Re: [Curdle] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14

"Salz, Rich" <rsalz@akamai.com> Tue, 13 April 2021 12:52 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "curdle@ietf.org" <curdle@ietf.org>
Date: Tue, 13 Apr 2021 12:52:31 +0000
Message-ID: <A033727C-A14B-4829-8AE8-C07FA20FCADF@akamai.com>
References: <20210228010137.GU21@kduck.mit.edu> <87903.1614533390@eng-mail03> <49916660-F237-4BE9-94ED-DE7E41D1B195@inria.fr> <92196.1615946315@eng-mail03> <CAEkxbZuuoBFSii3POA1qrxqQznq-xirzaOuenjV93X2MzswtwA@mail.gmail.com> <49431.1616032497@svl-bsdx-06.juniper.net> <CAEkxbZv1AJd-LJwpOAnEhw-HAqcxQVp=Li1kMT5=J2vPNt_2UQ@mail.gmail.com> <22937.1616184324@svl-bsdx-06.juniper.net> <CAEkxbZs5pxFSiaEyDeSVZDz55VBuJ2dJQaOwFyUK4keLESRasA@mail.gmail.com> <30598.1616716433@eng-mail03> <20210412214335.GN79563@kduck.mit.edu>
In-Reply-To: <20210412214335.GN79563@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/_gbCYNWDJ13u2PwmCwJEjh3sxkg>
Subject: Re: [Curdle] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14

During AD, SecDir, IESG, etc., review, the desire to clean up some wording was expressed.  The following diff was suggested by our AD. He pointed out that "This does arguably strengthen the guidance to not use groups smaller than 2048 bits, and I note that the WG list seems to not be CC'd on this thread."

If anyone in the WG objects to the stronger guidance, please reply to the list before the end of the week.  Thanks!


    --- draft-ietf-curdle-ssh-kex-sha2-15.txt	2021-04-12 14:15:12.244182171 -0700
    +++ draft-ietf-curdle-ssh-kex-sha2-15.bjk.txt	2021-04-12 14:33:18.203129555 -0700
    @@ -592,17 +592,25 @@

     3.2.1.  FFC diffie-hellman using generated MODP groups

    -   This random selection from a set of pre-generated moduli for key
    -   exchange uses SHA2-256 as defined in [RFC4419].  [RFC8270] mandates
    -   that implementations avoid any MODP group whose modulus size is less
    -   than 2048 bits.  Care should be taken in the pre-generation of the
    -   moduli P and generator G such that the generator provides a Q-ordered
    -   subgroup of P.  Otherwise, the parameter set may leak one bit of the
    -   shared secret.  The diffie-hellman-group-exchange-sha1 uses SHA-1
    -   which is being deprecated.  This key exchange SHOULD NOT be used.
    -   The diffie-hellman-group-exchange-sha256 uses SHA2-256 which is
    -   reasonable for MODP groups less than 4K bits.  The diffie-hellman-
    -   group-exchange-sha256 key exchange MAY be used.
    +   [RFC4419] defines two key exchange methods that use a random
    +   selection from a set of pre-generated moduli for key exchange: the
    +   diffie-hellman-group-exchange-sha1 method, and the diffie-hellman-
    +   group-exchange-sha256 method.  Per [RFC8270], implementations SHOULD
    +   use a MODP group whose modulus size is equal to or greater than 2048
    +   bits.  MODP groups with a modulus size less than 2048 bits are weak
    +   and MUST NOT be used.
    +
    +   The diffie-hellman-group-exchange-sha1 key exchange method SHOULD
    +   NOT be used.  This method uses SHA-1, which is being deprecated.
    +
    +   The diffie-hellman-group-exchange-sha256 key exchange method MAY be
    +   used.  This method uses SHA-256, which is reasonable for MODP groups
    +   less than 4K bits.
    +
    +   Care should be taken in the pre-generation of the moduli P and
    +   generator G such that the generator provides a Q-ordered subgroup of
    +   P.  Otherwise, the parameter set may leak one bit of the shared
    +   secret.

        Table 9 provides a summary of the Guidance for these exchanges.
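Review bot: the two sentences following the [RFC8270] citation in the new text state the same 2048-bit boundary at different strengths: "implementations SHOULD use a MODP group whose modulus size is equal to or greater than 2048 bits" is immediately followed by "MODP groups with a modulus size less than 2048 bits are weak and MUST NOT be used". Once the MUST NOT stands, the SHOULD is redundant and invites the reading that a smaller group is merely discouraged; either drop the SHOULD sentence or collapse both into a single MUST, and say whether the MUST NOT is this document's own requirement or [RFC8270]'s, since the removed text described RFC 8270 as mandating the avoidance of smaller groups while the new text cites it only for the SHOULD. A smaller style point: "less than 4K bits" should be written out as 4096 bits in a normative document.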

    @@ -967,8 +975,14 @@
        is insufficient to match the symmetric cipher or the algorithm has
        been broken.

    -   At this time, the 1024-bit MODP group used by diffie-hellman-
    -   group1-sha1 is too small for the symmetric ciphers used in SSH.
    +   The 1024-bit MODP group used by diffie-hellman-group1-sha1 is too
    +   small for the symmetric ciphers used in SSH.
    +
    +   MODP groups with a modulus size less than 2048 bits are too small
    +   for the symmetric ciphers used in SSH.  If the diffie-hellman-
    +   group-exchange-sha256 or diffie-hellman-group-exchange-sha1 key exchange
    +   method is used, the modulus size of the MODP group used needs to be
    +   at least 2048 bits.

        At this time, the rsa1024-sha1 key exchange is too small for the
        symmetric ciphers used in SSH.
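Review bot: the two added paragraphs overlap: the first says the 1024-bit group used by diffie-hellman-group1-sha1 is too small, and the second says every MODP group under 2048 bits is too small, which already covers that case; fold the first into the second as its example ("MODP groups with a modulus size less than 2048 bits, including the 1024-bit group used by diffie-hellman-group1-sha1, are too small for the symmetric ciphers used in SSH"). The closing requirement "needs to be at least 2048 bits" is plain prose where Section 3.2.1 in this same patch says such groups MUST NOT be used; use the same normative keyword or cross-reference that section so the two statements cannot drift apart. Two formatting points: the line "group-exchange-sha256 or diffie-hellman-group-exchange-sha1 key exchange" exceeds the 72-column limit for Internet-Draft text and needs reflowing, and dropping "At this time" from the group1-sha1 sentence while the following rsa1024-sha1 paragraph keeps it reads inconsistently.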