Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
Keith Winstein <keithw@mit.edu> Thu, 11 February 2021 06:02 UTC
From: Keith Winstein <keithw@mit.edu>
Date: Wed, 10 Feb 2021 22:01:36 -0800
Message-ID: <CAMzhQmPc4=3uQJ-dhN4pjQ1oit2Ad6Z1uck5PU3eNgOkH9u51w@mail.gmail.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: Simon Tatham <anakin@pobox.com>, Ron Frederick <ronf@timeheart.net>, Alexandre Becoulet <alexandre.becoulet@free.fr>, Hari Balakrishnan <hari@mit.edu>, mosh-devel@mit.edu, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Benjamin Kaduk <kaduk@mit.edu>, "curdle@ietf.org" <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/_fRdY7wlf0QizH2Ckb2HQAgPHA4>
Thank you for looping us in -- my understanding is that "Mobile SSH" refers to a freeware Android app based on OpenSSH (https://play.google.com/store/apps/details?id=mobileSSH.feng.gao) and the PuTTY terminal emulator. It's unrelated to Mosh (mobile shell). Mosh doesn't implement any public-key cryptography.

Best regards all,
Keith

On Wed, Feb 10, 2021 at 9:55 PM Mark D. Baushke <mdb@juniper.net> wrote:
> [To+ Ron, Alexandre, mosh-devel, Simon] question on rsa2048-sha256 KeX for SSH
>
> Summary:
>
> Is anyone actively using rsa2048-sha256 for a Secure Shell Key exchange per RFC 4432?
>
> The Security Area Director Benjamin Kaduk has concerns regarding this Key Exchange Algorithm (see messages below).
>
> The IETF Draft
>
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
> is presently in Last Call.
>
> This draft is in the process of suggesting "MUST NOT" for rsa1024-sha1.
>
> The question on the table is if the same rating should be applied to rsa2048-sha256 or if RFC 4432 should itself be moved to historical, or if this is still a useful key exchange being actively used.
>
> Ben desires data and it is my suggestion that the supporters for the implementations that provide for rsa2048-sha256 may have information on this topic.
>
> Comments welcome.
>
> Hi Ben & Peter,
>
> To Peter's question, my straw poll was explicitly about the *-sha1 Key Exchanges which did not include the rsa2048-sha256 kex.
>
> If I go to https://ssh-comparison.quendi.de/comparison/kex.html
>
> I see that rsa2048-sha256 is supported by the following implementations:
>
> AsyncSSH (maintained by Ron Frederick)
> libassh (maintained by Alexandre Becoulet)
> Mobile SSH (aka Mosh via mosh.org and <mosh-devel@mit.edu>)
> (original paper authors
> Keith Winstein <keithw@mit.edu>,
> Hari Balakrishnan <hari@mit.edu>)
> PuTTY (maintained by Simon Tatham)
>
> There may be other implementations that are not in the comparison chart, but I think this may be a good start.
>
> I have added both Ron, Alexandre, mosh-devel@mit.edu, and Simon to the TO line for this message.
>
> Thank you for your participation in this thread.
>
> Be safe, stay healthy,
> -- Mark
>
> ------- original messages -------
>
> Date: Wed, 10 Feb 2021 20:25:51 -0800
> From: Benjamin Kaduk <kaduk@mit.edu>
> To: curdle@ietf.org
> Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/uo-OEckOhU8CKCzwwws6kKNsM2s>
> Subject: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
>
> While reviewing draft-ietf-curdle-ssh-kex-sha2, I followed many of the references, which included RFC 4432, which defines the "rsa1024-sha1" (getting deprecated for SHA-1 usage) and "rsa2048-sha256" (which is not) key exchange methods. While the specific construction is claimed to still produce contributory behavior in practice (due to the client-contributed key only ever being used in combination with the hash of server-provided data), it seems to still be the case that if the RSA private key is revealed, the session key is revealed, which is mostly the standard non-forward-secret behavior.
>
> Things are perhaps better if you buy into the theory that "it may be a transient key generated solely for this SSH connection, or it may be re-used for several connections" is supposed to prevent indefinite reuse of the RSA keypair, which seems ... not very reassuring.
>
> While it's not clear to me that there's specific reason to (say) move the whole RFC to Historic status or claim that it is obsoleted by some more-modern key-exchange method, it does seem likely to me that we could get IETF consensus that actually using rsa2048-sha256 is generally a bad idea. (Or maybe we could get consensus to move it to Historic.) Perhaps an RFC 2026 Applicability Statement would be an appropriate tool for this case?
>
> But most likely the best place to start would be to ask how widely it's implemented and if it's known to be in use anywhere...does anyone have data?
>
> Thanks,
>
> Ben
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
> ------- message 2 -------
>
> From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
> To: Benjamin Kaduk <kaduk@mit.edu>, "curdle@ietf.org" <curdle@ietf.org>
> Date: Thu, 11 Feb 2021 04:47:07 +0000
> Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/vwS-A4E04Mg1A8avNfWqaXtZli0>
> Subject: Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
>
> Benjamin Kaduk <kaduk@mit.edu> writes:
>
> >But most likely the best place to start would be to ask how widely it's
> >implemented and if it's known to be in use anywhere...does anyone have data?
>
> We could start with Mark Baushke's KEX straw poll from a month ago, I think pretty much everyone voted RSA a MUST NOT which would indicate that no-one's going to miss it.
>
> Peter.
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
> ------- end of original messages -------
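To make Ben's forward-secrecy point concrete, here is an added toy model of the RFC 4432 exchange (not code from the thread or from any of the implementations named in it). It uses textbook RSA with small constructed primes and no OAEP, so it is illustrative only; the exchange-hash layout follows RFC 4432 section 4 and the key derivation follows RFC 4253 section 7.2, and the field names (V_C, V_S, I_C, I_S, K_S, K_T) are the RFCs' own. It shows that the server's contribution binds the derived keys (contributory behaviour) but that a recorded transcript plus the transient RSA private key reproduces the session keys exactly.

```python
import hashlib
import secrets

# Constructed toy RSA parameters: far too small for real use, fine to show the structure.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # the server's transient private exponent


def ssh_string(b: bytes) -> bytes:          # RFC 4251 "string"
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:             # RFC 4251 "mpint", non-negative n only
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # 0x00 pad if high bit set


def exchange_hash(t: dict, K: int) -> bytes:
    # H = HASH(V_C || V_S || I_C || I_S || K_S || K_T || encrypted secret || K), RFC 4432 section 4
    parts = [ssh_string(t[k]) for k in ("V_C", "V_S", "I_C", "I_S", "K_S", "K_T", "enc")]
    return hashlib.sha256(b"".join(parts) + ssh_mpint(K)).digest()


def derive_keys(K: int, H: bytes) -> tuple:
    # RFC 4253 7.2: key = HASH(K || H || X || session_id); session_id = H on the first exchange.
    # Only the two encryption keys ("C" client->server, "D" server->client) are derived here.
    kdf = lambda x: hashlib.sha256(ssh_mpint(K) + H + x + H).digest()
    return kdf(b"C"), kdf(b"D")


def client_kex(V_C, V_S, I_C, I_S, K_S, n, e):
    """Client side: pick the secret K and encrypt it to the server's transient key K_T."""
    K = secrets.randbelow(n)                       # client-contributed secret
    enc = pow(K, e, n).to_bytes(8, "big")          # textbook RSA stands in for RSAES-OAEP
    K_T = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    transcript = dict(V_C=V_C, V_S=V_S, I_C=I_C, I_S=I_S, K_S=K_S, K_T=K_T, enc=enc)
    return derive_keys(K, exchange_hash(transcript, K)), transcript


def recover_from_transcript(t: dict, d: int, n: int) -> tuple:
    """Anyone later holding the transient private key can decrypt K from the recorded
    transcript, recompute H, and re-derive the same session keys: no ephemeral value
    protects the session, which is the non-forward-secret behaviour discussed above."""
    K = pow(int.from_bytes(t["enc"], "big"), d, n)
    return derive_keys(K, exchange_hash(t, K))
```

Because H covers K_T, I_S and K_S, a different server contribution yields different keys even for the same K; what it cannot do is keep the keys secret from a holder of the transient private key, whether that key was used once or reused across connections.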