Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?

Ron Frederick <ronf@timeheart.net> Mon, 13 July 2020 20:28 UTC

Return-Path: <ronf@timeheart.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 212973A08C1 for <curdle@ietfa.amsl.com>; Mon, 13 Jul 2020 13:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7feyAmruTO-i for <curdle@ietfa.amsl.com>; Mon, 13 Jul 2020 13:28:07 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8D9B3A086F for <curdle@ietf.org>; Mon, 13 Jul 2020 13:28:06 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id u5so6532917pfn.7 for <curdle@ietf.org>; Mon, 13 Jul 2020 13:28:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NIYZVC5oFl8AAKTvLvwjMqrGrp+DuXPoZSqn0CGTCHI=; b=dP0aN+dK9cvbCm4/45BdrmYhBrYKXj7XNG1E7fUByBs5nnySg+4O+65styYd5t9Ths SeX/CzHTFDqSFUtSZpDiqy/4XCdWch5x/dKt7cywnRnSQ7Ip6P05uwo7UtmHa1otTQFM SNedgHdZa6bCIpRdW+k/ma4qirEaFpnvXE8r8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NIYZVC5oFl8AAKTvLvwjMqrGrp+DuXPoZSqn0CGTCHI=; b=SAdKsacpYB4quxp09O+o7D2O5rUSj842uC0SmfKFn1do4p/P+RpAXNYeyzHr+zT73D 2mUcTSMC9IVzpi52/9IVjY3qj/HrYQNxY4F507WLBsnM7Rcqsly4Qj7eaCpVVryar29q IJ5wlwpwvwUg51mv3Bksy33jRXI/hEQ5nXpz8V0pzmdIMFOlY2JPeA0YPCLH6l2cPiQ1 YChwAas2GXad0yk8HI5GWfXQO2zcR5vIPh7MH9oGguqqqaM5pcLgYZ/NC2usPJmv6Vrb Yr0W5gDLPCCT1N5ZyWnDHjWXFv4zASGMMIEOkOA7Xmz+ARQ6CQec2t5JyKDqyaeXY8x8 tOvg==
X-Gm-Message-State: AOAM530Jazzot2wWG6zbh2jErPL9PmNKnQ4AmA8sHhx137bAI8vFlMEg rIlomMA9aV0R8DMmFhQBr8Qu4w==
X-Google-Smtp-Source: ABdhPJwnVN6iWI6p65OMyx6V6Qp3aBgiODU/1QZJukoGH3Ary924ty/YRo81bkmXmnN4mBjvMc2gVw==
X-Received: by 2002:a63:cb03:: with SMTP id p3mr712199pgg.444.1594672086275; Mon, 13 Jul 2020 13:28:06 -0700 (PDT)
Received: from ?IPv6:2603:3024:18fa:4000:18ef:20ad:6833:584c? ([2603:3024:18fa:4000:18ef:20ad:6833:584c]) by smtp.gmail.com with ESMTPSA id y8sm390036pju.49.2020.07.13.13.28.04 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 13:28:05 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
From: Ron Frederick <ronf@timeheart.net>
In-Reply-To: <53536.1594666321@eng-mail01.juniper.net>
Date: Mon, 13 Jul 2020 13:28:04 -0700
Cc: IETF curdle <curdle@ietf.org>, IETF ssh <ietf-ssh@netbsd.org>, "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>, curdle-chairs <curdle-chairs@ietf.org>, denis bider <denisbider.ietf@gmail.com>, Loganaden Velvindron <loganaden@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FEFD5981-9729-4BC5-90C7-F571C0A49229@timeheart.net>
References: <CADPMZDB8oXAg0g0oJvZmkK1XPhb28SQPnxwRmL9umzFXkH0ogQ@mail.gmail.com> <2306.1594546601@eng-mail01.juniper.net> <CAOp4FwQMcNHRd65U1A+zfT1Xyrqv7+kHU_Lh1tqMGsBQB2LrVA@mail.gmail.com> <53536.1594666321@eng-mail01.juniper.net>
To: "Mark D. Baushke" <mdb@juniper.net>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/gN1vZ2_8ZK42HnL-6sHWnUkBDHo>
Subject: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 20:28:08 -0000

On Jul 13, 2020, at 11:52 AM, Mark D. Baushke <mdb@juniper.net> wrote:
> As I understand it, the following are candidates for MUST:
> 
>  * diffie-hellman-group14-sha256
>    [It is not clear to me how much longer 2048-bits will be considered
>     strong enough.]
> 
>  * curve25519-sha256
> 
>  * ecdh-sha2-nistp256
>    [Some folks are not happy with the current ECDH curves.]
> 
> I would look for discussion on the list about which Key Exchange
> Algorithms are Mandatory to Implement going forward.


Given the concerns about the NIST EC curves, I’d lean toward the current NIST ecdh-sha2-nist* curves being only SHOULD and not MUST.

I’m torn about curve25519 in this regard. I think it’s a good option, but I don’t know if we want to go as far as saying all compliant implementations must support it. For historical reasons, I’d lean toward doing that only with DH algorithms with an appropriate amount of strength, since it should be easier for existing implementations that support only DH today to move to those stronger key sizes & hashes.
-- 
Ron Frederick
ronf@timeheart.net