Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
Simo Sorce <simo@redhat.com> Tue, 10 April 2018 12:04 UTC
Return-Path: <simo@redhat.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC56126D74 for <curdle@ietfa.amsl.com>; Tue, 10 Apr 2018 05:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.89
X-Spam-Level:
X-Spam-Status: No, score=-6.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lx8eLGPTBe2G for <curdle@ietfa.amsl.com>; Tue, 10 Apr 2018 05:04:40 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639C4126D05 for <curdle@ietf.org>; Tue, 10 Apr 2018 05:04:40 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8AE7DC08EC2F; Tue, 10 Apr 2018 12:04:39 +0000 (UTC)
Received: from ovpn-116-135.phx2.redhat.com (ovpn-116-135.phx2.redhat.com [10.3.116.135]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D898688B33; Tue, 10 Apr 2018 12:04:38 +0000 (UTC)
Message-ID: <1523361875.10955.15.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, draft-ietf-curdle-gss-keyex-sha2@tools.ietf.org, curdle <curdle@ietf.org>
Date: Tue, 10 Apr 2018 08:04:35 -0400
In-Reply-To: <CADPMZDDrqhH4U9=omaB98j-2VQys_ybwG+Hy1L194GMqTJ04Zw@mail.gmail.com>
References: <CABcZeBNCUSpGihHz6bPBSALS4-34Tm7W36BCZ_Ev8OQz3KtVag@mail.gmail.com> <1523302318.10955.2.camel@redhat.com> <CADPMZDDrqhH4U9=omaB98j-2VQys_ybwG+Hy1L194GMqTJ04Zw@mail.gmail.com>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Tue, 10 Apr 2018 12:04:39 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/lF2Tmf50GPtmfPhVpZKUv6qcW3U>
Subject: Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 12:04:43 -0000
On Tue, 2018-04-10 at 03:02 -0500, denis bider wrote: > > Krb5 which is de facto the only used GSSAPI mechanism for > > SHH GSS Key exchanges. > > Just a side note: "de facto" are key words there. In practice Kerberos is > the most widely supported GSSAPI mechanism used in SSH. However, GSSAPI key > exchange works equally well with other mechanisms. For example, I believe > we've had someone (either on this list, or on the mostly-zombie SSH list) > mention that they use GSSAPI with X.509 (possibly?) as well as other > mechanisms. Yes, there are other mechanisms, but the warning applies to the Krb5 mechanism explicitly. Simo. > > On Mon, Apr 9, 2018 at 2:31 PM, Simo Sorce <simo@redhat.com> wrote: > > > Chiming in as one of the Authors, sorry for not responding earlier, I've > > bene > > busy and I will follow up with more answers later on as I ge tmore time to > > address them. > > > > On Fri, 2018-04-06 at 16:24 -0700, Eric Rescorla wrote: > > > Rich version of this review at: > > > https://mozphab-ietf.devsvcdev.mozaws.net/D4544 > > > > > > This document has a huge amount of duplicated material which makes it > > > very hard to read. Please refactor so that the common material is in > > > one place. > > > > In general we strived to maintain the same structure as the docuemnt we are > > extending. This is why some sections seem repetitive. They are but they > > also > > are consistent with the previous document. We think this is more beneficial > > than trying to be more synthetic. > > > > > > > > > > > > > > COMMENTS > > > > Due to security concerns with SHA-1 [RFC6194] and with MODP groups > > > > with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use > > > > of > > > > the SHA-2 based hashes with DH group14, group15, group16, group17 > > > > and > > > > group18 [RFC3526]. Additionally we add support for key exchange > > > > based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and > > > > P-521 as well as X25519 and X448 curves. Following the rationale > > > > of > > > > > > "the X25519..." > > > > Does this imply it should also be "the NIST P-256, ..." ? > > > > > > > > > +--------------------------+--------------------------------+ > > > > | Key Exchange Method Name | Implementation Recommendations | > > > > +--------------------------+--------------------------------+ > > > > | gss-group14-sha256-* | SHOULD/RECOMMENDED | > > > > | gss-group15-sha512-* | MAY/OPTIONAL | > > > > | gss-group16-sha512-* | SHOULD/RECOMMENDED | > > > > > > Why are you only specifying SHA-512 with 4096-bit groups. SHA-256 is > > > still reasonable at that size? > > > > I thik this has been sactisfactorily discussed later in the thread. > > > > > > > > > > > > > Each of these methods specifies GSS-API-authenticated > > > > Diffie-Hellman > > > > key exchange as described in Section 2.1 of [RFC4462] with > > > > SHA-256 > > > > as HASH, and the group defined in Section 8.2 of [RFC4253] The > > > > method > > > > name for each method is the concatenation of the string "gss- > > > > group14-sha256-" with the Base64 encoding of the MD5 hash > > > > [RFC1321] > > > > > > Why is this MD5? Is there some legacy reason for this? It's not > > > necessarily bad but it's odd to modern eyes. > > > > Also discussed later, this is just an identifier, and we a re just being > > consistent with previous naming which can be hardcoded, no need to > > implement > > MD5. > > > > > > > > > Each of these methods specifies GSS-API-authenticated > > > > Diffie-Hellman > > > > key exchange as described in Section 2.1 of [RFC4462] with > > > > SHA-512 > > > > as HASH, and the group defined in Section 7 of [RFC3526] The > > > > method > > > > name for each method is the concatenation of the string "gss- > > > > group18-sha512-" with the Base64 encoding of the MD5 hash of the > > > > ASN.1 DER encoding of the underlying GSS-API mechanism's OID. > > > > > > These all seem to be boilerplate. is there a way to refactor into a > > > single paragraph with a table that describes the substitutions? > > > > See my explanantion above. > > > > > > > > > ASN.1 DER encoding of the underlying GSS-API mechanism's OID. > > > > > > > > 5. New Elliptic Curve Diffie-Hellman Key Exchange methods > > > > > > > > In [RFC5656] new SSH key exchange algorithms based on Elliptic > > > > Curve > > > > Cryptography are introduced. We reuse much of section 4 to > > > > implement > > > > > > s/implement/define/ > > > > > > > > > > This section defers to [RFC7546] as the source of information on > > > > GSS- > > > > API context establishment operations, Section 3 being the most > > > > relevant. All Security Considerations described in [RFC7546] > > > > apply > > > > here too. > > > > > > > > The Client: > > > > > > This section should be refactored to put all the EC mechanics (which > > > are symmetrical) in one place. > > > > Is there a reason? We wanted to give implementers a clear linear > > explanation > > without having to jump back and forth to reference what is happening at any > > given point. > > > > > > > > > and then y coordinate. The coordinate coversion MUST > > > > preserve > > > > leading zero octets. Thus for nistp521 curve the encoded x > > > > coordinate will always have a length of 66 octets while the > > > > Q_C > > > > representation will be 133 octets long. This is the > > > > uncompressed representation specified in Section 4.3.6 of > > > > [ANSI-X9-62-2005]. > > > > > > I have two questions about this: 1. Why are you specifying the > > > detailed computation of the public key? This seems like you could > > > defer it to another spec. > > > > I think this is because we did not have any good normative reference, but > > I'll > > let Hubert chime in. > > > > > 2. Why are you specifying uncompressed > > > representations for NIST curves? > > > > I may be wrong but some compression algorithms have had IPR issues, so > > this may > > derive from a willingness to avoid those, I'll let Hubert chime in here > > too. > > > > > We did this in TLS because people > > > already supported them, but in general they are worse. Is there a > > > reason here? > > > > > > > > > > by 31 zero octets for curve255519 and as an octect of value > > > > 0x05 followed by 55 zero octets. > > > > > > > > Calculating Q_C as the result of the call to X25519 or X448 > > > > function, respectively for curve25519 and curve448 key > > > > exchange, with parameters d_C and g. > > > > > > This material all seems to be in RFC 7748 S 6.1 and 6.2. > > > > I think we wanted it explicitly here, to avoid too much referencing and > > risk of > > errors, but I guess we can reference if you feel strongly about this. > > > > > > > > > > For NIST curves, the server verifies that the q_C is not a > > > > point > > > > at infinity, that both coordinates are in the interval [0, p - > > > > 1], > > > > where p is the prime associated with the curve of the selected > > > > key > > > > exchange and that the point lies on the curve (satisfies the > > > > curve > > > > equation). > > > > > > You should probably cite to the X9.62 or SP-800 for this procedure. > > > > > > > > > > For curve25519, the server verifies that the the high-order > > > > bit of > > > > the last octet is not set - this prevents distinguishing > > > > attacks > > > > between implementations that use Montgomery ladder > > > > implementation > > > > of the curve and ones that use generic elliptic-curve > > > > libraries. > > > > If the bit is set, the key exchange SHOULD fail. For curve448 > > > > any > > > > bit can be set. > > > > > > I'm not following what this is supposed to do. If you are worried > > > about this, why don't you just mask off the top bit. > > > > > > > > > > For NIST curves, the peers perform point multiplication > > > > using > > > > d_U and q_V to get point P. > > > > > > > > For NIST curves, peers verify that P is not a point at > > > > infinity. If P is a point at infinity, the key exchange > > > > MUST > > > > fail. > > > > > > Why is this text here? It describes the client's behavior. > > > > > > > > > > and q_V. The result of the function is the shared secret. > > > > > > > > For curve25519 and curve448, if all the octets of the shared > > > > secret are zero octets, the key exchange MUST fail. > > > > > > > > H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). > > > > > > This kind of just comes out of nowhere. You probably want some > > > prefatory text. > > > > > > > > > > > > > > 7. C verifies that the key Q_S is valid the same way it is done > > > > in > > > > step 3. If the key is not valid the key exchange MUST fail. > > > > > > > > 8. C computes the shared secret K and H and verifies that it is > > > > valid the same way it is done in step 5. It then calls > > > > > > This check only applies to CFRG curves. > > > > > > > > > > string server public host key and certificates (K_S) > > > > > > > > Since this key exchange method does not require the host key to be > > > > used for any encryption operations, this message is OPTIONAL. If > > > > the > > > > "null" host key algorithm described in Section 5 of [RFC4462] is > > > > used, this message MUST NOT be sent. > > > > > > I am assuming in this situation there is some other form of > > > authentication? > > > > As explained elswhere, GSS key exchange assumes GSSAPI authentication. > > > > > > > > > string I_C, payload of the client's SSH_MSG_KEXINIT > > > > string I_S, payload of the server's SSH_MSG_KEXINIT > > > > string K_S, server's public host key > > > > string Q_C, client's ephemeral public key octet string > > > > string Q_S, server's ephemeral public key octet string > > > > mpint K, shared secret > > > > > > The actual equation is way up above this in the document, which is > > > presumably not great. > > > > > > > > > > Each key exchange method is implicitly registered by this > > > > document. > > > > The IESG is considered to be the owner of all these key exchange > > > > methods; this does NOT imply that the IESG is considered to be the > > > > owner of the underlying GSS-API mechanism. > > > > > > > > 5.2.1. gss-nistp256-sha256-* > > > > > > Again, can you refactor this section so it's not so duplicative. > > > > > > > > > > the target the user intended. Some mechanisms implementations > > > > (like > > > > commonly used krb5 libraries) may use insecure DNS resolution to > > > > canonicalize the target name; in these cases spoofing a DNS > > > > response > > > > that points to an attacker-controlled machine may results in the > > > > user > > > > silently delegating credentials to the attacker, who can then > > > > impersonate the user at will. > > > > > > Is this something new in this document? > > > > No, we just thought important to note, as it was missing in the original > > document but it is a know factor to be aware of when dealing with Krb5 > > which is > > de facto the only used GSSAPI mechanism for SHH GSS Key exchanges. > > > > Simo. > > > > -- > > Simo Sorce > > Sr. Principal Software Engineer > > Red Hat, Inc > > > > _______________________________________________ > > Curdle mailing list > > Curdle@ietf.org > > https://www.ietf.org/mailman/listinfo/curdle > > -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- [Curdle] AD Review of draft-ietf-curdle-gss-keyex… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Russ Housley
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Benjamin Kaduk
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark D. Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Daniel Migault
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce