Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)
Ron Frederick <ronf@timeheart.net> Wed, 28 August 2019 22:37 UTC
Return-Path: <ronf@timeheart.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CDF1200E3 for <curdle@ietfa.amsl.com>; Wed, 28 Aug 2019 15:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwSXb4fDn8Et for <curdle@ietfa.amsl.com>; Wed, 28 Aug 2019 15:37:20 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D6BB12024E for <curdle@ietf.org>; Wed, 28 Aug 2019 15:37:20 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id w11so620971plp.5 for <curdle@ietf.org>; Wed, 28 Aug 2019 15:37:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=B7sQUH35b5LgNZlQ9qOGfmyqYi5h7gTlv7KWhHybh78=; b=KS2UbWI56+0SD+yfWhyJfgZWQ830wTqSwg1gYXg8FewoM3bMTm2zJeGIpNjqtEu0FT 2t7byqHIwOhshUI6rXI36ls4WxfAT7k0Dshb4iF8ejWK/XKRG5sMM2/0joaUM/7gBMWv etxIQXKOwK9dR4c/x38OFgOWDhkpao4Ltcbcs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=B7sQUH35b5LgNZlQ9qOGfmyqYi5h7gTlv7KWhHybh78=; b=g/+VXYQp7JG7Q7gWrkGHwyom511dW1diyErygRZxwraz4pcZ/+whFlIFD7mapcoGrA HjewllE0QeJj1yQyQnkhoD7fZz5WORCOlKLnK41fE+3JwVpDkOLLe0gizMjfwzRcitUs Y3Xf/9cu3wksGXHkhO6BCVCuCqoncykSfW0zvrBIlTWQ/iCjxR4a4oDzJws+8bVjW1YD 82hS4iVVh2A4hFaTypI8dejCIBGJNRD93W0Kdka9c7+oLNo0v4TDFsXSp4+7WQ/K4zjv nnSzs24NV3p+PsuLNKJK9basKPy5AhPSqcFn8rDxWojViGYCCZ/LKIzLvY6FWiJYz24y HP6Q==
X-Gm-Message-State: APjAAAUC1uU4VEaIhHeSm5JHQdY57jn10zX4rb1qMslcBzVBdAVtr69N QrVKGLB8EWTX0OYcIXFco8pijg==
X-Google-Smtp-Source: APXvYqytc6mEWdENSnZeF9Y5L/ejg6ofni62p8p7Cml4o61vvEiBJ8VHsF7a/g1/mGiWJl8tV3kqSA==
X-Received: by 2002:a17:902:7886:: with SMTP id q6mr6818836pll.78.1567031839865; Wed, 28 Aug 2019 15:37:19 -0700 (PDT)
Received: from [10.17.102.191] ([155.64.23.53]) by smtp.gmail.com with ESMTPSA id o4sm202234pje.28.2019.08.28.15.37.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Aug 2019 15:37:19 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Ron Frederick <ronf@timeheart.net>
In-Reply-To: <be7c3562-2a26-6d11-8db6-b485e9b4aa22@badcode.be>
Date: Wed, 28 Aug 2019 15:37:17 -0700
Cc: "Mark D. Baushke" <mdb@juniper.net>, Mirja Kühlewind <ietf@kuehlewind.net>, curdle@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, draft-ietf-curdle-ssh-curves@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A321C2C-7EE8-4290-888A-7AF19863BEA0@timeheart.net>
References: <156699015116.32300.11396032996637636651.idtracker@ietfa.amsl.com> <18058.1567007603@contrail-ubm16-mdb.svec1.juniper.net> <be7c3562-2a26-6d11-8db6-b485e9b4aa22@badcode.be>
To: Aris Adamantiadis <aris@badcode.be>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/SS5Ge7PFQ8vIokgYW4Ie5BBlK5E>
Subject: Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 22:37:24 -0000
On Aug 28, 2019, at 10:08 AM, Aris Adamantiadis <aris@badcode.be> wrote: > Le 28-08-19 à 17:53, Mark D. Baushke a écrit : >> In section 3, the appropriate SSH "protocol error" might be one of a >> two: >> >> SSH_ERR_KEY_INVALID_EC_VALUE for zeros found for the all-zero shared >> secret >> >> and >> SSH_ERR_SIGNATURE_INVALID if the blob is not the correct size for a >> public key >> >> However, an implementation miight return SSH_ERR_SIGNATURE_INVALID >> rather than SSH_ERR_KEY_INVALID_EC_VALUE depending on how the >> implementation was written. >> >> As long as the connection aborts and does not continue in the case of a >> "protocol error", it is sufficient in my opinion. >> >> Is it really needful to be prescriptive in this given that many >> implementations of this code have already been fielded and I do not >> have any ability to know which design choices they made? > > Hi Mark, > > I would think it's best that as little information as possible about the error is sent over the SSH connection. This vector was historically used to exploit other cryptographic protocols, enabling attacks such as padding oracles and others. Additionally it doesn't really help the end user who would see this message, because this is clearly an implementation issue within the SSH software stack, not something that the user can tweak in a configuration file. > > I'd then recommend a SHOULD send SSH_ERR_SIGNATURE_INVALID for all cases where protocol errors happen when handling the shared secret or the peer's key, if we really wish to be prescriptive, something I don't think is important. The SSH_ERR_* names are not actually wire protocol constructs, so I don’t believe they should be used in this spec. From what I can see, they are values defined internally by OpenSSH and LibSSH (and possibly others), but in the end they are converted to a text string before being used anywhere. I didn’t track all the way through the code to see if the text strings ever appear on the wire or not or only in local log messages, but if they did appear on the wire I expect they would be as the “description” text in an SSH_MSG_DISCONNECT message. The “reason code” in that message comes from a much smaller list (defined in RFC 4253 section 11.1) and would probably be set to SSH_DISCONNECT_PROTOCOL_ERROR or perhaps SSH_DISCONNECT_KEY_EXCHANGE_FAILED. I agree that this spec should not attempt to go into detail about what error is returned, especially not for a text string like this. I could see potentially recommending that a disconnect be performed, but even attempting to recommend the specific disconnect reason runs the risk of not matching what existing implementations are currently doing in this case and I see very little value in trying to standardize the exact disconnect reason. -- Ron Frederick ronf@timeheart.net
- [Curdle] Mirja Kühlewind's Discuss on draft-ietf-… Mirja Kühlewind via Datatracker
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Mark D. Baushke
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Aris Adamantiadis
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Ron Frederick
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… denis bider