Re: [Curdle] Which curves are MUST and SHOULD ?

"Mark D. Baushke" <mdb@juniper.net> Mon, 04 January 2021 20:21 UTC

To: Hubert Kario <hkario@redhat.com>
CC: <curdle@ietf.org>
In-Reply-To: <0f4dce32-b362-43d8-85e0-9608ca3427ab@redhat.com>
References: <2CCABC30-F757-4659-9FF3-5AADDD51EE30@akamai.com> <4b681efd49274f03c7e0521e127e031426632ad0.camel@redhat.com> <CADZyTkk--kCWqE7q0Xi5C40V92MuZBktDzQGt_vPSZPiBy7v9w@mail.gmail.com> <18479.1606885358@eng-mail01.juniper.net> <20201205194724.GB64351@kduck.mit.edu> <37691.1607621661@eng-mail01.juniper.net> <1607647129866.76532@cs.auckland.ac.nz> <2917.1607672034@eng-mail01.juniper.net> <012AE120-2516-44F6-B729-ED342A137535@timeheart.net> <ED8F3B46-A5CC-4D14-A714-FD1C0AA67486@akamai.com> <12959BD6-F3AB-418B-8CE0-C3BE43999435@timeheart.net> <40887.1608233724@eng-mail03> <0f4dce32-b362-43d8-85e0-9608ca3427ab@redhat.com>
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Mon, 4 Jan 2021 12:21:50 -0800
Message-ID: <90135.1609791710@eng-mail03>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/XlEze7Fu4DEy32aCeFCZTw6Q1Do>

Hubert Kario <hkario@redhat.com> writes:

> On Thursday, 17 December 2020 20:35:24 CET, Mark D. Baushke wrote:
> > Ron Frederick <ronf@timeheart.net> writes:
> >
> >> On Dec 15, 2020, at 8:09 AM, Salz, Rich <rsalz@akamai.com> wrote:
> >>>>   I’m not comfortable with algorithms going from REQUIRED to
> >>>> SHOULD NOT without some kind of transitional period. My
> >>>> suggestion would be to ease into this with SHOULD NOT for
> >>>> now. If you want to discuss BCP in this draft, perhaps that
> >>>> can be a separate section.
> >>>
> >>> We've done it before, MD5, short RSA/DH keys, etc.
> >>>
> >>> We shouldn't pretend that crypto-breaking advances haven't happened.
> >>>
> >>> Admins can make trade-offs anyway.
> >
> > I am under the impression that the audience here is the maintainers of
> > SSHv2 software rather than the administrators that manage the sites
> > using it.
> 
> it's both

Fair enough.

Two kinds of stakeholders: a) "implementors" and b) "users" should mean
more responses for the question.

Okay. In the original RFC4253 specification both

    diffie-hellman-group1-sha1 
and
    diffie-hellman-group14-sha1

were REQUIRED key exchanges.

The group1 parameters in RFC4253 point to the 1024-bit MODP Second
Oakley Group given in RFC2409 section 6.2 and RFC2412 section E.2.

There are two issues with diffie-hellman-group1-sha1: 1) recent
estimates are that it has roughly 80 bits of security strength, and 2)
it uses SHA1 for hashing which is considered weak.

If we choose "MUST NOT" for this key exchange, then we are going from
"MUST" to "MUST NOT" which could be a hardship for low-end devices
unable to run calculations to generate a shared secret using a larger
MODP group if support is completely removed.

If we choose "SHOULD NOT", then it is hoped that most implementors would
default to not configuring this option by default, but may provide it
for environments that need it.

If we choose "MAY", then it is not certain if implementors or users will
do much of anything different and this potentially insecure key exchange
may continue to be used even when it may be a hazard to those that
desire a more secure by default system.

Are you an SSH implementor or user or both?

  Implementor
  User
  Both

I would like to get a straw vote for the six *sha1* related key
exchanges. I am proposing that the rsa1024-sha1-* kex be a MUST NOT and
that all of the others be a SHOULD NOT.

1. For diffie-hellman-group1-sha1 what is your vote?

  MUST          -- current for RFC4253
  SHOULD
  MAY
  SHOULD NOT    -- proposed in the -13 draft
  MUST NOT

2. For diffie-hellman-group14-sha1 what is your vote?

  MUST          -- current for RFC4253
  SHOULD
  MAY           -- proposed in the -13 draft
  SHOULD NOT
  MUST NOT

3. For diffie-hellman-group-exchange-sha1 what is your vote?

  MUST
  SHOULD
  MAY           -- current for RFC4419    
  SHOULD NOT    -- proposed in the -13 draft
  MUST NOT

4. For rsa1024-sha1 what is your vote?

  MUST
  SHOULD
  MAY           -- current for RFC4432
  SHOULD NOT
  MUST NOT      -- proposed in the -13 draft

5. For gss-gex-sha1-* what is your vote?

  MUST
  SHOULD        -- current for RFC4462
  MAY
  SHOULD NOT    -- proposed in the -13 draft
  MUST NOT  

6. For gss-group1-sha1-* what is your vote?

  MUST
  SHOULD        -- current for RFC4462
  MAY
  SHOULD NOT    -- proposed in the -13 draft
  MUST NOT  

You may direct your votes to the list or to the chairs and me.

	Be safe, stay healthy,
	-- Mark
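An added worked example (not part of Mark's message, the -13 draft, or any SSH implementation) that turns the straw-vote table above into an audit: it classifies the entries of a server's kex_algorithms name-list against the levels proposed in the message, and reproduces the "roughly 80 bits" figure for the 1024-bit group1 MODP parameters using the general number field sieve cost heuristic that NIST SP 800-56B / FIPS 140-2 IG 7.5 use to rate finite-field DH and RSA modulus sizes. The function names, the sample name-list and the GSS mechanism suffix in it are constructed for illustration; the GSS families are matched on their fixed "gss-gex-sha1-" / "gss-group1-sha1-" prefixes because the real suffix is mechanism-specific.

```python
"""Audit an SSH kex name-list against the -13 draft levels proposed in the
message above.  Added example; not code from the draft or from any SSH project.
"""
import math

# Proposed requirement levels for the six SHA-1 key exchanges, as given in the
# message's vote table (the "-13 draft" column).  Entries ending in "-*" are
# the GSS-API kex families of RFC 4462, whose names carry a per-mechanism suffix.
PROPOSED_LEVELS = {
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "rsa1024-sha1": "MUST NOT",
    "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT",
}

# Modulus sizes behind the fixed-size methods: group1 is the 1024-bit Second
# Oakley Group (RFC 2409 s6.2), group14 is the 2048-bit group of RFC 3526, and
# rsa1024-sha1 uses a 1024-bit transient RSA key (RFC 4432).
MODULUS_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "rsa1024-sha1": 1024,
    "gss-group1-sha1-*": 1024,
}

LN2 = math.log(2)


def modp_strength_bits(modulus_bits: int) -> float:
    """Rough security strength of an L-bit finite-field DH group or RSA modulus.

    Uses the GNFS cost heuristic from NIST SP 800-56B / FIPS 140-2 IG 7.5:
        (1.923 * cbrt(L ln2) * cbrt((ln(L ln2))^2) - 4.69) / ln2
    For L = 1024 this evaluates to about 80 bits, the figure cited in the
    message; for L = 2048 it gives about 110 (NIST rounds that to 112).
    """
    x = modulus_bits * LN2
    return (1.923 * x ** (1 / 3) * (math.log(x) ** 2) ** (1 / 3) - 4.69) / LN2


def _matches(name: str, key: str) -> bool:
    """Exact match, or prefix match for the 'family-*' GSS entries."""
    if key.endswith("-*"):
        return name.startswith(key[:-1])
    return name == key


def proposed_level(kex_name: str) -> str:
    """Map a kex method name to its proposed level; anything else is 'unlisted'."""
    for key, level in PROPOSED_LEVELS.items():
        if _matches(kex_name, key):
            return level
    return "unlisted"


def audit_kex_list(name_list: str):
    """Split a comma-separated SSH name-list (RFC 4251 s5, as sent in KEXINIT)
    and return (name, proposed level, approx. strength bits or None) per entry."""
    report = []
    for name in name_list.split(","):
        name = name.strip()
        if not name:
            continue
        bits = None
        for key, size in MODULUS_BITS.items():
            if _matches(name, key):
                bits = round(modp_strength_bits(size))
        report.append((name, proposed_level(name), bits))
    return report


def flagged(name_list: str):
    """Entries the proposal would have implementations stop offering by default."""
    return [n for n, level, _ in audit_kex_list(name_list)
            if level in ("SHOULD NOT", "MUST NOT")]


# Constructed sample: a server's kex_algorithms name-list mixing modern methods
# with the SHA-1 ones under vote.  The GSS suffix is a placeholder, not a real
# mechanism hash.
SAMPLE_KEX_LIST = (
    "curve25519-sha256,diffie-hellman-group14-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,"
    "gss-group1-sha1-AAAAAAAAAAAAAAAAAAAAAA==,rsa1024-sha1"
)

if __name__ == "__main__":
    for name, level, bits in audit_kex_list(SAMPLE_KEX_LIST):
        strength = f"  (~{bits}-bit strength)" if bits else ""
        print(f"{name:42} {level}{strength}")
```

Feeding the list a real server offers (for OpenSSH, the kex_algorithms line from `ssh -vv` or `ssh -Q kex` on the client side) shows at a glance which of the six SHA-1 methods are still enabled and which of them the proposal would reduce to SHOULD NOT or MUST NOT; the strength estimate is only the heuristic's output for the modulus size and says nothing about the SHA-1 weakness, which applies to every entry in the table regardless of group size.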