Re: [Curdle] Martin Duke's No Objection on draft-ietf-curdle-ssh-kex-sha2-19: (with COMMENT)
"Mark Baushke (ietf)" <mbaushke@gmail.com> Sat, 17 July 2021 13:43 UTC
Return-Path: <mbaushke@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB5703A1034; Sat, 17 Jul 2021 06:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gXnfsXHOn5uQ; Sat, 17 Jul 2021 06:43:39 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 704BD3A1031; Sat, 17 Jul 2021 06:43:23 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id k11so14091779ioa.5; Sat, 17 Jul 2021 06:43:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tFfWmMmNvJz4z1EPIU4SYODJW3x6zc3XLWxBsVSeLlo=; b=Z+m2rWd1jx3HGsC2oZkFZZD0Q635RWz6Osm+mJ7mlQO/4X2XnQJuhA3YVXRTiZ52s1 G6BOLHfT+R1cLPraJejhq3X64d8YXiAwN5CZCxyuiS/4HAcOUYjQLjGSkUQJuDujdva2 yB4zUHRnwDUcqkifDc5wceKq3kw4QDKNwEs2+QRYI8ImcF7WFDs8vlErsGeKLqxJoGHt QuJjZ4NfjG8SR+0j5daOVXnYHAk3NZesG3wH39XLdYVI5u/r7dmxw7KwDuJUWZ896CdJ ZocDXd8pYEuWZC+75PH1f35PSaR+UijIVbyhDx0t7iTVdcqL3oHd9mkQvx0V9Ig2K4O5 soYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tFfWmMmNvJz4z1EPIU4SYODJW3x6zc3XLWxBsVSeLlo=; b=pk2RmkzhLRDrQfZTJ/U4LXe2fJEQayInH6yIu4FprOx4EDQ+uYDHSQAOgAfYPmQ3bA mwo10ZhvrMl+gQl1/WCNo4DB210vt8G44+mzuTENCM6ztjrcy9SZyRB1qMhD9LAj/Rt9 CIFHCg371NOS2bkLnHeMfWUqvgACMu8d6t7VUp4y5iwfOPYXrnREDLJLiIVoWH7mC4uJ ZlCVFmn2fOxEu4lYhUMdXBb0FZY/muNze5+aUn3ihCF2rNixg5gKRjIRrWBzkM7fN33L AfiX5DuK8Pz/A1oNFHtLs9DFjlixiQ5J2TJIStJicQgoQtMY0Rh+jby9fzT/zGq1XvU+ 3Qvg==
X-Gm-Message-State: AOAM530UsxaDCgh2gdxILjfqWX7YWl/WNvlh/g/pH/U9tNqeCmTtKBbB sO+gkBNlw3IjS0qI4g4E3Yc=
X-Google-Smtp-Source: ABdhPJxJidfLghqWIjayaY6pYusQefx5eNkK5jVusUzpiT7USrDLR74s+fZtzjDq069ObBRHAvtiXw==
X-Received: by 2002:a05:6638:c4a:: with SMTP id g10mr13314423jal.21.1626529400628; Sat, 17 Jul 2021 06:43:20 -0700 (PDT)
Received: from smtpclient.apple ([2601:249:447e:a900:cdff:1442:425:bd8c]) by smtp.gmail.com with ESMTPSA id z24sm1022696iog.46.2021.07.17.06.43.19 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 17 Jul 2021 06:43:19 -0700 (PDT)
From: "Mark Baushke (ietf)" <mbaushke@gmail.com>
X-Google-Original-From: "Mark Baushke (ietf)" <mbaushke+ietf@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
In-Reply-To: <162559729948.22061.17056492277505762376@ietfa.amsl.com>
Date: Sat, 17 Jul 2021 06:43:19 -0700
Cc: draft-ietf-curdle-ssh-kex-sha2@ietf.org, curdle-chairs@ietf.org, curdle@ietf.org, Daniel Migault <mglt.ietf@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <34EAEB90-4DFF-4BC1-8468-1A8769761710@gmail.com>
References: <162559729948.22061.17056492277505762376@ietfa.amsl.com>
To: Martin Duke <martin.h.duke@gmail.com>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/lEsdKOiKl2Ucx2IzECB2s4xYIs8>
Subject: Re: [Curdle] Martin Duke's No Objection on draft-ietf-curdle-ssh-kex-sha2-19: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2021 13:43:44 -0000
Hi Martin, Comment in-line below. > On Jul 6, 2021, at 11:48 AM, Martin Duke via Datatracker <noreply@ietf.org> wrote: > > Martin Duke has entered the following ballot position for > draft-ietf-curdle-ssh-kex-sha2-19: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Two nits: > > (1.1) this is optional, but > > s/man in the middle/on-path attacker Agreed. > > Or other suitable synonym > > (3.1.1) and (3.1.2) I cannot parse the sentences with the phrase "is a > reasonable hash...", e.g. > > SHA2-256 is a reasonable hash in both the KDF and integrity in both gss and > non-gss uses of curve25519 key exchange methods. > > Can you reword? Benjamin Kaduk already answered your question, but I do not know if it was satisfying or if the document should be updated. I could add the following paragraph to section 3.1. RFC4253 section 7.2 "Output of Key Exchange" defines generation of a shared secret K (really the output of the KDF) and an exchange key hash H. Each key exchange method uses a specified HASH function which must be the same for both key exchange and Key Derivation. H is used for key exchange integrity across the SSH session as it is computed only once. It is noted at the end of the 7.2 section that "This process will lose entropy if the amount of entropy in K is larger than the internal state size of HASH." so care must be taken that the hashing algorithm used is well chosen ("reasonable") for the key exchange algorithms being used. Please let me know if adding something like that will improve what 3.1.1 and 3.1.2 are trying to say. Be safe, stay healthy -- Mark
- [Curdle] Martin Duke's No Objection on draft-ietf… Martin Duke via Datatracker
- Re: [Curdle] Martin Duke's No Objection on draft-… Benjamin Kaduk
- Re: [Curdle] Martin Duke's No Objection on draft-… mbaushke ietf
- Re: [Curdle] Martin Duke's No Objection on draft-… Mark Baushke (ietf)
- Re: [Curdle] Martin Duke's No Objection on draft-… Martin Duke
- Re: [Curdle] Martin Duke's No Objection on draft-… Mark Baushke
- Re: [Curdle] Martin Duke's No Objection on draft-… Martin Duke