Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
denis bider <denisbider.ietf@gmail.com> Tue, 14 July 2020 21:16 UTC
References: <CADPMZDB8oXAg0g0oJvZmkK1XPhb28SQPnxwRmL9umzFXkH0ogQ@mail.gmail.com> <2306.1594546601@eng-mail01.juniper.net> <CAOp4FwQMcNHRd65U1A+zfT1Xyrqv7+kHU_Lh1tqMGsBQB2LrVA@mail.gmail.com> <53536.1594666321@eng-mail01.juniper.net> <202007131952.PAA23582@Stone.Rodents-Montreal.ORG> <57588.1594673627@eng-mail01.juniper.net> <202007132140.RAA29842@Stone.Rodents-Montreal.ORG> <60686.1594677485@eng-mail01.juniper.net>
In-Reply-To: <60686.1594677485@eng-mail01.juniper.net>
From: denis bider <denisbider.ietf@gmail.com>
Date: Tue, 14 Jul 2020 16:16:03 -0500
Message-ID: <CADPMZDCawiDZUXz64DtjyGCxXeMGEUiJUne1fKdDSfVEqf76zw@mail.gmail.com>
To: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>
Cc: curdle <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/dI2nq94F5h1FenTcsnYzXgVBbmU>
(Replying to Curdle - the message I forward below was posted only on the ole' ietf-ssh@netbsd.org)

I'm pretty sure all the feedback so far suggests that "diffie-hellman-group14-sha256" is the only key exchange method that has consensus as a MUST right now.

With regard to group15 - if memory serves, the OpenSSH guys were complaining about too much granularity in that regard, they preferred group16+. group16 and larger have my protest as a MUST because too expensive.

DH group exchange methods are not interoperable: implementations that generate their own groups fail to interoperate with FIPS implementations half of the time.

ECDH has protestations from some niche implementers.

Curve25519 apparently isn't coming soon to SSH clients that run on clothing tags.

That leaves "diffie-hellman-group14-sha256", which is sensible for MUST, even though in no way ambitious.

(Note the lowercase "diffie-hellman-group14-...". I've seen someone capitalize it in this thread. Per RFC 4251, SSH algorithm names are case sensitive.)

In the SSH/QUIC draft, I opted for the following language:

"The requirement to implement any particular QUIC protocol version or TLS cipher suite expires on the 5-year anniversary of the publishing of this memo. At that point, implementers SHOULD consult any new standards documents if available, or survey the practical use of SSH/QUIC for implementation guidance."

Perhaps we could put in something like that, given that the only candidate for MUST is the lowest common denominator that still meets current security requirements.

denis

-------- Forwarded Message --------
Subject: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
Date: Tue, 14 Jul 2020 04:10:18 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Mouse <mouse@Rodents-Montreal.ORG>, ietf-ssh@NetBSD.org <ietf-ssh@NetBSD.org>

Mouse <mouse@Rodents-Montreal.ORG> writes:

> As an implementor, it is highly unlikely I will support anything elliptic curve in the foreseeable future.

I support it but it's disabled by default because I can't think of a commonly-used cryptosystem more riddled with side-channels than (EC)DSA, and most of them end up leaking the private key (that's ECDSA, not 25519, which is too novel/nonstandard to be usable with anything I work with). In fact a recent paper on yet another set of side-channel attacks (either "Minerva: The Curse of ECDSA Nonces" or "Big Numbers - Big Troubles") mentions that this is merely the latest set of side-channels that need patching, and more are expected in the future. And that's after several years of patching ECDSA side-channels already.

At least with RSA you can just blind and be mostly done with it, you don't have to deal with a mechanism where there's a linear relation between the signing nonce and the private key, with everything around that tied up in side-channels.

Peter.
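Two points in the message above are easy to check in code. First, denis's note that SSH algorithm names are case sensitive, and the reason a single MUST-implement method matters: RFC 4253 section 7.1 picks the first algorithm in the client's list that the server also lists, comparing names byte for byte, and if nothing matches the connection fails. The following is an added example written for this page, not code from the thread or from any SSH implementation; the name-list encoding follows RFC 4251 section 5 and the algorithm lists are constructed for illustration.

```python
"""Added example (not from the thread): SSH key-exchange negotiation per
RFC 4253 section 7.1 over the name-list wire format of RFC 4251 section 5.
Shows why a capitalised algorithm name does not match, and why a server
that implements only the MUST method still interoperates with a client
that prefers newer methods.  The peer preference lists are constructed."""
import struct


def encode_name_list(names):
    """name-list: uint32 byte length, then comma-separated US-ASCII names."""
    for name in names:
        if "," in name or not name.isascii() or not name.isprintable():
            raise ValueError(f"invalid algorithm name: {name!r}")
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def decode_name_list(data, offset=0):
    """Parse one name-list starting at offset; return (names, new_offset)."""
    (length,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated name-list")
    names = body.decode("ascii").split(",") if body else []
    return names, start + length


def negotiate_kex(client_kex, server_kex):
    """RFC 4253 s.7.1: the first client-preferred algorithm that the server
    also lists wins.  Names are compared exactly (case sensitive, RFC 4251)."""
    server_set = set(server_kex)
    for name in client_kex:
        if name in server_set:
            return name
    return None  # no common method: real peers MUST disconnect here


def negotiate_from_wire(client_blob, server_blob):
    """Same negotiation, driven from the encoded name-lists of both KEXINITs."""
    client_kex, _ = decode_name_list(client_blob)
    server_kex, _ = decode_name_list(server_blob)
    return negotiate_kex(client_kex, server_kex)


# Constructed peer preferences (illustrative, not any real product's defaults).
MODERN_CLIENT = ["curve25519-sha256", "ecdh-sha2-nistp256",
                 "diffie-hellman-group14-sha256"]
MINIMAL_SERVER = ["diffie-hellman-group14-sha256"]   # implements only the MUST
MISCASED_SERVER = ["Diffie-Hellman-group14-sha256"]  # same method, wrong case

if __name__ == "__main__":
    print(negotiate_from_wire(encode_name_list(MODERN_CLIENT),
                              encode_name_list(MINIMAL_SERVER)))
    print(negotiate_kex(MODERN_CLIENT, MISCASED_SERVER))
```

The full RFC 4253 rule also requires the chosen key exchange to be usable with the negotiated host key algorithm and handles the first_kex_packet_follows guess; both are left out here because they do not affect the name-matching point.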
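Second, Peter Gutmann's remark about the linear relation between the ECDSA signing nonce and the private key. In ECDSA, s = k^-1 (z + r d) mod n, so anyone who learns the nonce k of a single signature (through a side channel, for example) can solve for d, and two signatures made with the same k share r and give k directly from the difference of their s values. The block below is an added example, not code from the thread or from any library; it uses a textbook affine implementation of secp256k1 with the SEC 2 domain parameters, and the private key and nonces are constructed for the demonstration, not secure choices.

```python
"""Added example (not from the thread): ECDSA private-key recovery from a
leaked nonce and from a reused nonce, on secp256k1 (SEC 2 parameters).
Key and nonces below are constructed for reproducibility; nothing here is
constant-time or otherwise fit for production use."""
import hashlib

# secp256k1 domain parameters (SEC 2).  a = 0, so the doubling slope is 3x^2 / 2y.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Plain double-and-add scalar multiplication (deliberately not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg):
    """z = SHA-256(msg) reduced mod n (good enough for the demonstration)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, k, msg):
    """Textbook ECDSA with a caller-supplied nonce k so a leak can be modelled."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * d) % N
    return (r, s)


def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = hash_to_int(msg)
    x = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def key_from_leaked_nonce(sig, msg, k):
    """s = k^-1 (z + r d)  =>  d = (s k - z) r^-1  (mod n)."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, N) % N


def key_from_reused_nonce(sig1, msg1, sig2, msg2):
    """Same k gives the same r, and s1 - s2 = k^-1 (z1 - z2), so k falls out."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: the nonces differ, nothing to recover")
    k = (hash_to_int(msg1) - hash_to_int(msg2)) * pow(s1 - s2, -1, N) % N
    return key_from_leaked_nonce(sig1, msg1, k)


# Constructed demo key and nonce, derived deterministically so the run is reproducible.
D = hash_to_int(b"demo private key: do not use")
PUB = ec_mul(D, G)
K1 = hash_to_int(b"demo nonce: do not use")
MSG1, MSG2 = b"first message", b"second message"


def demo():
    """Return (d recovered from a leaked k, d recovered from a reused k); both equal D."""
    sig1 = ecdsa_sign(D, K1, MSG1)
    leaked = key_from_leaked_nonce(sig1, MSG1, K1)   # a side channel gave away k
    sig2 = ecdsa_sign(D, K1, MSG2)                   # same k on a second message
    reused = key_from_reused_nonce(sig1, MSG1, sig2, MSG2)
    return leaked, reused


if __name__ == "__main__":
    print(demo() == (D, D))
```

Only the scalar arithmetic at the end matters for the attack; the curve code is there so that r is a genuine x-coordinate and the recovered key can be checked against a verifying public key. Partial knowledge of k (a few bits per signature, as in the nonce-bias papers Gutmann mentions) turns the same relation into a lattice problem rather than one division, but the root cause is identical.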