[Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
Daniel Migault <daniel.migault@ericsson.com> Sat, 25 March 2017 23:40 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B9C61272E1 for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 16:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BpE9ipDdKjGI for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C45C127097 for <curdle@ietf.org>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id w124so12054973itb.0 for <curdle@ietf.org>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=KXSy5Q7bwmnbJvd36uv8Xjg4wQg23Uzju5x7iklC1VQ=; b=WdnyZgOP2VPBiuww1Dikff6kYRWL0e3xQt6yzrrP8QTeT82Bhu9z90Eaqd6GGGNzB+ h9Cbf7bX7fLgowza+Hmf9ITRX1FUOBMnhscswX52pSLl7ciavCnGr13Gg/ubW0ew5Nqz P945v7Id+vsAlPHJNV248fYifnJr8NHn1Tr38OIRwVyeDg8VmnSbfXoW53/oeTX4jd15 MJxHVDcrRyguiO3xPwgSOOEj5COK+V+wnkOLsGtEi94cbMZRggOyQJw7G+FBG2dg0HaX ZcrxyQUVundgEaY1EDauFGP/QA+nX2el/wzoFSQuQbbL1G6YMosGD410Z+xRYbBZaToZ c+DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=KXSy5Q7bwmnbJvd36uv8Xjg4wQg23Uzju5x7iklC1VQ=; b=Es89FW6jf/ffC0Q5L0uI5lTYXslSUbKPNiohN4u/G+njMzNmKfy2bC97rG82oQIZz8 A3mjchS8bAEkZJHgj2sf+6aVAg8qXZOFuWTBTPWC9Zg2BeA6cLBZfBpFhRRpHWoAMTJO j8Y43qqEX3Ay6e79vrHEERTNvwBQiQwQtpH+dkJrYTwFyW3jKbiBPsmPKVZPkQGLZQVj PJyzb6/NXvLCh7p5m6/REE/ccF7CLcATs2S+pot00idoq8ID9o9WQfG2pZEH07tKnuNp IhYxwbAyXFHBQKSBbCmxUCn+QVBeas10bRhDV6KNd7cb9FppfAULXybF81yq6YIgtGHr 9W8g==
X-Gm-Message-State: AFeK/H06H7oRrTwMxvzlKEOoIsrhA7brmJ2265Ocv50s9ONNXZnmHSSWAkhrg5LOXXikVPFTB8SXmPXLpeid2w==
X-Received: by 10.107.174.27 with SMTP id x27mr14392310ioe.35.1490485227210; Sat, 25 Mar 2017 16:40:27 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Sat, 25 Mar 2017 16:40:26 -0700 (PDT)
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sat, 25 Mar 2017 19:40:26 -0400
X-Google-Sender-Auth: BuIyXmaSE1QrXBr3cyU5Kml4s8k
Message-ID: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a11449ffc82d222054b96a2a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/dhgWgGKeGQX1rONhy2r6y1qo9Fo>
Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 23:40:30 -0000
Hi, Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt. In a word my comments are: - 1) Should we consider adding / replacing PKCS1v1.5 by RSA-PSS for the signature format. - 2) I understand that penalties are encouraging to keep ssh-rsa while the use of sha1 is deprecated. I suggest to provide some recommendations on how to perform penalties. Yours, Daniel Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) draft-ietf-curdle-rsa-sha2-03.txt Abstract This memo defines an algorithm name, public key format, and signature format for use of RSA keys with SHA-2 512 for server and client authentication in SSH connections. MGLT: Maybe we should also add penalty recommendations as well ? 2. Public Key Algorithms This memo adopts the style and conventions of [RFC4253] in specifying how use of a signature algorithm is indicated in SSH. The following new signature algorithms are defined: rsa-sha2-256 RECOMMENDED sign Raw RSA key rsa-sha2-512 OPTIONAL sign Raw RSA key These signature algorithms are suitable for use both in the SSH transport layer [RFC4253] for server authentication, and in the authentication layer [RFC4252] for client authentication. Since RSA keys are not dependent on the choice of hash function, both new algorithms reuse the public key format of the existing "ssh-rsa" algorithm as defined in [RFC4253]: string "ssh-rsa" mpint e mpint n All aspects of the "ssh-rsa" format are kept, including the encoded string "ssh-rsa", in order to allow users' existing RSA keys to be used with the new signature formats, without requiring re-encoding, or affecting already trusted key fingerprints. Signing and verifying using these algorithms is performed according to the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as hash; MGF1 as mask function; and salt length equal to hash size. MGLT: Could we also take this opportunity to upgrade the signature to RSA-PSS ? If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most implementation, maybe this document could also define "rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could define rsa-sha2-* with RSA-PSS. 3. Discovery of signature algorithms supported by servers Implementation experience has shown that there are servers which apply authentication penalties to clients attempting signature algorithms which the SSH server does not support. MGLT: Can we recommend to have penalties only applies when algorithms are weaker than the one supported. Servers that accept rsa-sha2-* signatures for client authentication SHOULD implement the extension negotiation mechanism defined in [SSH-EXT-INFO], including especially the "server-sig-algs" extension. When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an ssh-rsa signature to avoid authentication penalties. MGLT: ssh-rsa must be deprecated, so I think we should have something different. The fall back should be on the most recommended algorithm, or the authentication penalty should be changed.
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Mark D. Baushke
- [Curdle] comments on draft-ietf-curdle-rsa-sha2-0… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider (Bitvise)
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Peter Gutmann
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Ilari Liusvaara
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… denis bider
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Watson Ladd
- Re: [Curdle] comments on draft-ietf-curdle-rsa-sh… Daniel Migault