Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05

Russ Housley <housley@vigilsec.com> Sat, 07 April 2018 15:10 UTC

Cc: curdle <curdle@ietf.org>, draft-ietf-curdle-gss-keyex-sha2@tools.ietf.org
To: denis bider <denisbider.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/c1mQW_K_HnXMxDyReR4atwTVlRI>

Denis:

> I'm not an author of this draft, but I can respond with respect to the following:
> 
> > > | gss-group14-sha256-*     | SHOULD/RECOMMENDED
> > > | gss-group15-sha512-*     | MAY/OPTIONAL
> > > | gss-group16-sha512-*     | SHOULD/RECOMMENDED
> >
> > Why are you only specifying SHA-512 with 4096-bit groups?
> > SHA-256 is still reasonable at that size?
> 
> There exist NSA recommendations aimed at "organizations that run classified or unclassified national security systems (NSS) and vendors that build products used in NSS."
> 
> https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf
> 
> These recommendations cover a usage case for software that implements the above algorithms. These recommendations call for the following minimums:
> 
> - Diffie Hellman: 3072-bit or larger
> 
> - Hashing: SHA-384 or larger
> 
> These recommendations are most effectively met by associating group15 and group16 with SHA-512.
> 
> Otherwise, products that wanted to meet these recommendations would have to use much larger and more expensive DH groups in order to meet the SHA-384-or-better requirement.

I do not quite understand this response.  I can understand a desire to include a ciphersuite that aligns with the NSA guidance so that anyone that needs to follow it can easily do so, but that does not seem to be what you are suggesting.  Looking at page 2 of the document that you cite, a ciphersuite that uses the NIST P-384 curve, SHA-384, and AES-256 is needed.

I would be in favor of adding such a ciphersuite as MAY/OPTIONAL.

Russ
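
Added example, not part of the message above or of the draft: a small checker that parses `gss-groupN-HASH-*` names and tests them against the two minimums quoted in the thread (Diffie-Hellman 3072-bit or larger, SHA-384 or larger). The MODP group sizes are taken from RFC 3526, the fourth sample name is a constructed pairing that is not in the quoted table, and the P-384/SHA-384/AES-256 suite mentioned in the reply is not modelled.

```python
import re

# MODP group number -> modulus size in bits (RFC 3526; added here, not from the thread).
MODP_BITS = {14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}

# Minimums as quoted in the thread.
MIN_DH_BITS = 3072
MIN_HASH_BITS = 384  # "SHA-384 or larger"

KEX_RE = re.compile(r"^gss-group(\d+)-(sha\d+)-(.+)$")


def check_kex(name):
    """Return (ok, reasons); ok is None when the name is not a MODP GSS kex name."""
    m = KEX_RE.match(name)
    if not m:
        return None, ["not a gss-groupN-HASH-* name, out of scope"]
    group, hash_name = int(m.group(1)), m.group(2)
    dh_bits = MODP_BITS.get(group)
    hash_bits = HASH_BITS.get(hash_name)
    reasons = []
    if dh_bits is None:
        reasons.append(f"unknown MODP group {group}")
    elif dh_bits < MIN_DH_BITS:
        reasons.append(f"group{group} is {dh_bits}-bit, below {MIN_DH_BITS}")
    if hash_bits is None:
        reasons.append(f"unknown hash {hash_name}")
    elif hash_bits < MIN_HASH_BITS:
        reasons.append(f"{hash_name} output is {hash_bits}-bit, below {MIN_HASH_BITS}")
    return not reasons, reasons


# Three names from the quoted table plus one constructed pairing (group16 + SHA-256).
SAMPLE = ["gss-group14-sha256-*", "gss-group15-sha512-*",
          "gss-group16-sha512-*", "gss-group16-sha256-*"]


def audit(names):
    """Map each name to its (ok, reasons) verdict."""
    return {n: check_kex(n) for n in names}


if __name__ == "__main__":
    for name, (ok, reasons) in audit(SAMPLE).items():
        verdict = {True: "meets", False: "fails", None: "n/a"}[ok]
        print(f"{name:24} {verdict:6} {'; '.join(reasons)}")
```
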