Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)
Tero Kivinen <kivinen@iki.fi> Mon, 17 July 2017 16:33 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4304C131CB7 for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 09:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEVVC_pPJY8e for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 09:33:17 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A919131CC1 for <curdle@ietf.org>; Mon, 17 Jul 2017 09:32:54 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v6HGWo0w024993 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 17 Jul 2017 19:32:50 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v6HGWngE027472; Mon, 17 Jul 2017 19:32:49 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22892.59057.959364.772229@fireball.acr.fi>
Date: Mon, 17 Jul 2017 19:32:49 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: curdle@ietf.org
In-Reply-To: <82005.1500305248@eng-mail01.juniper.net>
References: <22892.35863.542104.942153@fireball.acr.fi> <82005.1500305248@eng-mail01.juniper.net>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 14 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/hohFGdeN7vX05zGhFsFtmVyNm3Q>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 16:33:19 -0000
Mark D. Baushke writes: > > We are defining here a MUST implement and MUST not implement, not MUST > > use and MUST NOT use recommendations. > > For reference, there are five key exchanges that > draft-ietf-curdle-ssh-kex-sha2-08 marks as "MUST NOT" > > Key Exchange Method Name Reference Implement > ---------------------------------- ---------- --------- > diffie-hellman-group1-sha1 RFC4253 MUST NOT > diffie-hellman-group-exchange-sha1 RFC4419 MUST NOT > gss-gex-sha1-* RFC4462 MUST NOT > gss-group1-sha1-* RFC4462 MUST NOT > rsa1024-sha1 RFC4432 MUST NOT > > Of these, only diffie-hellman-group1-sha1 is moving from MUST to MUST > NOT. Due to 1024-bit Diffie-Hellman being considered by many as having > too little security (the same would be true of gss-group1-sha1-*). I think diffie-hellman-group1-sha1 is the only one where there is any real issues, and only because it used to be mandatory. But of course there might be others who want to keep some of the others in their codebase too... > What transition period is desirable for taking group1 "MUST" to "SHOULD > NOT" to "MUST NOT" ? Is it possible to codify both "SHOULD NOT" and > "MUST NOT" time frames into one RFC? In IPsec we decided that unless algoritm is really broken (i.e., there has been demonstration how it can be broken in public) we keep it SHOULD NOT. 786-bit Diffie-Hellman got MUST NOT because it was considered broken. The another 1024-bit Diffie-Hellman group which was generated so that we cannot be sure it is not backdoored, and which is not used at all, also got marked as MUST NOT, but the same group 1024-bit group we are talking here was left as SHOULD NOT. I am not familiar enough about the embedded ssh2 implementations to know what they really support, and when we can go forward. In most cases where we have been trying to guess when things are going away, we have been wrong, so I wouldn't even try to do that, and it is better to see what happens, and come back later when we see that those algorithms are no longer used ever... -- kivinen@iki.fi
- [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffi… Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Russ Housley
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… denis bider
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Damien Miller
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Damien Miller
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Damien Miller
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Damien Miller
- Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and d… Mark D. Baushke