Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

"Mark D. Baushke" <mdb@juniper.net> Thu, 26 November 2020 19:07 UTC

To: Hubert Kario <hkario@redhat.com>, Tero Kivinen <kivinen@iki.fi>
CC: curdle@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/YxF3kKSKWos0O-1-AOSTOHNdkfk>

Hi Tero & Hubert,

Hubert does raise an interesting point regarding Transcript Collision
attacks using SHA-1 to perform a downgrade attack on the selection of
weak symmetric ciphers being negotiated during the key exchange.

The pre-conditions of the Transcript Collision Attack depend on public
key reuse as is found on page 13 "C. Downgrading SSH-2 to Weak
Ciphersuites with a Chosen-Prefix Transcript Collision" of the paper.

I could add this informative reference:

    Karthikeyan Bhargavan, Gaëtan Leurent. Transcript Collision Attacks:
    Breaking Authentication in TLS, IKE, and SSH. Network and Distributed
    System Security Symposium -- NDSS 2016, Feb 2016, San Diego, United
    States. DOI 10.14722/ndss.2016.23418. hal-01244855.
    URL: https://hal.inria.fr/hal-01244855/document

to the informative section of the RFC and try to add additional
theoretical justification against SHA-1, is this really necessary?

The paper does show that the group exchange (RFC4419) use of *-sha1 may
be somewhat easier to attack than the fixed group, but I have already
listed that as 'SHOULD NOT' in my -12 draft.

The real question here is if "SHOULD NOT" is the correct implementation
guidance for all use of diffie-hellman-group14-sha1 in key exchanges
which is a big jump from "MUST" right now. All of the other *-sha1
exchanges in the draft are listed as "SHOULD NOT" already.

Even so, I am already suggesting that any *-sha1 kex be listed last in
the negotiation list if it appears at all.

I do not actually have a table which compares the current state of the
RFC enumerated key exchanges with the suggestions in this draft.

The '-' in the table below indicates that the RFC did not actually say
if the new key exchanges were a MUST, SHOULD, or MAY. I am considering
them to all be "MAY" ...

I am happy to reconsider if any of the implementation guidance should be
modified as this list is somewhat subjective to my own views based on
the criteria I address in the draft and also looking at algorithms
deployed by a number of the common SSH implementations.

Obviously, if an implementation does not support ECC, I would not expect
ECDH or Curve* to be present. Similarly, an implementation without
GSS-API support will be missing the gss* exchanges.

 Key Exchange Method Name             | Reference | Was       | Implement

 curve25519-sha256                    | RFC8731   | -         | SHOULD
 curve448-sha512                      | RFC8731   | -         | MAY
 diffie-hellman-group-exchange-sha1   | RFC4419   | -         | SHOULD NOT
 diffie-hellman-group-exchange-sha256 | RFC4419   | -         | MAY
 diffie-hellman-group1-sha1           | RFC4253   | MUST      | SHOULD NOT
 diffie-hellman-group14-sha1          | RFC4253   | MUST      | SHOULD
 diffie-hellman-group14-sha256        | RFC8268   | -         | MUST
 diffie-hellman-group15-sha512        | RFC8268   | -         | MAY
 diffie-hellman-group16-sha512        | RFC8268   | -         | SHOULD
 diffie-hellman-group17-sha512        | RFC8268   | -         | MAY
 diffie-hellman-group18-sha512        | RFC8268   | -         | MAY
 ecdh-sha2-*                          | RFC5656   | MAY       | MAY
 ecdh-sha2-nistp256                   | RFC5656   | MUST      | SHOULD
 ecdh-sha2-nistp384                   | RFC5656   | MUST      | SHOULD
 ecdh-sha2-nistp521                   | RFC5656   | MUST      | SHOULD
 ecmqv-sha2                           | RFC5656   | MAY       | MAY
 ext-info-c                           | RFC8308   | SHOULD    | SHOULD
 ext-info-s                           | RFC8308   | SHOULD    | SHOULD
 gss-*                                | RFC4462   | -         | MAY
 gss-curve25519-sha256-*              | RFC8732   | SHOULD    | SHOULD
 gss-curve448-sha512-*                | RFC8732   | MAY       | MAY
 gss-gex-sha1-*                       | RFC4462   | -         | SHOULD NOT
 gss-group1-sha1-*                    | RFC4462   | -         | SHOULD NOT
 gss-group14-sha256-*                 | RFC8732   | SHOULD    | SHOULD
 gss-group15-sha512-*                 | RFC8732   | MAY       | MAY
 gss-group16-sha512-*                 | RFC8732   | SHOULD    | SHOULD
 gss-group17-sha512-*                 | RFC8732   | MAY       | MAY
 gss-group18-sha512-*                 | RFC8732   | MAY       | MAY
 gss-nistp256-sha256-*                | RFC8732   | SHOULD    | SHOULD
 gss-nistp384-sha384-*                | RFC8732   | MAY       | SHOULD
 gss-nistp521-sha512-*                | RFC8732   | MAY       | MAY
 rsa1024-sha1                         | RFC4432   | -         | MUST NOT
 rsa2048-sha256                       | RFC4432   | -         | MAY

Thank you for your continued comments to improve this draft.

	Be safe, stay healthy,
	-- Mark

PS: It has already been noted that the draft actually updates more than
just RFC 4250. So, the next revision will mention that it updates="4250
4253 4432 4462"
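As an added example (not part of Mark's message, nor code from the draft or any SSH implementation), the following Python audit checks an SSH key-exchange name-list, in the comma-separated form carried in SSH_MSG_KEXINIT, against the "Implement" column of the table above: it flags MUST NOT and SHOULD NOT methods, reports a missing MUST method, resolves the table's wildcard entries (most specific pattern wins), and warns when a *-sha1 method is listed ahead of a non-SHA-1 method, which is the ordering advice given in the message. The function names, the severity labels, the treatment of ext-info-c/-s as non-kex indicators, and the two sample name-lists are all constructed for this illustration; the guidance levels are transcribed from the table as it appears in the message, not from the final RFC.

```python
"""Audit an SSH kex name-list against the draft guidance table in the message.

Added illustration: the table values are copied from Mark's message; the audit
logic, names and sample inputs are constructed here and are not from the draft.
"""
import fnmatch

# "Implement" column of the table in the message. Entries containing '*' are
# wildcards exactly as the table lists them (e.g. the gss-* families).
DRAFT_GUIDANCE = {
    "curve25519-sha256": "SHOULD",
    "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "SHOULD",
    "diffie-hellman-group14-sha256": "MUST",
    "diffie-hellman-group15-sha512": "MAY",
    "diffie-hellman-group16-sha512": "SHOULD",
    "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY",
    "ecdh-sha2-*": "MAY",
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD",
    "ecmqv-sha2": "MAY",
    "ext-info-c": "SHOULD",
    "ext-info-s": "SHOULD",
    "gss-*": "MAY",
    "gss-curve25519-sha256-*": "SHOULD",
    "gss-curve448-sha512-*": "MAY",
    "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT",
    "gss-group14-sha256-*": "SHOULD",
    "gss-group15-sha512-*": "MAY",
    "gss-group16-sha512-*": "SHOULD",
    "gss-group17-sha512-*": "MAY",
    "gss-group18-sha512-*": "MAY",
    "gss-nistp256-sha256-*": "SHOULD",
    "gss-nistp384-sha384-*": "SHOULD",
    "gss-nistp521-sha512-*": "MAY",
    "rsa1024-sha1": "MUST NOT",
    "rsa2048-sha256": "MAY",
}


def guidance_for(name):
    """Look up a kex method; exact names win, then the longest matching
    wildcard, so 'gss-group14-sha256-*' beats the generic 'gss-*'."""
    if name in DRAFT_GUIDANCE:
        return DRAFT_GUIDANCE[name]
    best = None
    for pattern, level in DRAFT_GUIDANCE.items():
        if "*" in pattern and fnmatch.fnmatchcase(name, pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1] if best else None


def is_sha1_kex(name):
    """True for every *-sha1 method, including the gss-*-sha1-<mech> forms."""
    return "-sha1" in name


def audit_kex_list(kex_csv):
    """Return (severity, message) findings for a comma-separated kex list."""
    names = [n for n in kex_csv.split(",") if n]
    findings = []
    for n in names:
        level = guidance_for(n)
        if level is None:
            findings.append(("INFO", f"{n}: not in the draft table"))
        elif level == "MUST NOT":
            findings.append(("ERROR", f"{n}: MUST NOT be implemented"))
        elif level == "SHOULD NOT":
            findings.append(("WARN", f"{n}: SHOULD NOT be used"))
    for n, level in DRAFT_GUIDANCE.items():
        if level == "MUST" and n not in names:
            findings.append(("ERROR", f"{n}: MUST be supported but is absent"))
    # Ordering check: ext-info-* are extension indicators, not key exchanges,
    # so they are ignored (constructed choice). Any non-SHA-1 method listed
    # after the first *-sha1 method means SHA-1 is not last.
    real = [n for n in names if not n.startswith("ext-info-")]
    sha1_pos = [i for i, n in enumerate(real) if is_sha1_kex(n)]
    if sha1_pos:
        later = [n for n in real[sha1_pos[0] + 1:] if not is_sha1_kex(n)]
        if later:
            findings.append(("WARN", f"SHA-1 kex listed ahead of {later[0]}; "
                                     "*-sha1 methods belong last"))
    return findings


# Constructed sample name-lists (not taken from any real host).
WEAK_KEX_LIST = ("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
                 "curve25519-sha256,rsa1024-sha1")
GOOD_KEX_LIST = "curve25519-sha256,diffie-hellman-group14-sha256,ext-info-c"

if __name__ == "__main__":
    for label, lst in (("weak", WEAK_KEX_LIST), ("good", GOOD_KEX_LIST)):
        print(f"[{label}]")
        for sev, msg in audit_kex_list(lst) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

The weak list produces two ERROR findings (rsa1024-sha1 present, diffie-hellman-group14-sha256 absent) and two WARN findings (group1-sha1 is SHOULD NOT, and SHA-1 methods precede curve25519-sha256); the good list produces none. Feeding it the kex list from a real KEXINIT or an sshd `KexAlgorithms` line is a quick way to see how far a deployment is from the draft's guidance.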