IETF Logo Mail Archive

[Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt

Daniel Migault <daniel.migault@ericsson.com> Sat, 25 March 2017 23:40 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B9C61272E1 for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 16:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BpE9ipDdKjGI for <curdle@ietfa.amsl.com>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C45C127097 for <curdle@ietf.org>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id w124so12054973itb.0 for <curdle@ietf.org>; Sat, 25 Mar 2017 16:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=KXSy5Q7bwmnbJvd36uv8Xjg4wQg23Uzju5x7iklC1VQ=; b=WdnyZgOP2VPBiuww1Dikff6kYRWL0e3xQt6yzrrP8QTeT82Bhu9z90Eaqd6GGGNzB+ h9Cbf7bX7fLgowza+Hmf9ITRX1FUOBMnhscswX52pSLl7ciavCnGr13Gg/ubW0ew5Nqz P945v7Id+vsAlPHJNV248fYifnJr8NHn1Tr38OIRwVyeDg8VmnSbfXoW53/oeTX4jd15 MJxHVDcrRyguiO3xPwgSOOEj5COK+V+wnkOLsGtEi94cbMZRggOyQJw7G+FBG2dg0HaX ZcrxyQUVundgEaY1EDauFGP/QA+nX2el/wzoFSQuQbbL1G6YMosGD410Z+xRYbBZaToZ c+DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=KXSy5Q7bwmnbJvd36uv8Xjg4wQg23Uzju5x7iklC1VQ=; b=Es89FW6jf/ffC0Q5L0uI5lTYXslSUbKPNiohN4u/G+njMzNmKfy2bC97rG82oQIZz8 A3mjchS8bAEkZJHgj2sf+6aVAg8qXZOFuWTBTPWC9Zg2BeA6cLBZfBpFhRRpHWoAMTJO j8Y43qqEX3Ay6e79vrHEERTNvwBQiQwQtpH+dkJrYTwFyW3jKbiBPsmPKVZPkQGLZQVj PJyzb6/NXvLCh7p5m6/REE/ccF7CLcATs2S+pot00idoq8ID9o9WQfG2pZEH07tKnuNp IhYxwbAyXFHBQKSBbCmxUCn+QVBeas10bRhDV6KNd7cb9FppfAULXybF81yq6YIgtGHr 9W8g==
X-Gm-Message-State: AFeK/H06H7oRrTwMxvzlKEOoIsrhA7brmJ2265Ocv50s9ONNXZnmHSSWAkhrg5LOXXikVPFTB8SXmPXLpeid2w==
X-Received: by 10.107.174.27 with SMTP id x27mr14392310ioe.35.1490485227210; Sat, 25 Mar 2017 16:40:27 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Sat, 25 Mar 2017 16:40:26 -0700 (PDT)
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sat, 25 Mar 2017 19:40:26 -0400
X-Google-Sender-Auth: BuIyXmaSE1QrXBr3cyU5Kml4s8k
Message-ID: <CADZyTkm43WWxb_DiZ1K9gRwzqmTCJ=Q-no53t9D__mDPERCyqw@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a11449ffc82d222054b96a2a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/dhgWgGKeGQX1rONhy2r6y1qo9Fo>
Subject: [Curdle] comments on draft-ietf-curdle-rsa-sha2-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 23:40:30 -0000

Hi,

Please find my comments on draft-ietf-curdle-rsa-sha2-03.txt.

In a word my comments are:
   - 1) Should we consider  adding / replacing PKCS1v1.5 by RSA-PSS for
the signature format.
   - 2) I understand that penalties are encouraging to keep ssh-rsa while
the use of sha1 is deprecated. I suggest to provide some recommendations on
how to perform penalties.

Yours,
Daniel

      Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
                   draft-ietf-curdle-rsa-sha2-03.txt


Abstract

  This memo defines an algorithm name, public key format, and signature
  format for use of RSA keys with SHA-2 512 for server and client
  authentication in SSH connections.

MGLT: Maybe we should also add penalty recommendations as well ?

2.  Public Key Algorithms

  This memo adopts the style and conventions of [RFC4253] in specifying
  how use of a signature algorithm is indicated in SSH.

  The following new signature algorithms are defined:

    rsa-sha2-256    RECOMMENDED    sign    Raw RSA key
    rsa-sha2-512    OPTIONAL       sign    Raw RSA key

  These signature algorithms are suitable for use both in the SSH transport
  layer [RFC4253] for server authentication, and in the authentication
  layer [RFC4252] for client authentication.

  Since RSA keys are not dependent on the choice of hash function, both
  new algorithms reuse the public key format of the existing "ssh-rsa"
  algorithm as defined in [RFC4253]:

    string    "ssh-rsa"
    mpint     e
    mpint     n

  All aspects of the "ssh-rsa" format are kept, including the encoded
  string "ssh-rsa", in order to allow users' existing RSA keys to be
  used with the new signature formats, without requiring re-encoding,
  or affecting already trusted key fingerprints.

  Signing and verifying using these algorithms is performed according to
  the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as
  hash; MGF1 as mask function; and salt length equal to hash size.

MGLT: Could we also take this opportunity to upgrade the signature to
RSA-PSS ?
If "rsa-sha2-256" / "rsa-sha2-512" are already deployed in most
implementation, maybe this document could also define
"rsa-sha2-256-rsassa-pss" and "rsa-sha2-512-rsassa-pss" otherwise we could
define rsa-sha2-* with RSA-PSS.


3.  Discovery of signature algorithms supported by servers

  Implementation experience has shown that there are servers which apply
  authentication penalties to clients attempting signature algorithms
  which the SSH server does not support.

MGLT: Can we recommend to have penalties only applies when algorithms are
weaker than the one supported.

  Servers that accept rsa-sha2-* signatures for client authentication
  SHOULD implement the extension negotiation mechanism defined in
  [SSH-EXT-INFO], including especially the "server-sig-algs" extension.

  When authenticating with an RSA key against a server that does not
  implement the "server-sig-algs" extension, clients MAY default to an
  ssh-rsa signature to avoid authentication penalties.

MGLT: ssh-rsa must be deprecated, so I think we should have something
different. The fall back should be on the most recommended algorithm, or
the authentication penalty should be changed.

v2.23.0 | Report a Bug | By Email