IETF Logo Mail Archive

Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

denis bider <denisbider.ietf@gmail.com> Mon, 17 July 2017 21:07 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33C5912741D for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 14:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fi1x58JmMpzV for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 14:07:06 -0700 (PDT)
Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 298931243F6 for <curdle@ietf.org>; Mon, 17 Jul 2017 14:07:06 -0700 (PDT)
Received: by mail-yb0-x233.google.com with SMTP id w187so570901ybc.0 for <curdle@ietf.org>; Mon, 17 Jul 2017 14:07:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7b9zxoMS7uOZiXeYS73+1QEiLDVhUYWejtCayfFI6pc=; b=GbFI1Drz3QcNQde3JeCYeqEUp3hxlH2cpHvBEGJkp93obS4qdjKbPiMiyVkbbZqliE WbfDNrWJV0hDaQvfXjc3IsSjg4Z8GHX8XVLBKnuijAPQ/QRRN1j3DTV7b6WzP/HZfqgF mryDcuO//+YBHNYMbUkb0848ReXtTC97kc16Y1ffRL7cgMk+MvHGFGDxt94bdTXyHkyz yNPLURoGR7tzjurprNnJt5cgN1rk4yNo6k6bfmY4Oaw/2kTbig0EXfcf4wWy6FFDB1z8 9ocqJNoYNVx4ES7xSe+Mj2DpzFOeS082wgWTs+a2rBi8vj25c53DTn/TDxhNCHIAnPzR OSEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7b9zxoMS7uOZiXeYS73+1QEiLDVhUYWejtCayfFI6pc=; b=aOuAzXPSu9ZNg2aAPvHXw09hXCFlFuL3Kq/n5qj9SxOc4vio+f32i8SD+87LRZ6aIe BzQ14PRrjhcUFMc5VMJRo9iZig/RjRu+0MSwxeiveNtv8hm5NkDIyy8Ip2hf4U8ELrwQ thPXEYVg8+qVRXlR/FVAWvUiHxQLEcVq2kRiGUdMHYxqB64aw7qckJfkygKug/gcpWzN 9NymGE/w6DH9TpbJxWOM+guiZ54VvvryEXvDhBOR1PgruW2Nju068SBZTV7rNqU+fNTR 6Dj3DWJQh9qGObPcJ7pJt1VkilV4/PG/zAPIG+U2zO5qQCCMZEnCx08pCyfaVSWnmaQ8 Py3g==
X-Gm-Message-State: AIVw1115tH8UpW+ddUtYPW48RwRFw4NyZrSrrky13wxG4atK9FVcXB0B pAI1sgoGVpV9uvwurMaQAeCpYa8IMg==
X-Received: by 10.37.176.154 with SMTP id f26mr19491292ybj.246.1500325625331; Mon, 17 Jul 2017 14:07:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.215.131 with HTTP; Mon, 17 Jul 2017 14:07:04 -0700 (PDT)
In-Reply-To: <22892.59057.959364.772229@fireball.acr.fi>
References: <22892.35863.542104.942153@fireball.acr.fi> <82005.1500305248@eng-mail01.juniper.net> <22892.59057.959364.772229@fireball.acr.fi>
From: denis bider <denisbider.ietf@gmail.com>
Date: Mon, 17 Jul 2017 15:07:04 -0600
Message-ID: <CADPMZDAgcFqCsve3s65XQiQb9ipdO_bui=7dcYtHi10=d+jvcQ@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: "Mark D. Baushke" <mdb@juniper.net>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f2754f20d69055489c7d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jtS4u8505WaBvZZGfM9qy7gAFJg>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 21:07:08 -0000

I think Tero's assessments make sense.

I can provide anecdotal feedback that we still receive questions from users
about "how do I make this connection work?" where the problem is that the
other party supports only diffie-hellman-group1-sha1, and nothing else, so
the algorithm needs to be enabled.

Users SHOULD upgrade, of course, but in practice, many systems appear to be
upgraded at 10-year intervals. I expect we will continue to see occasional
demand for diffie-hellman-group1-sha1 for at least some 5 years. Although
it is off by default, we will be compelled to support it, simply because
despite its shortcomings, it is better than plaintext (by far).

denis


On Mon, Jul 17, 2017 at 10:32 AM, Tero Kivinen <kivinen@iki.fi> wrote:

> Mark D. Baushke writes:
> > > We are defining here a MUST implement and MUST not implement, not MUST
> > > use and MUST NOT use recommendations.
> >
> > For reference, there are five key exchanges that
> > draft-ietf-curdle-ssh-kex-sha2-08 marks as "MUST NOT"
> >
> >           Key Exchange Method Name           Reference  Implement
> >           ---------------------------------- ---------- ---------
> >           diffie-hellman-group1-sha1         RFC4253    MUST NOT
> >           diffie-hellman-group-exchange-sha1 RFC4419    MUST NOT
> >           gss-gex-sha1-*                     RFC4462    MUST NOT
> >           gss-group1-sha1-*                  RFC4462    MUST NOT
> >           rsa1024-sha1                       RFC4432    MUST NOT
> >
> > Of these, only diffie-hellman-group1-sha1 is moving from MUST to MUST
> > NOT. Due to 1024-bit Diffie-Hellman being considered by many as having
> > too little security (the same would be true of gss-group1-sha1-*).
>
> I think diffie-hellman-group1-sha1 is the only one where there is any
> real issues, and only because it used to be mandatory. But of course
> there might be others who want to keep some of the others in their
> codebase too...
>
> > What transition period is desirable for taking group1 "MUST" to "SHOULD
> > NOT" to "MUST NOT" ? Is it possible to codify both "SHOULD NOT" and
> > "MUST NOT" time frames into one RFC?
>
> In IPsec we decided that unless algoritm is really broken (i.e., there
> has been demonstration how it can be broken in public) we keep it
> SHOULD NOT. 786-bit Diffie-Hellman got MUST NOT because it was
> considered broken. The another 1024-bit Diffie-Hellman group which was
> generated so that we cannot be sure it is not backdoored, and which is
> not used at all, also got marked as MUST NOT, but the same group
> 1024-bit group we are talking here was left as SHOULD NOT.
>
> I am not familiar enough about the embedded ssh2 implementations to
> know what they really support, and when we can go forward. In most
> cases where we have been trying to guess when things are going away,
> we have been wrong, so I wouldn't even try to do that, and it is
> better to see what happens, and come back later when we see that those
> algorithms are no longer used ever...
> --
> kivinen@iki.fi
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>

v2.23.0 | Report a Bug | By Email