Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)
Aris Adamantiadis <aris@badcode.be> Wed, 28 August 2019 17:08 UTC
Return-Path: <aris@badcode.be>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79E7120143; Wed, 28 Aug 2019 10:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOprfeE3mnln; Wed, 28 Aug 2019 10:08:24 -0700 (PDT)
Received: from korell.badcode.be (korell.badcode.be [213.167.241.246]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0797D1200B2; Wed, 28 Aug 2019 10:08:23 -0700 (PDT)
Received: from [192.168.128.199] (host-85-201-47-162.dynamic.voo.be [85.201.47.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by korell.badcode.be (Postfix) with ESMTPSA id C051B9E0AB; Wed, 28 Aug 2019 19:03:30 +0200 (CEST)
To: "Mark D. Baushke" <mdb@juniper.net>, Mirja Kühlewind <ietf@kuehlewind.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-curves@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org
References: <156699015116.32300.11396032996637636651.idtracker@ietfa.amsl.com> <18058.1567007603@contrail-ubm16-mdb.svec1.juniper.net>
From: Aris Adamantiadis <aris@badcode.be>
Message-ID: <be7c3562-2a26-6d11-8db6-b485e9b4aa22@badcode.be>
Date: Wed, 28 Aug 2019 19:08:21 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <18058.1567007603@contrail-ubm16-mdb.svec1.juniper.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Yzgc3zDkN9XKdPoj_1BosRzh8k4>
Subject: Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 17:08:26 -0000
Le 28-08-19 à 17:53, Mark D. Baushke a écrit : > In section 3, the appropriate SSH "protocol error" might be one of a > two: > > SSH_ERR_KEY_INVALID_EC_VALUE for zeros found for the all-zero shared > secret > > and > > SSH_ERR_SIGNATURE_INVALID if the blob is not the correct size for a > public key > > However, an implementation miight return SSH_ERR_SIGNATURE_INVALID > rather than SSH_ERR_KEY_INVALID_EC_VALUE depending on how the > implementation was written. > > As long as the connection aborts and does not continue in the case of a > "protocol error", it is sufficient in my opinion. > > Is it really needful to be prescriptive in this given that many > implementations of this code have already been fielded and I do not > have any ability to know which design choices they made? Hi Mark, I would think it's best that as little information as possible about the error is sent over the SSH connection. This vector was historically used to exploit other cryptographic protocols, enabling attacks such as padding oracles and others. Additionally it doesn't really help the end user who would see this message, because this is clearly an implementation issue within the SSH software stack, not something that the user can tweak in a configuration file. I'd then recommend a SHOULD send SSH_ERR_SIGNATURE_INVALID for all cases where protocol errors happen when handling the shared secret or the peer's key, if we really wish to be prescriptive, something I don't think is important.
- [Curdle] Mirja Kühlewind's Discuss on draft-ietf-… Mirja Kühlewind via Datatracker
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Mark D. Baushke
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Aris Adamantiadis
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… Ron Frederick
- Re: [Curdle] Mirja Kühlewind's Discuss on draft-i… denis bider