IETF Logo Mail Archive

Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info

denis bider <denisbider.ietf@gmail.com> Sat, 08 April 2017 10:50 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A0E9126CF9 for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 03:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.799
X-Spam-Level:
X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgAzo6pgCS2p for <curdle@ietfa.amsl.com>; Sat, 8 Apr 2017 03:50:53 -0700 (PDT)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0C2F128959 for <curdle@ietf.org>; Sat, 8 Apr 2017 03:50:52 -0700 (PDT)
Received: by mail-qk0-x230.google.com with SMTP id h67so80392692qke.0 for <curdle@ietf.org>; Sat, 08 Apr 2017 03:50:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nbm9CyvXbW4T7Ce2JwNMUTfm4aCwxcLD9zrv0O+ZZZ0=; b=lDeJJmhcPF1qo0algSLGzqablLuHgQeg5uNIqRrvWEnGVYjq3c9llABEjkoXpGzGmD jIIY3vKxxrzKwD2gm/JIPcWRwS23ITPYIsj21wElvtkLS/XTLmfG46+ZLTBJPYDeDGSa fZirekQPNwyiQh6sgX5djoIO9eju2movDHOqGNaZ901xOCyapxtJCh1YGp7FZgXcUFg/ huo4UKUl87pnpj0cztaq/njo2I7GNBTmToj+eJa+G9Z/CZw0Q9/v/XbcqeziwrUc2IP4 uy1Bt39UrgvUtw2k6ee/rQpq4QDsk6Kc33GpW9Z8YkaHoau5W+yepFnqGnC2uWfzfvUE GO+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nbm9CyvXbW4T7Ce2JwNMUTfm4aCwxcLD9zrv0O+ZZZ0=; b=oBydS/Zgtwfwog3I9Fp9Ee5E2dlh2cnjLq0hIFM7zxppaCTBCtufloQjeW4Aw9b00n C2B2QXFMfVG9+UOmTIIhxwcv+CoW/uvbRXwOZOrx0Ka0zhO4tvXGW1TMAQNm2Gd4mZSP XMnFNpGZfb8bDGdT7B3U+EKoetetu6Ffi0sYX0Bw3JyfTMCWe3IXNZImIJUH1XZUVwEi YeDadry7njPd+k3KRSLqv4AJFI3+nJf1u3+48cRrozDUrwNf7CbWkJ68sLylbO0l/mAh 1pJ07cEmA9SHTyVHYtlSvMkogy7kX1NFZXHSsgc3jw5g9Jib0Ie9xVG+O38XFsBsbUYQ /RrA==
X-Gm-Message-State: AFeK/H3E44zyUma4rWsQnS+g/j/OmkP3fz3+FM9HkETIpC9LMhiHfmgnr8gawv5ynKRhPSyM2xezE6ettJqBTA==
X-Received: by 10.55.144.6 with SMTP id s6mr40289967qkd.27.1491648039544; Sat, 08 Apr 2017 03:40:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.138.239 with HTTP; Sat, 8 Apr 2017 03:40:39 -0700 (PDT)
In-Reply-To: <CABcZeBMhx4pHNa-OBQUpTcm9i9oorTMaoQRWatg5=ox2F=8wcw@mail.gmail.com>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5A70@eusaamb107.ericsson.se> <1489827654266.43895@cs.auckland.ac.nz> <50977E6A3D174856B8DAF264C3CB81E8@Khan> <1489914378158.63423@cs.auckland.ac.nz> <74B4C5B2AFD644748A0E1B0957A22C96@Khan> <1490436136828.60577@cs.auckland.ac.nz> <76BA84F1D47F476A8DB5C8CC42AA1B57@Khan> <1491480250094.74577@cs.auckland.ac.nz> <CADPMZDDG1X4awEQiigM5rocLs3Qbvup-NyaaU7J+DcW+o60zPQ@mail.gmail.com> <CABcZeBMhx4pHNa-OBQUpTcm9i9oorTMaoQRWatg5=ox2F=8wcw@mail.gmail.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Sat, 08 Apr 2017 04:40:39 -0600
Message-ID: <CADPMZDDOg5O1bKi8RKvr7Z7SPik5scsdUtRqr_ZK3EuEbsAweA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c08596886ed3f054ca55fa2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/aFhaGdSfozd48mrlFug5h9t8YUk>
Subject: Re: [Curdle] Comments on draft-ietf-curdle-ssh-ext-info
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2017 10:50:55 -0000

Thank you for providing this link, Eric.

What this TLS section terms Zero-RTT, and what Peter appears to imply is
0RTT, seem to be completely different things.

In TLS, "0RTT" data appears to be data that are sent upfront in the
client's first packet to the server, encrypted using a pre-shared key
before the handshake has derived a traffic secret.

In SSH, there is no such concept at all. This would be equivalent to
sending data encrypted with some type of pre-shared key as part of the
client's KEXINIT, which is not what is happening here.

The EXT_INFO packet sent by the client after NEWKEYS is not Zero-RTT. It is
data sent after a full and completed key exchange.



On Fri, Apr 7, 2017 at 9:21 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Thu, Apr 6, 2017 at 10:32 PM, denis bider <denisbider.ietf@gmail.com>
> wrote:
>
>> > I was thinking of the problem that it's essentially
>> > impossible to safely do n-RTT, n < 1, for TLS, which
>> > meant that doing the same thing for SSH wasn't going
>> > to be any better.  I was reasoning by analogy from TLS
>> > rather than sitting down and drawing diagrams for SSH
>> > to try and figure out all the possible issues.
>>
>> OK, but I'm not familiar with the security implications of this on TLS.
>>
>> Can you link to any resources where this was discussed? Whether for TLS,
>> or in any other context?
>>
>
> Here is the section of TLS 1.3 that describes the security implications of
> 0-RTT data:
>
> https://tlswg.github.io/tls13-spec/#zero-rtt-data
>
> FWIW, it's less clear to me that these apply to SSH because at least the
> replay issues stem from the desire to have loosely coupled distributed
> servers and seamless fall back from server state or synchronization
> failure.
>
> -Ekr
>
>
>>
>> > Perhaps adding an implementation note to say that at this
>> > point the crypto hasn't been confirmed yet and so you may
>> > want to be careful about what you put into your extension
>> > data would be useful?
>>
>>  I agree, if this is a threat, we should add a warning in Security
>> Considerations. But to make that warning, I have to understand the threat.
>>
>> If someone asks me about this warning, I want to be able to explain the
>> reason in detail. At this point, what I can say is, "Peter said this on the
>> list." That is, to me, insufficient backing.
>>
>>
>> > Wouldn't "true" and "false" be a better way to express a
>> > boolean?
>>
>> Yes if you could choose the type. But you can't choose the type, because
>> all extensions have to use the same type. That type is a string.
>>
>>
>> > I realise this is kinda bikeshedding, but having to look
>> > up the spec just to figure out what mysterious magic
>> > values in a boolean field specify seems a bit awkward.
>>
>> Booleans are equally mysterious.
>>
>> The third parameter to the Windows API function WaitForMultipleObjects is
>> a boolean. Suppose an application passes "TRUE". Without checking the docs
>> - what does that mean?
>>
>> If you check the docs, you know what "TRUE" in that context means. And if
>> you check the spec here, you know what "p" and "s" mean.
>>
>> Booleans are not inherently self-documenting. (In fact - when used in
>> languages with positional parameters, they are more frequently
>> self-obfuscating.)
>>
>>
>> > Given that there are a nonzero number of implementations
>> > that send a window size of ~0 to indicate no flow control,
>> > it may be useful to add an implementation note to point
>> > this out.
>>
>> OK. I added the following sub-section to my current working copy:
>>
>>
>> 3.3.1.  Implementation Note: Prior "No Flow Control" Practice
>>
>>   Before this extension, some applications would simply not implement
>>   SSH flow control, sending an initial channel window size of 2^32 - 1.
>>   Applications SHOULD NOT do this for the following reasons:
>>
>>   - It is entirely within the realm of possibility to transfer more than
>>     2^32 bytes over a channel. The channel will then hang if the other
>>     party implements SSH flow control according to [RFC4254].
>>
>>   - There exist implementations which cannot handle such large channel
>>     window sizes, and will exhibit non-graceful behaviors, including
>>     disconnection.
>>
>>
>> denis
>>
>>
>>
>> On Thu, Apr 6, 2017 at 6:04 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
>> wrote:
>>
>>> denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:
>>>
>>> >Can you point out some of these subtle problems that could occur in this
>>> >regard in SSH?
>>>
>>> I was thinking of the problem that it's essentially impossible to safely
>>> do n-
>>> RTT, n < 1, for TLS, which meant that doing the same thing for SSH wasn't
>>> going to be any better.  I was reasoning by analogy from TLS rather than
>>> sitting down and drawing diagrams for SSH to try and figure out all the
>>> possible issues.
>>>
>>> >Under the assumption that such an extension were defined, can you point
>>> out
>>> >at least one way that sending this info right after NEWKEYS can help an
>>> >attacker?
>>>
>>> It depends on the extension.  Without one defined, there's no way to
>>> tell at
>>> the moment.  I could invent something that works out badly, but that'd be
>>> creating a strawman... my concern is that in the future someone may
>>> define a
>>> problematic extension without realising that they're creating a problem.
>>> Perhaps adding an implementation note to say that at this point the
>>> crypto
>>> hasn't been confirmed yet and so you may want to be careful about what
>>> you put
>>> into your extension data would be useful?
>>>
>>> >But the extension value field is generically a string (it must be same
>>> type
>>> >for all extensions, so unsupported extensions can be decoded and
>>> ignored).
>>> >"p" and "s" are therefore fitting ways to express this boolean.
>>>
>>> Wouldn't "true" and "false" be a better way to express a boolean?  I
>>> realise
>>> this is kinda bikeshedding, but having to look up the spec just to
>>> figure out
>>> what mysterious magic values in a boolean field specify seems a bit
>>> awkward.
>>>
>>> >Properly implemented flow control is superior. However, this extension
>>> is a
>>> >nod to that not everyone will be using an SSH library that does this
>>> right,
>>> >and "no-flow-control" is a better option if your needs are simple, and
>>> you
>>> >don't have a few years to get this right.
>>>
>>> Given that there are a nonzero number of implementations that send a
>>> window
>>> size of ~0 to indicate no flow control, it may be useful to add an
>>> implementation note to point this out.  I enabled some diagnostic code to
>>> throw an exception in my code if it found this from another
>>> implementation
>>> (other than mine) and got, uh, feedback from beta-testers about it, so at
>>> least some implementations are using a pseudo-infinite window size to
>>> indicate
>>> no flow control.  I'm not saying it should be adopted as an alternative
>>> to
>>> "no-flow-control", but merely to alert implementers about the practice,
>>> e.g. a
>>> certain big iron vendor whose device would crash and reboot as it tried
>>> to
>>> allocate ~0 bytes of memory to match the widow size.
>>>
>>> Peter.
>>> _______________________________________________
>>> Curdle mailing list
>>> Curdle@ietf.org
>>> https://www.ietf.org/mailman/listinfo/curdle
>>>
>>
>>
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>>
>>
>

v2.23.0 | Report a Bug | By Email