IETF Logo Mail Archive

Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt

Daniel Migault <daniel.migault@ericsson.com> Sun, 26 March 2017 20:39 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7A81296B3 for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 13:39:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwrfWxXc4G8N for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F886128616 for <curdle@ietf.org>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id e75so2011272itd.1 for <curdle@ietf.org>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=FgmHAGulBaoiXZ0mmMCZLV10dEBgxNSZwkHlGgYv7JI=; b=kVLqWugIzdf39kGGPk6vmVVvbXifuPwqjVoHKARCadFVbDGNuT4Ab7X21b676rx3cM UPV6k+vPS73sQWol5pO2Y8ZI1KqVpn8iYWLn+vofC5GCcmtn1h5lAWPwiR9hKyEyPIJj zMjWRI9/F5bJjKoNcoM9GOpjhnwNZTNCUUxOLmKhCeekQHTI4aG1n9uvclBJMmMAOWuM xTikj4Q9dA2+AGdHNECv8n5ZVaHGZRiThxL+zhYUYCSlD8zX1DOpjnbWkZEAIO3Ovgh1 lbfL7jenwztREWwwvVeAaC9TaOMREJ1us1QaRBnwqpYNin0ISNSgHfcyx4ifkuKClqt0 1b+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=FgmHAGulBaoiXZ0mmMCZLV10dEBgxNSZwkHlGgYv7JI=; b=plImOPiW8ZLq1PyJq4LRKws0xRVERb/rKHvLXeVVI0DeN7jABmQWED7uhQfMt9oJh+ kpIs+z665Wm2G92TBORdWW+i9DnU7Ne2AFna7rutRwpQEHUE4Npj0IxIOLgExnhnVcLG 4zWPMlvrC4ehhErlZywZgVYkS674BUTc2Nsi0xCn6lS5GqJQYK6DhhNTq/lgiysLaHxX gYSNqzPcMJ9+8BtYiMNK+id758G9CIc/Tsv4sg/S1ZT3eeI/p27sdmFWJHUxSio5uqRN GrhjZxns4ZovWt9VMPInPU4f4Evk/IhGi6hk5WF5aoNRqejm+KzB4EV3ZTBoYDelMCma ghjQ==
X-Gm-Message-State: AFeK/H3442Qn42CnM3LX3/Cm9UNQYyWo4pHx2R9NrZ85PHQmaDbMnRap68yk2Glibp96wApbO9AIjKTKPAGWxw==
X-Received: by 10.107.174.27 with SMTP id x27mr17760520ioe.35.1490560781713; Sun, 26 Mar 2017 13:39:41 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Sun, 26 Mar 2017 13:39:40 -0700 (PDT)
In-Reply-To: <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
References: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com> <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sun, 26 Mar 2017 15:39:40 -0500
X-Google-Sender-Auth: l7I0hgE_yYZcOeWwR1XEQAFVuYI
Message-ID: <CADZyTkkovyn_SdqZxY_NCunCtR1QChKyTSsT2HOXDWAeUMTf2A@mail.gmail.com>
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a11449ffce90544054ba839af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/dbMZfEm72wdpQmHOWxhbAcItHZI>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 20:39:45 -0000

Hi,

Thanks for the response. Please see mine inline. In short I agree with your
responses. I believe it would be good to add rsa-sha2-256-pss,
rsa-sha2-512-pss.

Yours,
Daniel



On Sun, Mar 26, 2017 at 12:56 PM, denis bider (Bitvise) <
ietf-ssh3@denisbider.com> wrote:

> Daniel:
>
>
> Should we consider adding / replacing PKCS1v1.5
>> by RSA-PSS for the signature format.
>>
>
> An early version of the spec called for PSS. After strong objections -
> most prominently Peter Gutmann's; it is possible there were others - I
> changed back to PKCS1v1.5. The main objections were:
>
> - PSS is not as universally available;
> - adding a new type of padding would impose costs on highly
> resource-constrained implementations who would now have to support both.
>
> I have no objections to adding PSS. At this point, it would have to be
> added as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss.
>
> The existing names already have widely implemented / accepted meanings
> with PKCS1v1.5.
>
> I understand the motivations. I personally think it would be good to add
rsa-sha2-256-pss, rsa-sha2-512-pss

>
> I understand that penalties are encouraging to
>> keep ssh-rsa while the use of sha1 is deprecated.
>> I suggest to provide some recommendations on how
>> to perform penalties.
>>
>
> The issue are penalties in software already deployed. Servers are often
> used for 5-10 years without update. Users actively resist updates, even if
> we urge otherwise. Often, there's no one to perform an update. The
> administrator who configured the server has left. The people who use it are
> afraid, because they don't have anyone who understands their setup if it
> breaks. A new spec won't fix this deployed base.
>
> Software that's aware of this spec is suggested to implement the
> "server-sig-algs" extension with EXT_INFO. This eliminates any need to
> guess what signature algorithm to use. That is this spec's recommendation.
>
>
> Agree, my recommendation on penalties was mostly for new implementations
that do not implement ext_info. Maybe you are right having ext_info solve
this issue better.


> MGLT: Can we recommend to have penalties only applies
>> when algorithms are weaker than the one supported.
>>
>
> The issue does not arise from implementations penalizing known algorithms,
> it arises from old software penalizing unknown algorithms. Old software
> cannot know whether an unknown algorithm is stronger or weaker than what it
> supports.
>
> An option we have is to recommend new implementations to not penalize
> unknown algorithms, because they could be stronger versions of known ones.
> That could be sensible. But the "server-sig-algs" extension already removes
> the need to try an algorithm the server doesn't support.
>
>
> > When authenticating with an RSA key against a server
>> > that does not implement the "server-sig-algs" extension,
>> > clients MAY default to an ssh-rsa signature to avoid
>> > authentication penalties.
>>
>> MGLT: ssh-rsa must be deprecated, so I think we should
>> have something different. The fall back should be on
>> the most recommended algorithm, or the authentication
>> penalty should be changed.
>>
>
> We can put in instructions that work and will realistically be followed,
> or we can put in instructions that don’t work.
>
> Agree.


> Due to existing deployed base, falling back to “rsa-sha2-256” when the
> server does not send “server-sig-algs” will not work. If the spec is made
> to require this, implementers will ignore it for compatibility. Worse,
> there will then be poor guidance toward a solution that does work.
>
Agree

> In my opinion, the way to deprecate ssh-rsa is to implement the new
> signature methods; implement the "server-sig-algs" extension to allow them
> to coexist; allow for several years of new deployment; and then, for new
> implementations to start disabling "ssh-rsa" by default.
>
> Maybe that would be good to explain how the option is also helping to
deprecate suites in the security consideration section.

>
> denis
>
>
>
> ----- Original Message -----
> From: Daniel Migault
> Sent: Saturday, March 25, 2017 17:40
> To: curdle
> Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
>
> Hi,
>
> Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt.
>
> In a word my comments are:
>   - 1) Should we consider  adding / replacing PKCS1v1.5 by RSA-PSS for
> the signature format.
>   - 2) I understand that penalties are encouraging to keep ssh-rsa while
> the use of sha1 is deprecated. I suggest to provide some recommendations on
> how to perform penalties.
>
> Yours,
> Daniel
>
>      Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
>                   draft-ietf-curdle-rsa-sha2-03.txt
>
>
> Abstract
>
>  This memo defines an algorithm name, public key format, and signature
>  format for use of RSA keys with SHA-2 512 for server and client
>  authentication in SSH connections.
>
> MGLT: Maybe we should also add penalty recommendations as well ?
>
> 2.  Public Key Algorithms
>
>  This memo adopts the style and conventions of [RFC4253] in specifying
>  how use of a signature algorithm is indicated in SSH.
>
>  The following new signature algorithms are defined:
>
>    rsa-sha2-256    RECOMMENDED    sign    Raw RSA key
>    rsa-sha2-512    OPTIONAL       sign    Raw RSA key
>
>  These signature algorithms are suitable for use both in the SSH transport
>  layer [RFC4253] for server authentication, and in the authentication
>  layer [RFC4252] for client authentication.
>
>  Since RSA keys are not dependent on the choice of hash function, both
>  new algorithms reuse the public key format of the existing "ssh-rsa"
>  algorithm as defined in [RFC4253]:
>
>    string    "ssh-rsa"
>    mpint     e
>    mpint     n
>
>  All aspects of the "ssh-rsa" format are kept, including the encoded
>  string "ssh-rsa", in order to allow users' existing RSA keys to be
>  used with the new signature formats, without requiring re-encoding,
>  or affecting already trusted key fingerprints.
>
>  Signing and verifying using these algorithms is performed according to
>  the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as
>  hash; MGF1 as mask function; and salt length equal to hash size.
>
> MGLT: Could we also take this opportunity to upgrade the signature to
> RSA-PSS ?
> If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most
> implementation, maybe this document could also define
> "rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could
> define rsa-sha2-* with RSA-PSS.
>
>
> 3.  Discovery of signature algorithms supported by servers
>
>  Implementation experience has shown that there are servers which apply
>  authentication penalties to clients attempting signature algorithms
>  which the SSH server does not support.
>
> MGLT: Can we recommend to have penalties only applies when algorithms are
> weaker than the one supported.
>
>  Servers that accept rsa-sha2-* signatures for client authentication
>  SHOULD implement the extension negotiation mechanism defined in
>  [SSH-EXT-INFO], including especially the "server-sig-algs" extension.
>
>  When authenticating with an RSA key against a server that does not
>  implement the "server-sig-algs" extension, clients MAY default to an
>  ssh-rsa signature to avoid authentication penalties.
>
> MGLT: ssh-rsa must be deprecated, so I think we should have something
> different. The fall back should be on the most recommended algorithm, or
> the authentication penalty should be changed.
>
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>

v2.23.0 | Report a Bug | By Email