Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

Tero Kivinen <kivinen@iki.fi> Thu, 26 November 2020 20:21 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D91483A0B6B for <curdle@ietfa.amsl.com>; Thu, 26 Nov 2020 12:21:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1n6OlsFMbmW for <curdle@ietfa.amsl.com>; Thu, 26 Nov 2020 12:21:33 -0800 (PST)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36BFC3A0B18 for <curdle@ietf.org>; Thu, 26 Nov 2020 12:21:32 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 58B0C1B00090; Thu, 26 Nov 2020 22:21:29 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1606422089; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lJmxihoGDgWVMDcrB0UIaD2GPVjv3ahH65F32otY6rE=; b=PYi9dRlBjGEyY4HOP9yJs8nclMul2RW8zhMtfhfm8G2f7KLZCvr8UuDILf4T/xZEtXvspt dRHzPiujkrmnaXsLvcOWPsN+7g/TEtYHOSQi/KFlYDCj+YMtYhq+6F7IgQqto1dkQIzNj9 4SlZdAvFeaPBmUpIzEdzPqrSVGM4HmaBhI+9oPh1Iu8yMpERIsFR8w3hcHyetqJ8TEteSI zMDpKwEhR52CnNbBrVuXa4/0yXrhX1BC1TBUHP7ai2MunQ8ATj78L2WEd1c1KuN91BNiM8 j/S9XspAYwENFh3f3ivx6cSNs7ibkUtbKTttlt7SM2LFNQw9eK9c9Xy99MOxCQ==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 2AA1D25C0E2C; Thu, 26 Nov 2020 22:21:28 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <24512.3656.123894.418218@fireball.acr.fi>
Date: Thu, 26 Nov 2020 22:21:28 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Hubert Kario <hkario@redhat.com>
Cc: <curdle@ietf.org>
In-Reply-To: <afea8fb0-82e2-46e9-b2cc-4dca4038b630@redhat.com>
References: <25423.1596646626@eng-mail01.juniper.net> <SA0PR15MB37917F0E55D801609AF23EB0E34B0@SA0PR15MB3791.namprd15.prod.outlook.com> <20200807052623.GM92412@kduck.mit.edu> <71619.1606168457@eng-mail01.juniper.net> <7107b6ac-0e6c-419d-96ac-d0a53b65ee5b@redhat.com> <24511.57685.169815.673441@fireball.acr.fi> <afea8fb0-82e2-46e9-b2cc-4dca4038b630@redhat.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 13 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1606422089; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lJmxihoGDgWVMDcrB0UIaD2GPVjv3ahH65F32otY6rE=; b=ajHyBG3RsYXVaFbIkrrWZK1FmL4nRB3w3SyDyNUqdgkpWfYIvgkHLGRrj5MBFso7bsneN3 buH//nlWFfomRNvmm+XpD+lIFUQ2iIrWM73FbHSJSmWoDGaOBWiOIxnkVBiM+qerDGy9B9 9BMCApFcCk6GeLBwk+GGu9cxipJ8YsfKDEI0zHYNPGu4b4mSbFwuBQVoz1V9rkBSsc4Xs2 pLFsxw6rFOqBMJohn4hwgwYr8mFGYqtsqnhedQhh9l+JKtrNozeYkxP+6sUW1bjLf318E4 eRnch6hOOt3K/n+kD7MBGg87Pdqn2gjoi6819TAWEArzB8d8s3ulRoV/mYZQjQ==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1606422089; a=rsa-sha256; cv=none; b=wKDFhnN7ThN/Z6ZVXj1eJwhyWYf/e2QDAKc62p3ChKRju6pIks9JNIAnZLs8xfI7B6BO8c cNff0YHby+/a0+jM2HoSMDUJQHJq8+v2Xjj7tEUOycWYVmvAZLNXKCCjQUtblwk+pmPgir C1BBh1YrRsPZSdbRa8sJFJzD5ZTzoWAUD0srkv1FFCWGPRzhrZ0GMsjwlpMhGKXxp2YP7I AdXAUTSoQwTNza4xJkS38ovW5za2tYSk630x1cByRFZg5ygRyflN+eo7EwbdpK9FUHLh+v +X/Ci/w5JYMvQxCSQG9PN/f2KfX16URRNuacrIEFM8x4RtBLcYXa4PwCqELKww==
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/o5ws_CLd2fQs009SjFnkiogknMo>
Subject: Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2020 20:21:36 -0000

Hubert Kario writes:
> On Thursday, 26 November 2020 18:09:41 CET, Tero Kivinen wrote:
> > Hubert Kario writes:
> >>> The diffie-hellman-group14-sha1 exchange was a mandatory to implement
> >>> MUST and is now a SHOULD. Similarly for gss-group1-sha1-*
> >> 
> >> no, I think it should be SHOULD NOT, the sha-1 disqualifies it
> >
> > If I remember right about ssh key exchange, it does not rely on the
> > collision resistance at all, it relies on the 2nd preimage resistance,
> 
> I don't think this is the case:
> https://hal.inria.fr/hal-01244855/document

>From that paper:
----------------------------------------------------------------------
	In this attack, the MitM does not tamper
	with the Diffie-Hellman values and hence it does not
	know the connection keys. However, it manages to
	tamper with both Ic and Is , and can therefore down-
	grade the negotiate ciphersuite to a weak cryptographic
	algorithm that the attacker knows how to break.
----------------------------------------------------------------------

So simple answer, do not allow weak ciphers in your policy, as
attacker might do really hard attack to force you to use them:

----------------------------------------------------------------------
	Implementing the target collision for SSH-2 requires
	a chosen-prefix attack on SHA-1 which is still consid-
	ered impractical (at least 2^77 work). Moreover, since the
	two tampered fields Ic and Is are meant to be strings
	(not bitstrings), we cannot use arbitrary collisions. Still,
	we find this attack to be an interesting illustration of
	the use of transcipt collisions for downgrade attacks.
-- 
kivinen@iki.fi