Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.

"Mark D. Baushke" <mdb@juniper.net> Tue, 30 July 2019 22:23 UTC

To: Benjamin Kaduk <kaduk@mit.edu>
CC: draft-ietf-curdle-ssh-curves.all@ietf.org, curdle <curdle@ietf.org>
In-Reply-To: <20190730214702.GS47715@kduck.mit.edu>
References: <CABcZeBM1xaLR2RqYo8_VmO1ue2qr3rn_52MhSDHagKhNF-AYQA@mail.gmail.com> <20190730214702.GS47715@kduck.mit.edu>
Comments: In-reply-to: Benjamin Kaduk <kaduk@mit.edu> message dated "Tue, 30 Jul 2019 16:47:02 -0500."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Tue, 30 Jul 2019 15:23:22 -0700
Message-ID: <31257.1564525402@contrail-ubm16-mdb.svec1.juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/oeVZ0wlmgdBkwQTfRNJ6vD9_l7M>
Subject: Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.

Benjamin Kaduk <kaduk@mit.edu> writes:

> I took over as responsible AD for this draft from Eric, but I don't
> see any response to this second round of review comments.  Luckily there's
> not much left, so hopefully we can get a new rev out quickly and move the
> document forward.

I do owe the AD a response to the comments and a new draft.
I regret that other commitments have prevented me from this.

	-- Mark

> Thanks,
> 
> Ben
> 
> On Mon, Dec 24, 2018 at 02:16:24PM -0800, Eric Rescorla wrote:
> > Thanks for addressing my comments.
> > 
> > IMPORTANT
> > S 3.
> >    
> > >      received public keys are not the expected lengths, or if the
> > >      derived shared secret only consists of zero bits. No further
> > >      validation is required beyond what is discussed in [RFC7748].
> > >      The derived shared secret is 32 bytes when Curve25519 is used
> > >      and 56 bytes when Curve448 is used. The encodings of all
> > >      values are defined in [RFC7748]. The hash used is SHA-256 for
> > >      Curve25519 and SHA-512 for Curve448.
> > 
> > This is true if you use the 7748 algorithm, but not necessarily
> > otherwise.
> > 
> > Here is some OK language (from tcpcrypt)
> > 
> >    Key-agreement schemes ECDHE-Curve25519 and ECDHE-Curve448 perform
> >    the Diffie-Hellman protocol using the functions X25519 and X448,
> >    respectively. Implementations SHOULD compute these functions
> >    using the algorithms described in [RFC7748]. When they do so,
> >    implementations MUST check whether the computed Diffie-Hellman
> >    shared secret is the all-zero value and abort if so, as described
> >    in Section 6 of [RFC7748]. Alternative implementations of these
> >    functions SHOULD abort when either input forces the shared secret
> >    to one of a small set of values, as discussed in Section 7 of
> >    [RFC7748].
> >
> > COMMENTS
> > S 1.
> > >      key exchange protocol described in [RFC4253] supports an extensible
> > >      set of methods.  [RFC5656] describes how elliptic curves are
> > >      integrated in SSH, and this document reuses those protocol messages.
> > >
> > >      This document describes how to implement key exchange based on
> > >      Curve25519 and Ed448-Goldilocks [RFC7748] in SSH.  For Curve25519
> > 
> > 7748 calls this Curve448 and you do so later, so please be consistent.

	-- Mark
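As an added illustration of the all-zero check Eric's quoted tcpcrypt text and RFC 7748 Section 6 call for (example code, not from the draft, the thread, or tcpcrypt): a from-scratch X25519 following the RFC 7748 ladder, plus an SSH-side wrapper, `ssh_curve25519_shared_secret`, that applies the length check and the all-zero check from Section 3 of the draft. Function names and the constructed keys are assumptions.

```python
# Added example: X25519 per RFC 7748 section 5, used only to show why the
# all-zero shared-secret check matters for curve25519-sha256 in SSH.
P = 2**255 - 19            # Curve25519 field prime
A24 = 121665               # (A - 2) / 4 for the curve coefficient A = 486662
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the RFC 7748 generator

def _cswap(swap, a, b):
    # Arithmetic conditional swap from RFC 7748 (no data-dependent branch).
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748; returns the encoded u-coordinate of k*U."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # clamp scalar
    ub = bytearray(u); ub[31] &= 127                               # mask top bit
    scalar, x1 = int.from_bytes(kb, "little"), int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    # A small-order peer point drives z2 to 0 here, and pow(0, P-2, P) == 0,
    # so the function returns the all-zero value that the draft says to reject.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def ssh_curve25519_shared_secret(my_private: bytes, peer_public: bytes) -> bytes:
    """Hypothetical SSH KEX helper: the draft's length and all-zero checks."""
    if len(peer_public) != 32:          # "not the expected lengths" -> abort
        raise ValueError("peer Curve25519 public key is not 32 bytes")
    k = x25519(my_private, peer_public)
    if not any(k):                      # "only consists of zero bits" -> abort
        raise ValueError("all-zero shared secret: peer sent a small-order point")
    return k
```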