Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Sun, 26 March 2017 17:56 UTC
Return-Path: <ietf-ssh3@denisbider.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BC11294FA for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.563
X-Spam-Level:
X-Spam-Status: No, score=-1.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTZ46hRrxeKe for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:56:28 -0700 (PDT)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B54F7129650 for <curdle@ietf.org>; Sun, 26 Mar 2017 10:56:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=denisbider.com; s=mail; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=bhSMHJQ3GsIhnHi0hRUd661hZsKzzDcfbtEHC4iZJa8=; b=EUd5NWptPeOXOQcWXZY012rihsECmOYXA/22tfFgcpn7qywk8qa3wwdz9d/vkoWgczEDP1IJyqH6G HhmDflwLvGbXNXhU2EcBq9f+HLqYFY/WXR3j3z+cK2vRtKPro29rA4OnXCiQkchrPWYwY3oOpTTRGY luioc0iCsM0rEWgxCFkTNzSHyBgckeTY5y2YiKLeACT/uO0/Z7tfd1qrydhxr8c8X1xdAUqHqJhPPz LwmDLNzJpa/V62YkXjOdOSL9vsFIY/fHrqonHIfxJNXfgEmrLx2j8/nn+RsEgxTjOsvbkOG1XaukTM grfC7vDucqLMhogqKDkmrDmt8QZpfsg==
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com with ESMTPSA (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Sun, 26 Mar 2017 18:56:21 +0100
Message-ID: <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: Daniel Migault <daniel.migault@ericsson.com>, curdle <curdle@ietf.org>
References: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
In-Reply-To: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
Date: Sun, 26 Mar 2017 11:56:14 -0600
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/WmDw278p861UZan1rhp0rqjWMTg>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 17:56:30 -0000
Daniel: > Should we consider adding / replacing PKCS1v1.5 > by RSA-PSS for the signature format. An early version of the spec called for PSS. After strong objections - most prominently Peter Gutmann's; it is possible there were others - I changed back to PKCS1v1.5. The main objections were: - PSS is not as universally available; - adding a new type of padding would impose costs on highly resource-constrained implementations who would now have to support both. I have no objections to adding PSS. At this point, it would have to be added as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss. The existing names already have widely implemented / accepted meanings with PKCS1v1.5. > I understand that penalties are encouraging to > keep ssh-rsa while the use of sha1 is deprecated. > I suggest to provide some recommendations on how > to perform penalties. The issue are penalties in software already deployed. Servers are often used for 5-10 years without update. Users actively resist updates, even if we urge otherwise. Often, there's no one to perform an update. The administrator who configured the server has left. The people who use it are afraid, because they don't have anyone who understands their setup if it breaks. A new spec won't fix this deployed base. Software that's aware of this spec is suggested to implement the "server-sig-algs" extension with EXT_INFO. This eliminates any need to guess what signature algorithm to use. That is this spec's recommendation. > MGLT: Can we recommend to have penalties only applies > when algorithms are weaker than the one supported. The issue does not arise from implementations penalizing known algorithms, it arises from old software penalizing unknown algorithms. Old software cannot know whether an unknown algorithm is stronger or weaker than what it supports. An option we have is to recommend new implementations to not penalize unknown algorithms, because they could be stronger versions of known ones. That could be sensible. But the "server-sig-algs" extension already removes the need to try an algorithm the server doesn't support. > > When authenticating with an RSA key against a server > > that does not implement the "server-sig-algs" extension, > > clients MAY default to an ssh-rsa signature to avoid > > authentication penalties. > > MGLT: ssh-rsa must be deprecated, so I think we should > have something different. The fall back should be on > the most recommended algorithm, or the authentication > penalty should be changed. We can put in instructions that work and will realistically be followed, or we can put in instructions that don’t work. Due to existing deployed base, falling back to “rsa-sha2-256” when the server does not send “server-sig-algs” will not work. If the spec is made to require this, implementers will ignore it for compatibility. Worse, there will then be poor guidance toward a solution that does work. In my opinion, the way to deprecate ssh-rsa is to implement the new signature methods; implement the "server-sig-algs" extension to allow them to coexist; allow for several years of new deployment; and then, for new implementations to start disabling "ssh-rsa" by default. denis ----- Original Message ----- From: Daniel Migault Sent: Saturday, March 25, 2017 17:40 To: curdle Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt Hi, Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt. In a word my comments are: - 1) Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for the signature format. - 2) I understand that penalties are encouraging to keep ssh-rsa while the use of sha1 is deprecated. I suggest to provide some recommendations on how to perform penalties. Yours, Daniel Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) draft-ietf-curdle-rsa-sha2-03.txt Abstract This memo defines an algorithm name, public key format, and signature format for use of RSA keys with SHA-2 512 for server and client authentication in SSH connections. MGLT: Maybe we should also add penalty recommendations as well ? 2. Public Key Algorithms This memo adopts the style and conventions of [RFC4253] in specifying how use of a signature algorithm is indicated in SSH. The following new signature algorithms are defined: rsa-sha2-256 RECOMMENDED sign Raw RSA key rsa-sha2-512 OPTIONAL sign Raw RSA key These signature algorithms are suitable for use both in the SSH transport layer [RFC4253] for server authentication, and in the authentication layer [RFC4252] for client authentication. Since RSA keys are not dependent on the choice of hash function, both new algorithms reuse the public key format of the existing "ssh-rsa" algorithm as defined in [RFC4253]: string "ssh-rsa" mpint e mpint n All aspects of the "ssh-rsa" format are kept, including the encoded string "ssh-rsa", in order to allow users' existing RSA keys to be used with the new signature formats, without requiring re-encoding, or affecting already trusted key fingerprints. Signing and verifying using these algorithms is performed according to the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as hash; MGF1 as mask function; and salt length equal to hash size. MGLT: Could we also take this opportunity to upgrade the signature to RSA-PSS ? If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most implementation, maybe this document could also define "rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could define rsa-sha2-* with RSA-PSS. 3. Discovery of signature algorithms supported by servers Implementation experience has shown that there are servers which apply authentication penalties to clients attempting signature algorithms which the SSH server does not support. MGLT: Can we recommend to have penalties only applies when algorithms are weaker than the one supported. Servers that accept rsa-sha2-* signatures for client authentication SHOULD implement the extension negotiation mechanism defined in [SSH-EXT-INFO], including especially the "server-sig-algs" extension. When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an ssh-rsa signature to avoid authentication penalties. MGLT: ssh-rsa must be deprecated, so I think we should have something different. The fall back should be on the most recommended algorithm, or the authentication penalty should be changed. _______________________________________________ Curdle mailing list Curdle@ietf.org https://www.ietf.org/mailman/listinfo/curdle
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Mark D. Baushke
- [Curdle] comments on draft-ietf-curdle-rsa-sha2-0… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider (Bitvise)
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Ilari Liusvaara
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault