Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy

Keith Winstein <keithw@mit.edu> Thu, 11 February 2021 06:02 UTC

Return-Path: <winstein@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086B33A12A3 for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 22:02:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.419
X-Spam-Level:
X-Spam-Status: No, score=-1.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybRY5iZGRr4z for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 22:02:13 -0800 (PST)
Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A22413A1298 for <curdle@ietf.org>; Wed, 10 Feb 2021 22:02:13 -0800 (PST)
Received: by mail-pl1-f169.google.com with SMTP id d13so2799774plg.0 for <curdle@ietf.org>; Wed, 10 Feb 2021 22:02:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=0yrZTg1N5NpEM0RExgKygsUr7xJE+LW2VclYdYQW/Jk=; b=AMIm/gQEyDv7ynwbNCJRH457dGu1AnvkWtq+jXsT0rX3bhnSKJfnjg4FZAiJvJz01P KwQXwg8T1JS1ETS3w0v5+PSXtCcq+38SbTWgTPXSib9Ea50uQw9sKzFa4q1+bjXi578P 1mpqskKpsdk/4kQ/oIl7AcucJRQ1bU/6HeDUX7S4ZIwVXjqVcFfhN+54QFOAsIxJXRrT 6HGcxUipWBGHvZAVIblK7QP/aTkb3VfiJMwDo7jDwx9LIZz+1Qm0Xq7ZMy0kBRr4lnQG aeRuwE3NKjwCAkg7kHsnh0gN8R0nLBt5dIJFRhXVvx1BiwJMfJJG/YqV7broOBQTuzrm hGAQ==
X-Gm-Message-State: AOAM530KVgISTDm6pa0FZ52uinfA+x4pfTJ9Ff50Q0qAP7Qhui4wBQ0v 1DGj2ULAO8b05kb6VfJODNYNMTncniQKZpSHdw==
X-Google-Smtp-Source: ABdhPJyRSx7hzvhKLyJEYGjwvP3iR48EnguAK4roGOAy56GV80lix+e9iUaxqX4P75jxJgC4wmjbP0zZGtI6ChbRR6E=
X-Received: by 2002:a17:902:c989:b029:e2:a0b3:1356 with SMTP id g9-20020a170902c989b02900e2a0b31356mr6606604plc.51.1613023332983; Wed, 10 Feb 2021 22:02:12 -0800 (PST)
MIME-Version: 1.0
References: <20210211042551.GV21@kduck.mit.edu> <1613018828089.63687@cs.auckland.ac.nz> <94759.1613022658@svl-bsdx-06.juniper.net>
In-Reply-To: <94759.1613022658@svl-bsdx-06.juniper.net>
Reply-To: keithw@mit.edu
From: Keith Winstein <keithw@mit.edu>
Date: Wed, 10 Feb 2021 22:01:36 -0800
Message-ID: <CAMzhQmPc4=3uQJ-dhN4pjQ1oit2Ad6Z1uck5PU3eNgOkH9u51w@mail.gmail.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: Simon Tatham <anakin@pobox.com>, Ron Frederick <ronf@timeheart.net>, Alexandre Becoulet <alexandre.becoulet@free.fr>, Hari Balakrishnan <hari@mit.edu>, mosh-devel@mit.edu, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Benjamin Kaduk <kaduk@mit.edu>, "curdle@ietf.org" <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c6e81705bb0942bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/_fRdY7wlf0QizH2Ckb2HQAgPHA4>
Subject: Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 06:02:16 -0000

Thank you for looping us in -- my understanding is that "Mobile SSH" refers
to a freeware Android app based on OpenSSH (
https://play.google.com/store/apps/details?id=mobileSSH.feng.gao) and the
PuTTY terminal emulator. It's unrelated to Mosh (mobile shell).

Mosh doesn't implement any public-key cryptography.

Best regards all,
Keith

On Wed, Feb 10, 2021 at 9:55 PM Mark D. Baushke <mdb@juniper.net> wrote:

> [To+ Ron, Alexandre, mosh-devel, Simon] question on rsa2048-sha256 KeX for
> SSH
>
> Summary:
>
>     Is anyone actively using rsa2048-sha256 for a Ssecure Shell Key
>     exchange per RFC 4432.
>
>     The Security Area Director Benjamin Kaduk has concerns regarding
>     this Key Exchange Algorithm (see messagess below).
>
>     The IETF Draft
>
>     https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
>     is presently in Last Call.
>
>     This draft is in the process of suggesting "MUST NOT" for
>     rsa1024-sha1.
>
>     The question on the table is if the same rating should be appled to
>     rsa2048-sha256 or if RFC 4432 should itself be moved to historical,
>     or if this is still a useful key exchange being actively used.
>
>     Ben desires data and it is my suggestion that the supporters for the
>     implementations that provide for rsa2048-sha256 may information on
>     this topic.
>
>     Comments welcome.
>
> Hi Ben & Peter,
>
> To Peter's question, my straw poll was explicitly about the *-sha1 Key
> Exchanges which did not include the rsa2048-sha256 kex.
>
> If I go to https://ssh-comparison.quendi.de/comparison/kex.html
>
> I see that rsa2048-sha256 is supported by the following implementations:
>
>    AsyncSSH   (maintained by Ron Frederick)
>    libassh    (maintained by Alexandre Becoulet)
>    Mobile SSH (aka Mosh via mosh.org and <mosh-devel@mit.edu>)
>               (original paper authors
>                    Keith Winstein <keithw@mit.edu>du>,
>                    Hari Balakrishnan <hari@mit.edu>)
>    PuTTY      (maintained by Simon Tatham)
>
> There may be other implementations that are not in the comparison chart,
> but I think this may be a good start.
>
> I have added both Ron, Alexandre, mosh-devel@mit.edu, and Simon to the
> TO line for this message.
>
> Thank you for your participation in this thread.
>
>         Be safe, stay healthy,
>         -- Mark
>
>  ------- original messages -------
>
> Date: Wed, 10 Feb 2021 20:25:51 -0800
> From: Benjamin Kaduk <kaduk@mit.edu>
> To: curdle@ietf.org
> Archived-At: <
> https://mailarchive.ietf.org/arch/msg/curdle/uo-OEckOhU8CKCzwwws6kKNsM2s>
> Subject: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
>
> While reviewing draft-ietf-curdle-ssh-kex-sha2, I followed many of the
> references, which included RFC 4432, which defines the "rsa1024-sha1"
> (getting deprecated for SHA-1 usage) and "rsa2048-sha256" (which is not)
> key exchange methods.  While the specific construction is claimed to still
> produce contributory behavior in practice (due to the client-contributed
> key only ever being used in combination with the hash of server-provided
> data), it seems to still be the case that if the RSA private key is
> revealed, the session key is revealed, which is mostly the standard
> non-forward-secret behavior.
>
> Things are perhaps better if you buy into the theory that "it may be a
> transient key generated solely for this SSH connection, or it may be
> re-used for several connections" is supposed to prevent indefinite reuse of
> the RSA keypair, which seems ... not very reassuring.
>
> While it's not clear to me that there's specific reason to (say) move the
> whole RFC to Historic status or claim that it is obsoleted by some
> more-modern key-exchange method, it does seem likely to me that we could
> get IETF consensus that actually using rsa2048-sha256 is generally a bad
> idea.  (Or maybe we could get consensus to move it to Historic.)  Perhaps
> an RFC 2026 Applicability Statement would be an appropriate tool for this
> case?
>
> But most likely the best place to start would be to ask how widely it's
> implemented and if it's known to be in use anywhere...does anyone have
> data?
>
> Thanks,
>
> Ben
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
>  ------- message 2 -------
>
> From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
> To: Benjamin Kaduk <kaduk@mit.edu>du>, "curdle@ietf.org" <curdle@ietf.org>
> Date: Thu, 11 Feb 2021 04:47:07 +0000
> Archived-At: <
> https://mailarchive.ietf.org/arch/msg/curdle/vwS-A4E04Mg1A8avNfWqaXtZli0>
> Subject: Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward
>  secrecy
>
> Benjamin Kaduk <kaduk@mit.edu> writes:
>
> >But most likely the best place to start would be to ask how widely it's
> >implemented and if it's known to be in use anywhere...does anyone have
> data?
>
> We could start with Mark Baushke's KEX straw poll from a month ago, I think
> pretty much everyone voted RSA a MUST NOT which would indicate that
> no-one's
> going to miss it.
>
> Peter.
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
>  ------- end of original messages -------
>