Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Sun, 26 March 2017 17:56 UTC
Return-Path: <ietf-ssh3@denisbider.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BC11294FA for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.563
X-Spam-Level:
X-Spam-Status: No, score=-1.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTZ46hRrxeKe for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:56:28 -0700 (PDT)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B54F7129650 for <curdle@ietf.org>; Sun, 26 Mar 2017 10:56:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=denisbider.com; s=mail; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=bhSMHJQ3GsIhnHi0hRUd661hZsKzzDcfbtEHC4iZJa8=; b=EUd5NWptPeOXOQcWXZY012rihsECmOYXA/22tfFgcpn7qywk8qa3wwdz9d/vkoWgczEDP1IJyqH6G HhmDflwLvGbXNXhU2EcBq9f+HLqYFY/WXR3j3z+cK2vRtKPro29rA4OnXCiQkchrPWYwY3oOpTTRGY luioc0iCsM0rEWgxCFkTNzSHyBgckeTY5y2YiKLeACT/uO0/Z7tfd1qrydhxr8c8X1xdAUqHqJhPPz LwmDLNzJpa/V62YkXjOdOSL9vsFIY/fHrqonHIfxJNXfgEmrLx2j8/nn+RsEgxTjOsvbkOG1XaukTM grfC7vDucqLMhogqKDkmrDmt8QZpfsg==
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com with ESMTPSA (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Sun, 26 Mar 2017 18:56:21 +0100
Message-ID: <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>
References: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
In-Reply-To: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
Date: Sun, 26 Mar 2017 11:56:14 -0600
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/WmDw278p861UZan1rhp0rqjWMTg>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 17:56:30 -0000
Daniel:
> Should we consider adding / replacing PKCS1v1.5
> by RSA-PSS for the signature format.
An early version of the spec called for PSS. After strong objections - most
prominently Peter Gutmann's; it is possible there were others - I changed
back to PKCS1v1.5. The main objections were:
- PSS is not as universally available;
- adding a new type of padding would impose costs on highly
resource-constrained implementations who would now have to support both.
I have no objections to adding PSS. At this point, it would have to be added
as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss.
The existing names already have widely implemented / accepted meanings with
PKCS1v1.5.
> I understand that penalties are encouraging to
> keep ssh-rsa while the use of sha1 is deprecated.
> I suggest to provide some recommendations on how
> to perform penalties.
The issue are penalties in software already deployed. Servers are often used
for 5-10 years without update. Users actively resist updates, even if we
urge otherwise. Often, there's no one to perform an update. The
administrator who configured the server has left. The people who use it are
afraid, because they don't have anyone who understands their setup if it
breaks. A new spec won't fix this deployed base.
Software that's aware of this spec is suggested to implement the
"server-sig-algs" extension with EXT_INFO. This eliminates any need to guess
what signature algorithm to use. That is this spec's recommendation.
> MGLT: Can we recommend to have penalties only applies
> when algorithms are weaker than the one supported.
The issue does not arise from implementations penalizing known algorithms,
it arises from old software penalizing unknown algorithms. Old software
cannot know whether an unknown algorithm is stronger or weaker than what it
supports.
An option we have is to recommend new implementations to not penalize
unknown algorithms, because they could be stronger versions of known ones.
That could be sensible. But the "server-sig-algs" extension already removes
the need to try an algorithm the server doesn't support.
> > When authenticating with an RSA key against a server
> > that does not implement the "server-sig-algs" extension,
> > clients MAY default to an ssh-rsa signature to avoid
> > authentication penalties.
>
> MGLT: ssh-rsa must be deprecated, so I think we should
> have something different. The fall back should be on
> the most recommended algorithm, or the authentication
> penalty should be changed.
We can put in instructions that work and will realistically be followed, or
we can put in instructions that don’t work.
Due to existing deployed base, falling back to “rsa-sha2-256” when the
server does not send “server-sig-algs” will not work. If the spec is made to
require this, implementers will ignore it for compatibility. Worse, there
will then be poor guidance toward a solution that does work.
In my opinion, the way to deprecate ssh-rsa is to implement the new
signature methods; implement the "server-sig-algs" extension to allow them
to coexist; allow for several years of new deployment; and then, for new
implementations to start disabling "ssh-rsa" by default.
denis
----- Original Message -----
From: Daniel Migault
Sent: Saturday, March 25, 2017 17:40
To: curdle
Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
Hi,
Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt.
In a word my comments are:
- 1) Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for the
signature format.
- 2) I understand that penalties are encouraging to keep ssh-rsa while
the use of sha1 is deprecated. I suggest to provide some recommendations on
how to perform penalties.
Yours,
Daniel
Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
draft-ietf-curdle-rsa-sha2-03.txt
Abstract
This memo defines an algorithm name, public key format, and signature
format for use of RSA keys with SHA-2 512 for server and client
authentication in SSH connections.
MGLT: Maybe we should also add penalty recommendations as well ?
2. Public Key Algorithms
This memo adopts the style and conventions of [RFC4253] in specifying
how use of a signature algorithm is indicated in SSH.
The following new signature algorithms are defined:
rsa-sha2-256 RECOMMENDED sign Raw RSA key
rsa-sha2-512 OPTIONAL sign Raw RSA key
These signature algorithms are suitable for use both in the SSH transport
layer [RFC4253] for server authentication, and in the authentication
layer [RFC4252] for client authentication.
Since RSA keys are not dependent on the choice of hash function, both
new algorithms reuse the public key format of the existing "ssh-rsa"
algorithm as defined in [RFC4253]:
string "ssh-rsa"
mpint e
mpint n
All aspects of the "ssh-rsa" format are kept, including the encoded
string "ssh-rsa", in order to allow users' existing RSA keys to be
used with the new signature formats, without requiring re-encoding,
or affecting already trusted key fingerprints.
Signing and verifying using these algorithms is performed according to
the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as
hash; MGF1 as mask function; and salt length equal to hash size.
MGLT: Could we also take this opportunity to upgrade the signature to
RSA-PSS ?
If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most
implementation, maybe this document could also define
"rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could
define rsa-sha2-* with RSA-PSS.
3. Discovery of signature algorithms supported by servers
Implementation experience has shown that there are servers which apply
authentication penalties to clients attempting signature algorithms
which the SSH server does not support.
MGLT: Can we recommend to have penalties only applies when algorithms are
weaker than the one supported.
Servers that accept rsa-sha2-* signatures for client authentication
SHOULD implement the extension negotiation mechanism defined in
[SSH-EXT-INFO], including especially the "server-sig-algs" extension.
When authenticating with an RSA key against a server that does not
implement the "server-sig-algs" extension, clients MAY default to an
ssh-rsa signature to avoid authentication penalties.
MGLT: ssh-rsa must be deprecated, so I think we should have something
different. The fall back should be on the most recommended algorithm, or the
authentication penalty should be changed.
_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Mark D. Baushke
- [Curdle] comments on draft-ietf-curdle-rsa-sha2-0… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider (Bitvise)
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Ilari Liusvaara
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault