Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Sat, 25 March 2017 19:52 UTC
Return-Path: <ietf-ssh3@denisbider.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DE3127A97 for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 12:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.562
X-Spam-Level:
X-Spam-Status: No, score=-1.562 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qa2M3Ru1HjJu for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 12:52:46 -0700 (PDT)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F379812773A for <curdle@ietf.org>; Sat, 25 Mar 2017 12:52:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=denisbider.com; s=mail; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=mUsi1okLDpitQoAsJeMi1csIDNPtSWEO4NVqcRbGK8g=; b=ES7zsAbhaZBovmxVacqoZAwPDhHUeUdw3KptwHNpT8FZ6rseJABhJEC0iQMlGsUmya7zMER60t1D9 m0cgN6h+G2WmwJ7QkpwOemlDtAxVCcbUEEuIwTnJHSVCLvw/sLmoYZX8DB6sOhJMbTq/jYXjhs1QLq j0bWgEvF9+KR1iCcCfdFJYvPcKrw1xEfIcewtqTuRRs4v8q3OT/HgZqOydRPNQwFK4GFki1Np/kJpE haIgIBXOT9GcUD12I/hX4E9Zxg3pu8TKlRE1wVtMH6MbFH22LxkosS2kMusTwQVeHkaUQS9wDXeOXU cjbKlpgqAxpMvn9ZWyeqd/wGBEOoM1A==
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com with ESMTPSA (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Sat, 25 Mar 2017 19:52:17 +0000
Message-ID: <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan>
From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz>, <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz>, <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz>
In-Reply-To: <1490436136828.60577@cs.auckland.ac.nz>
Date: Sat, 25 Mar 2017 13:52:43 -0600
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/T07iqCk1hKBbJ8UCkct4zmqjA8k>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 19:52:47 -0000
Peter: > I was thinking of it in terms of SSL's Change Cipherspec, > the same as SSH's Newkeys, where there's all sorts of > subtle problems if you send data before getting the other > side's CCS to confirm that both sides are using the same > crypto parameters. Can you point out some of these subtle problems that could occur in this regard in SSH? > So the point of the SSH_MSG_SERVICE_REQUEST wasn't so much > getting back the "yeah, sure, whatever" response from the > server, it was being able to verify that you could decrypt > and MAC the response you got. If that was a primary purpose, rather than a side effect, I imagine there would be an SSH_MSG_NEWKEYS_VERIFY, which would be encrypted with the new crypto parameters. This could be sent immediately after SSH_MSG_NEWKEYS, which is the last message that uses old parameters. But yes, it's possible this is a desired side effect. In this case, if the server sends EXT_INFO immediately after NEWKEYS, and client wants to wait for a successful encrypted packet before queueing up an authentication request; this lets the client queue up the authentication request faster, because it doesn't have to wait for SERVICE_ACCEPT. Instead, the server's EXT_INFO already serves this role. The server's EXT_INFO doesn't contain confidential information (client is not authenticated), so there is no problem there. This leaves the situation that the client may be sending its own EXT_INFO after NEWKEYS. Perhaps an extension will be defined where the client would send info here it doesn't want to make public. (Currently, I don't know of one.) Under the assumption that such an extension were defined, can you point out at least one way that sending this info right after NEWKEYS can help an attacker? > > 2. Send SERVICE_REQUEST, immediately followed by a USERAUTH > > message. This can all be sent potentially in the same > > transmission as the client's NEWKEYS. > > Ugh. So there are implementations that will send a NEWKEYS + > SERVICE_REQUEST + USERAUTH all in one block without having > any idea wheteher the crypto handshake process has succeeded? It is possible. However, I'm not aware that an implementation actually does this. Ours waits for SERVICE_ACCEPT. I checked three others; they wait too. > > string "no-flow-control" > > string choice of: "p" for preferred | "s" for supported > > So you really just need at least one side to set a boolean > flag saying "yes, I really want this". In other words > no-flow-control + boolean = false says the option is > available, and boolean = true says you must enable the option. Yes. But the extension value field is generically a string (it must be same type for all extensions, so unsupported extensions can be decoded and ignored). "p" and "s" are therefore fitting ways to express this boolean. This week, I implemented "no-flow-control" in our software (in the manner recently defined - using "p" to indicate preferred, and "s" for supported). It works, but I point out that testing indicates zero performance benefit between our SSH Client and Server. In other words, regular SSH flow control has no handbrake effect if it's done right. The main advantages I see with this extension are: - In 10 years: it could become widely supported, and new simpler SSH software that only needs one channel can avoid complexity, and never implement SSH flow control. - Right now: authors who are having trouble with their window adjusting can sidestep that by implementing "no-flow-control" in addition. Properly implemented flow control is superior. However, this extension is a nod to that not everyone will be using an SSH library that does this right, and "no-flow-control" is a better option if your needs are simple, and you don't have a few years to get this right. denis ----- Original Message ----- From: Peter Gutmann Sent: Saturday, March 25, 2017 04:02 To: denis bider (Bitvise) ; Daniel Migault ; curdle Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes: >I'm not sure that I see the threat here, or how the described behavior >would >resolve it. I was thinking of it in terms of SSL's Change Cipherspec, the same as SSH's Newkeys, where there's all sorts of subtle problems if you send data before getting the other side's CCS to confirm that both sides are using the same crypto parameters. I'd always assumed that SSH's use of the redudant SSH_MSG_SERVICE_REQUEST followed by a SSH_MSG_USERAUTH_REQUEST was that you checked that the SSH_MSG_SERVICE_REQUEST succeeded, in other words that both sides had scuccessfully agreed on the same crypto parameters, before sending sensitive data in the SSH_MSG_USERAUTH_REQUEST. So the point of the SSH_MSG_SERVICE_REQUEST wasn't so much getting back the "yeah, sure, whatever" response from the server, it was being able to verify that you could decrypt and MAC the response you got. >2. Send SERVICE_REQUEST, immediately followed by a USERAUTH message. > >This can all be sent potentially in the same transmission as the client's >NEWKEYS. Ugh. So there are implementations that will send a NEWKEYS + SERVICE_REQUEST + USERAUTH all in one block without having any idea wheteher the crypto handshake process has succeeded? >But I don't see what this would achieve, since NEWKEYS is still >unencrypted. >As-is, the server doesn't send an encrypted piece of information until it's >replying to SERVICE_ACCEPT. See above, I was using the SERVICE_REQUEST + SERVICE_ACCEPT to verify that client and server are on the same page cryptographically. >When re-adding "no-flow-control", I realized that the original definition >is >deficient, and allows no room for implementations that support this >extension, but still prefer not to use it. > >Ours would be an implementation like that. If this needs two >implementations >to be added, I will implement it to make life easier for implementers of >simpler SSH software, but I would prefer not to use it. > >I have therefore changed the definition as follows: > > string "no-flow-control" > string choice of: "p" for preferred | "s" for supported > >To take effect, this extension MUST be: > >- Sent by both parties. >- At least one party MUST have sent the value "p" (preferred). That seems a bit wierd... the fact that a client or server is sending no-flow- control already says "supported". So you really just need at least one side to set a boolean flag saying "yes, I really want this". In other words no- flow-control + boolean = false says the option is available, and boolean = true says you must enable the option. Peter.
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Eric Rescorla
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- [Curdle] Multiple WGLC Daniel Migault
- Re: [Curdle] Multiple WGLC Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Multiple WGLC Mark D. Baushke
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Benjamin Kaduk
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider (Bitvise)
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Peter Gutmann
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… denis bider
- Re: [Curdle] Comments on draft-ietf-curdle-ssh-ex… Eric Rescorla