cannot verify's certificate, issued by ‘CN=DOD SW CA-54,OU=PKI,OU=DoD,O=U.S. Government,C=US’:
      Unable to locally verify the issuer's authority.
    HTTP request sent, awaiting response... 302 Found
    Location: /CNSS/Issuances/Policies.htm [following]
    --2021-08-09 13:04:50--
    Connecting to (||:443... connected.
    WARNING: cannot verify's certificate, issued by ‘CN=DOD SW CA-54,OU=PKI,OU=DoD,O=U.S. Government,C=US’:
      Unable to locally verify the issuer's authority.
    HTTP request sent, awaiting response... 404 Not Found
    2021-08-09 13:04:50 ERROR 404: Not Found.

Note: I tried to visit the link with a number of browsers and failed
each time.

URL for FIPS180 should be
rather than
OR, should use the DOI entry in the citation.

Section 12.2

I would also suggest that

become a DOI URL
or that the reference include the DOI information.

With similar DOI URLs used for the and
URLs. They have changed locations a number of times over the last
20+ years and the DOI URLs are intended to be able to be updated to
point to a good archival location for the documents.

It is not yet clear to me if GSSAPI capabilities are allowed in the
CSNA framework. Trusting a Key Distribution Center (KDC) for servers
to be used to introduce other servers needs to be addressed in this
document somewhere as there is a large installed base of Microsoft
servers and many educational institutions that use Kerberos throughout
their institutions.

I would also suggest that one or two examples of configurations for
client and server of popular SSH configurations may be desirable. This
would let you show how to inter-operate with more than one release of
popularly available implementations. This would allow you to show that
interoperability testing has actually occurred with one or more
implementations of the SSH client/server protocol with your suggested

Quick and dirty partial example... only you really know what you think
is correct...

  * OpenSSH sshd_config (server configuration file, but most of these
    will also be present in the ssh_config file).

    KexAlgorithms ecdh-sha2-nistp384
    KexAlgorithms +diffie-hellman-group15-sha512
    KexAlgorithms +diffie-hellman-group16-sha512

    PubkeyAcceptedKeyTypes +ecdsa-sha2-nistp384,rsa-sha2-512

    HostKeyAlgorithms +ecdsa-sha2-nistp384,rsa-sha2-512


    # Will not be used given is implicitly used
    MACs hmac-sha2-512

    HostbasedAcceptedAlgorithms +ecdsa-sha2-nistp384,rsa-sha2-512

    HostbasedAuthentication no
    HostbasedUsesNameFromPacketOnly no

    # HostCertificate filename-for-the-certificate
    # TrustedUserCAKeys filename-for-public-trusted-certificate-authorities
    HostKey /etc/ssh/ssh_host_ecdsa_key,/etc/ssh/ssh_host_rsa_key
    CASignatureAlgorithms ecdsa-sha2-nistp384,rsa-sha2-512

    # GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIStrictAcceptorCheck yes

    # Use of a HostKeyAgent such as a process running on an HSM may be
    # desirable but is outside of the scope of this RFC.
    # HostKeyAgent

This ends my comments on the draft.

If you have any questions on my points, please let me know.

        Be safe, stay healthy,
        -- Mark

PS: I believe that most of the material in my original note may already have been covered, but I leave it in place as the draft-gajcowski authors were not part of the original distribution and I am not sure if they were given a copy of the message or not.

> On Jul 28, 2021, at 8:32 AM, mbaushke ietf <> wrote:
> Hi Adrian,
>> On Jul 27, 2021, at 3:11 PM, RFC ISE (Adrian Farrel) <> wrote:
>> Hi Mark, I trust you are well and life is treating you fairly.
> I am presently on holiday, but will be back to my normal grind the middle of next week at which time I can take a more detailed look for a real review of the draft.
> This message was written in haste. I hope I have written it with proper references to other RFCs and URLs.
> Please pardon any typos and ask questions if my content is unclear.
>> Nicholas Gajcowski and Mike Jenkins have submitted
>> to me
>> requesting publication as an Independent Submission Informational RFC.
> Okay.
> Taking a quick read, it does have a few problems with the majority of the SSH implementations.
> * The algorithm agreement of the informational RFC 5647 missed the point that AEAD algorithms already bring the MAC algorithm with them when the encryption algorithm is specified. Requiring that they both match when they are independently negotiated was a mistake. Many negotiation implementations are using "" to negotiate the wire protocol used in RFC 5647, but the language in the draft does not allow for this wiggle room which means that very few implementations of SSH would interoperate with this draft. At this time, I believe RFC 5647 is only implemented by two SSH variations while is implemented by eleven variations which includes the two that do implement RFC 5647.
> Notes on the encryption method may be found in
> * There is an issue in the use of X.509v3 certificates. A few of the primary implementations of SSH avoid these ASN.1 field of problems if at all possible. The largest fielded implementation is OpenSSH which provides a certificate format that is simpler and less prone to implementation errors. The format of the certificate may be found here:
> * Section 5 seems unclear on how negotiation is performed in SSH. In this case, they need to explicitly mention the use of RFC 8308 to "add ext-info-s" and "ext-info-c" or they will not be able to support the rsa-sha2-512 algorithm they list. In addition, as suggested previously, they really should allow if they want RFC 5647 to be used for encryption. I think only the commercial implementations of SSH have tried to bend over sideways to implement RFC5656.
> Someone should look at to see what CNSA restrictions will actually work.
> Although there are very few implementations available, it seems like they should also allow the GSSAPI algorithms which match to be used, but perhaps they no longer trust a Kerberos Key Distribution Center.
> I also admit some surprise that EdDSA is not on the approved list, given that the Draft FIPS 186-5 has it listed (ssh-ed25519 may be too small for CSNA, but ssh-ed448 might be good enough). RFC 8709 is not mentioned at all.
> Also worth noting is that use of ECDSA and ECDH are theoretically easier to break than RSA using Quantum Cryptography because the number of Q-bits needed for the job are smaller. I can worry more about that when real Q-bits are shown to factor more than just 21 as the largest number I could find.
> * Section 12.1 - the CNSA URL does not work without setting off security problems. They really need to get their documents somewhere that are more controlled. Perhaps use a URL?
>> This document is one of a series of documents that describe "profiles" of
>> IETF security tools approved for use by the US Government. The aim is to
>> advise implementers what they need to do to enter the US Government
>> market, but also to help best practices. The intention is to never dilute
>> IETF security, but to sometimes make some strengthening by upgrading the
>> RFC 2119 language.
>> The document has been through a round of editing as I discussed several
>> points with the authors, and now I'm looking for a few brief reviews.
> If it a brief review you need, then the above may be a good enough start.
>> Mike suggested you as a possible reviewer. Are you able to have a look at
>> it, and tell me (briefly) what you think of it, please?
> Yes. This message is the brief review.
>> - Would publication be a good/bad idea?
> As it is right now, it will mean that FIPS 140-3 conformant implementations will not be able to work.
>> - Does it violate any security issues?
> Only the original sin that RFC 5656 never went through review by any of the SSH implementers.
>> - Is it clear enough to be published?
> Not yet. I think that they need to actually provide better guidance about how to avoid non-interoperability.
>> If you are also willing and have the time/energy, would you be prepared
>> do a more detailed review as well, with two parts:
>> a) Comments for the Authors
>>  Reasons for rejection or suggestions for improvements.
>>  These will be returned to authors (or you may wish to have
>>  email discussions directly with authors).  These may be
>>  be published in an 'ISE write-up' if this draft
>>  is sent to the IESG for a Conflict Review (RFC 5742).
> Yes, I can do this. I have written a great deal on how governments should configure and implement SSH.
> I was a part of the CCUF that provided an SSH package for use in Common Criterial Protection Profiles which was used by NIAP to generate the Functional Package for SSH.
> As written, the current draft will make that NIAP functional Package harder to handle.
>> b) Comments for the Independent Submissions Editor
>>  These are advice to the ISE, and will not be published.
>> If you can do the review, two to three weeks would be a good time frame.
>> If not, could you suggest other possible reviewers, please?
> If there is need, I can provide a suggested list of other possible reviewers for this document.
>> Thanks,
>> Adrian
>> -- 
>> Adrian Farrel (ISE),
> Thank you for the opportunity to help the ISE.
> You may feel free to send a copy of this message to the authors of the draft if you think it would be useful.
>        Be safe, stay healthy,
>        -- Mark