Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
Daniel Migault <daniel.migault@ericsson.com> Sun, 26 March 2017 20:39 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7A81296B3 for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 13:39:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwrfWxXc4G8N for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F886128616 for <curdle@ietf.org>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id e75so2011272itd.1 for <curdle@ietf.org>; Sun, 26 Mar 2017 13:39:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=FgmHAGulBaoiXZ0mmMCZLV10dEBgxNSZwkHlGgYv7JI=; b=kVLqWugIzdf39kGGPk6vmVVvbXifuPwqjVoHKARCadFVbDGNuT4Ab7X21b676rx3cM UPV6k+vPS73sQWol5pO2Y8ZI1KqVpn8iYWLn+vofC5GCcmtn1h5lAWPwiR9hKyEyPIJj zMjWRI9/F5bJjKoNcoM9GOpjhnwNZTNCUUxOLmKhCeekQHTI4aG1n9uvclBJMmMAOWuM xTikj4Q9dA2+AGdHNECv8n5ZVaHGZRiThxL+zhYUYCSlD8zX1DOpjnbWkZEAIO3Ovgh1 lbfL7jenwztREWwwvVeAaC9TaOMREJ1us1QaRBnwqpYNin0ISNSgHfcyx4ifkuKClqt0 1b+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=FgmHAGulBaoiXZ0mmMCZLV10dEBgxNSZwkHlGgYv7JI=; b=plImOPiW8ZLq1PyJq4LRKws0xRVERb/rKHvLXeVVI0DeN7jABmQWED7uhQfMt9oJh+ kpIs+z665Wm2G92TBORdWW+i9DnU7Ne2AFna7rutRwpQEHUE4Npj0IxIOLgExnhnVcLG 4zWPMlvrC4ehhErlZywZgVYkS674BUTc2Nsi0xCn6lS5GqJQYK6DhhNTq/lgiysLaHxX gYSNqzPcMJ9+8BtYiMNK+id758G9CIc/Tsv4sg/S1ZT3eeI/p27sdmFWJHUxSio5uqRN GrhjZxns4ZovWt9VMPInPU4f4Evk/IhGi6hk5WF5aoNRqejm+KzB4EV3ZTBoYDelMCma ghjQ==
X-Gm-Message-State: AFeK/H3442Qn42CnM3LX3/Cm9UNQYyWo4pHx2R9NrZ85PHQmaDbMnRap68yk2Glibp96wApbO9AIjKTKPAGWxw==
X-Received: by 10.107.174.27 with SMTP id x27mr17760520ioe.35.1490560781713; Sun, 26 Mar 2017 13:39:41 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Sun, 26 Mar 2017 13:39:40 -0700 (PDT)
In-Reply-To: <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
References: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com> <374ADF9BE1924B7889C64CEC7D51FEF8@Khan>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sun, 26 Mar 2017 15:39:40 -0500
X-Google-Sender-Auth: l7I0hgE_yYZcOeWwR1XEQAFVuYI
Message-ID: <CADZyTkkovyn_SdqZxY_NCunCtR1QChKyTSsT2HOXDWAeUMTf2A@mail.gmail.com>
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a11449ffce90544054ba839af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/dbMZfEm72wdpQmHOWxhbAcItHZI>
Subject: Re: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 20:39:45 -0000
Hi, Thanks for the response. Please see mine inline. In short I agree with your responses. I believe it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss. Yours, Daniel On Sun, Mar 26, 2017 at 12:56 PM, denis bider (Bitvise) < ietf-ssh3@denisbider.com> wrote: > Daniel: > > > Should we consider adding / replacing PKCS1v1.5 >> by RSA-PSS for the signature format. >> > > An early version of the spec called for PSS. After strong objections - > most prominently Peter Gutmann's; it is possible there were others - I > changed back to PKCS1v1.5. The main objections were: > > - PSS is not as universally available; > - adding a new type of padding would impose costs on highly > resource-constrained implementations who would now have to support both. > > I have no objections to adding PSS. At this point, it would have to be > added as separate variants. For example: rsa-sha2-256-pss, rsa-sha2-512-pss. > > The existing names already have widely implemented / accepted meanings > with PKCS1v1.5. > > I understand the motivations. I personally think it would be good to add rsa-sha2-256-pss, rsa-sha2-512-pss > > I understand that penalties are encouraging to >> keep ssh-rsa while the use of sha1 is deprecated. >> I suggest to provide some recommendations on how >> to perform penalties. >> > > The issue are penalties in software already deployed. Servers are often > used for 5-10 years without update. Users actively resist updates, even if > we urge otherwise. Often, there's no one to perform an update. The > administrator who configured the server has left. The people who use it are > afraid, because they don't have anyone who understands their setup if it > breaks. A new spec won't fix this deployed base. > > Software that's aware of this spec is suggested to implement the > "server-sig-algs" extension with EXT_INFO. This eliminates any need to > guess what signature algorithm to use. That is this spec's recommendation. > > > Agree, my recommendation on penalties was mostly for new implementations that do not implement ext_info. Maybe you are right having ext_info solve this issue better. > MGLT: Can we recommend to have penalties only applies >> when algorithms are weaker than the one supported. >> > > The issue does not arise from implementations penalizing known algorithms, > it arises from old software penalizing unknown algorithms. Old software > cannot know whether an unknown algorithm is stronger or weaker than what it > supports. > > An option we have is to recommend new implementations to not penalize > unknown algorithms, because they could be stronger versions of known ones. > That could be sensible. But the "server-sig-algs" extension already removes > the need to try an algorithm the server doesn't support. > > > > When authenticating with an RSA key against a server >> > that does not implement the "server-sig-algs" extension, >> > clients MAY default to an ssh-rsa signature to avoid >> > authentication penalties. >> >> MGLT: ssh-rsa must be deprecated, so I think we should >> have something different. The fall back should be on >> the most recommended algorithm, or the authentication >> penalty should be changed. >> > > We can put in instructions that work and will realistically be followed, > or we can put in instructions that don’t work. > > Agree. > Due to existing deployed base, falling back to “rsa-sha2-256” when the > server does not send “server-sig-algs” will not work. If the spec is made > to require this, implementers will ignore it for compatibility. Worse, > there will then be poor guidance toward a solution that does work. > Agree > In my opinion, the way to deprecate ssh-rsa is to implement the new > signature methods; implement the "server-sig-algs" extension to allow them > to coexist; allow for several years of new deployment; and then, for new > implementations to start disabling "ssh-rsa" by default. > > Maybe that would be good to explain how the option is also helping to deprecate suites in the security consideration section. > > denis > > > > ----- Original Message ----- > From: Daniel Migault > Sent: Saturday, March 25, 2017 17:40 > To: curdle > Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt > > Hi, > > Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt. > > In a word my comments are: > - 1) Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for > the signature format. > - 2) I understand that penalties are encouraging to keep ssh-rsa while > the use of sha1 is deprecated. I suggest to provide some recommendations on > how to perform penalties. > > Yours, > Daniel > > Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) > draft-ietf-curdle-rsa-sha2-03.txt > > > Abstract > > This memo defines an algorithm name, public key format, and signature > format for use of RSA keys with SHA-2 512 for server and client > authentication in SSH connections. > > MGLT: Maybe we should also add penalty recommendations as well ? > > 2. Public Key Algorithms > > This memo adopts the style and conventions of [RFC4253] in specifying > how use of a signature algorithm is indicated in SSH. > > The following new signature algorithms are defined: > > rsa-sha2-256 RECOMMENDED sign Raw RSA key > rsa-sha2-512 OPTIONAL sign Raw RSA key > > These signature algorithms are suitable for use both in the SSH transport > layer [RFC4253] for server authentication, and in the authentication > layer [RFC4252] for client authentication. > > Since RSA keys are not dependent on the choice of hash function, both > new algorithms reuse the public key format of the existing "ssh-rsa" > algorithm as defined in [RFC4253]: > > string "ssh-rsa" > mpint e > mpint n > > All aspects of the "ssh-rsa" format are kept, including the encoded > string "ssh-rsa", in order to allow users' existing RSA keys to be > used with the new signature formats, without requiring re-encoding, > or affecting already trusted key fingerprints. > > Signing and verifying using these algorithms is performed according to > the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as > hash; MGF1 as mask function; and salt length equal to hash size. > > MGLT: Could we also take this opportunity to upgrade the signature to > RSA-PSS ? > If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most > implementation, maybe this document could also define > "rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could > define rsa-sha2-* with RSA-PSS. > > > 3. Discovery of signature algorithms supported by servers > > Implementation experience has shown that there are servers which apply > authentication penalties to clients attempting signature algorithms > which the SSH server does not support. > > MGLT: Can we recommend to have penalties only applies when algorithms are > weaker than the one supported. > > Servers that accept rsa-sha2-* signatures for client authentication > SHOULD implement the extension negotiation mechanism defined in > [SSH-EXT-INFO], including especially the "server-sig-algs" extension. > > When authenticating with an RSA key against a server that does not > implement the "server-sig-algs" extension, clients MAY default to an > ssh-rsa signature to avoid authentication penalties. > > MGLT: ssh-rsa must be deprecated, so I think we should have something > different. The fall back should be on the most recommended algorithm, or > the authentication penalty should be changed. > > > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle >
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Mark D. Baushke
- [Curdle] comments on draft-ietf-curdle-rsa-sha2-0… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider (Bitvise)
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Ilari Liusvaara
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault