Re: [Curdle] Which curves are MUST and SHOULD ?

"Mark D. Baushke" <mdb@juniper.net> Fri, 11 December 2020 07:34 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: Benjamin Kaduk <kaduk@mit.edu>, Rich Salz <rsalz@akamai.com>, Curdle Mailing List <curdle@ietf.org>, Daniel Migault <mglt.ietf@gmail.com>
In-Reply-To: <1607647129866.76532@cs.auckland.ac.nz>
References: <2CCABC30-F757-4659-9FF3-5AADDD51EE30@akamai.com> <4b681efd49274f03c7e0521e127e031426632ad0.camel@redhat.com> <CADZyTkk--kCWqE7q0Xi5C40V92MuZBktDzQGt_vPSZPiBy7v9w@mail.gmail.com> <18479.1606885358@eng-mail01.juniper.net> <20201205194724.GB64351@kduck.mit.edu>, <37691.1607621661@eng-mail01.juniper.net> <1607647129866.76532@cs.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Fri, 11 Dec 2020 00:38:48 +0000."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Thu, 10 Dec 2020 23:33:54 -0800
Message-ID: <2917.1607672034@eng-mail01.juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/oEKPzmILQofAFf1cFFmVqAa4fVM>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Mark D. Baushke <mdb=40juniper.net@dmarc.ietf.org> writes:
> 
> >MAY diffie-hellman-group14-sha1
> >SHOULD NOT diffie-hellman-group-exchange-sha1
> 
> Just wondering why the hardcoded group is MAY but the negotiated, and
> probably more secure, group is SHOULD NOT?

Mostly because diffie-hellman-group14-sha1 is a REQUIRED-to-implement
algorithm per RFC 4253.

This suggests that all implementations of SSH provide the implementation
as they were mandatory-to-implement in the original standard. So, by
suggesting MAY rather than SHOULD NOT, there is wiggle room for a time
to cross over from current implementations to future implementations
with at least one common KeX.

> Is it because lots of legacy stuff will only do the hardcoded group?

RFC 4419 and RFC 8270 provided the diffie-hellman-group-exchange-sha1
and diffie-hellman-group-exchange-sha256 but never specified them as
REQUIRED for an SSH implementation. At best, they are a MAY implement or
possibly they are implicitly a SHOULD given the 38 implementations
described on https://ssh-comparison.quendi.de/comparison/kex.html

It is shown in [TRANS-COLL] that sending the g,p diffie-hellman
parameters to a client that does not know what to expect for those
values with only a SHA1 hash allows for a substitution to potentially be
made for the p value. This implies the group-exchange mechanism may be
weaker when SHA1 is used.

I think I also read elsewhere that in a 6K or higher MODP group, there
was a higher possibility of created SHA1 collisions. However, I am
unable to find that reference at present.

The guidance of this draft suggests that any *-sha1 SHOULD NOT be
implemented and that the formerly REQUIRED and group14 SHA1 hashed
parameters MAY be implemented only as a transitional step.

If we were changing this draft into a BCP, then group1-sha1 would
certainly be a MUST NOT (due to the group1 of 1024-bits of MODP being so
weak) and group14-sha1 would be a SHOULD NOT or a MUST NOT (the former
to allow for legacy key exchanges and the latter based on a desire to
eliminate SHA1 entirely).

If there is consensus, I would be happy to make ALL *-sha1* KeX
algorithms get changed to MUST NOT as well as note that consistent with
RFC 8270, no group exchange MODP group should be less than 2048 bits...
that is instead of just being the recommended size it be the mandatory
minimum size.

That said, I have heard that there is some hardware in the field that is
barely able to do group1-sha1 and does not implement group14-sha1 even
though it is REQUIRED because it would take the very low power CPUs too
long to do a key exchange at all.

I'd like to hear from anyone who has an opinion if this RFC should be
closer to a BCP than just a deprecation of some KeX algorithms.

	Be safe, stay healthy,
	-- Mark

PS: The following is a summary from the current published -12 draft, my
work-in-progress -13 draft assuming it is NOT attempting to be a BCP and
what I suspect should be used if it were to be a leading BCP.

 Key Exchange Method Name             | draft -12  | draft -13  | BCP
 
 curve25519-sha256                    | SHOULD     | SHOULD     | SHOULD
 curve448-sha512                      | MAY        | MAY        | MAY
 diffie-hellman-group-exchange-sha1   | SHOULD NOT | SHOULD NOT | MUST NOT
 diffie-hellman-group-exchange-sha256 | MAY        | MAY        | MAY
 diffie-hellman-group1-sha1           | SHOULD NOT | SHOULD NOT | MUST NOT
 diffie-hellman-group14-sha1          | SHOULD     | MAY        | MUST NOT
 diffie-hellman-group14-sha256        | MUST       | MUST       | MUST
 diffie-hellman-group15-sha512        | MAY        | MAY        | MAY
 diffie-hellman-group16-sha512        | SHOULD     | SHOULD     | SHOULD
 diffie-hellman-group17-sha512        | MAY        | MAY        | MAY
 diffie-hellman-group18-sha512        | MAY        | MAY        | MAY
 ecdh-sha2-*                          | MAY        | MAY        | MAY
 ecdh-sha2-nistp256                   | SHOULD     | SHOULD     | SHOULD
 ecdh-sha2-nistp384                   | SHOULD     | SHOULD     | SHOULD
 ecdh-sha2-nistp521                   | SHOULD     | SHOULD     | SHOULD
 ecmqv-sha2                           | MAY        | MAY        | MAY
 ext-info-c                           | SHOULD     | SHOULD     | MUST
 ext-info-s                           | SHOULD     | SHOULD     | MUST
 gss-*                                | MAY        | MAY        | MAY
 gss-curve25519-sha256-*              | SHOULD     | SHOULD     | SHOULD
 gss-curve448-sha512-*                | MAY        | MAY        | MAY
 gss-gex-sha1-*                       | SHOULD NOT | SHOULD NOT | MUST NOT
 gss-group1-sha1-*                    | SHOULD NOT | SHOULD NOT | MUST NOT
 gss-group14-sha256-*                 | SHOULD     | SHOULD     | MUST
 gss-group15-sha512-*                 | MAY        | MAY        | MAY
 gss-group16-sha512-*                 | SHOULD     | SHOULD     | SHOULD
 gss-group17-sha512-*                 | MAY        | MAY        | MAY
 gss-group18-sha512-*                 | MAY        | MAY        | MAY
 gss-nistp256-sha256-*                | SHOULD     | SHOULD     | SHOULD
 gss-nistp384-sha384-*                | SHOULD     | SHOULD     | SHOULD
 gss-nistp521-sha512-*                | MAY        | SHOULD     | SHOULD
 rsa1024-sha1                         | MUST NOT   | MUST NOT   | MUST NOT
 rsa2048-sha256                       | MAY        | MAY        | MAY
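An added example, not part of Mark's message or of the draft itself: a small checker that scores an SSH KEXINIT kex_algorithms name-list against the "draft -13" column of the table above (a subset of the rows is embedded), treating the `*` rows as wildcards that apply only when no exact row matches. The sample name-list and the `-toto` GSS suffixes are constructed.

```python
import fnmatch

# Requirement levels copied from the "draft -13" column of the table above
# (subset of rows). Added example, not code from the post or the draft.
DRAFT13 = {
    "curve25519-sha256": "SHOULD",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "MAY",
    "diffie-hellman-group14-sha256": "MUST",
    "diffie-hellman-group16-sha512": "SHOULD",
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD",
    "ecdh-sha2-*": "MAY",
    "ext-info-c": "SHOULD",
    "ext-info-s": "SHOULD",
    "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT",
    "gss-*": "MAY",
    "rsa1024-sha1": "MUST NOT",
}


def level_for(name):
    """Exact row wins; otherwise the longest (most specific) wildcard row."""
    if name in DRAFT13:
        return DRAFT13[name]
    wild = [p for p in DRAFT13
            if "*" in p and fnmatch.fnmatchcase(name, p)]
    if not wild:
        return "UNKNOWN"
    return DRAFT13[max(wild, key=len)]


def audit_kex_list(kex_name_list):
    """Audit an RFC 4253 comma-separated kex_algorithms name-list.
    Returns (deprecated, missing_must): offered names rated SHOULD NOT or
    MUST NOT, in offered order, and MUST names that are not offered at all."""
    offered = [n for n in kex_name_list.split(",") if n]
    deprecated = [(n, level_for(n)) for n in offered
                  if level_for(n) in ("SHOULD NOT", "MUST NOT")]
    musts = {n for n, lvl in DRAFT13.items() if lvl == "MUST"}
    return deprecated, sorted(musts - set(offered))


# Constructed sample: a legacy-looking name-list, most preferred first.
SAMPLE = ("diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
          "diffie-hellman-group1-sha1,ecdh-sha2-nistp256,gss-gex-sha1-toto")
```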