IETF Logo Mail Archive

Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 16 September 2017 01:03 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 999131323B4; Fri, 15 Sep 2017 18:03:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ILdxvmG355tS; Fri, 15 Sep 2017 18:03:15 -0700 (PDT)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A76B4126B71; Fri, 15 Sep 2017 18:03:15 -0700 (PDT)
Received: by mail-qt0-x22b.google.com with SMTP id i13so3593146qtc.11; Fri, 15 Sep 2017 18:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jzD3TjFA5+wvIfdt6P/6oXQDJOdNJsUztl4ANLZEpeQ=; b=Sl6syIaTFcFFJ8+36Gag3t8gp8KUXk14xXiHbaiSmU3XG5UREoF/YK3fzoMPopQKIw owmDZvPpz8ZG9Cnp8qPJJPL8AdupK/7Y+OF3gx+zH7uG6l2VuBZ4e1MDfEK7W/zwdUK5 yH//Z/vNXOLzIF7FRyjqbklyID7Ri382jjZnf0oooA7uqkq2Y4sRkH21+xx/IwrltGxL MlNQkM+orhehS8alTAvFhuzYUMiu7wVqAd97mE3efrIg7tvTwgAg8LbGDU/63I2gqRKU auk8Oaznnh95TtYM0jLTQ2jRYpbY0WPqHURT2pBuF6m3nm4Iz6rVxIlAo0wsY3NGxUQF z70Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jzD3TjFA5+wvIfdt6P/6oXQDJOdNJsUztl4ANLZEpeQ=; b=ZYlmObjwpXif5O8tYqI1FJTc+1rFptmDD/WymaEjIqlsZowLGfp6ojx8XmaFEbsajC DQeTH+XhEv2y3rZ73/Rx/Pw9d4LWf8Q6K713H1D2tZKoRNpdXUWiu0PrNRxrQmd1d5gH rAlBN9LyMmoYoZbF9uSN/2kfEPRiyxAtMGNMzZwi9m6GugHvhVkVWe1wQ/kfmBbJYPrw R2rtLn8af1m45EI0TrC4hf/2EyGVXkOT67kMC66X4pNxZ6AjkrDcjsFvBT2ZjKqF3s6c +54FV89IDhu4ZoZY+zAtHQM2EzBXhCC7JRs85r6WDw/8kzQsu9NHIGL0LczyCuEs9S5/ Alyg==
X-Gm-Message-State: AHPjjUhoGsuOKavPkayVblJ9JLy+DUvLtk3JVTKOFvVlyu+W37kr0ALB zDTarAdvFcQHs8UYGkY=
X-Google-Smtp-Source: AOwi7QCWf+SEj/qAkPGK2gHXn5b4AMJ1VgwPH1KvLtLWK/5iejR2AtROazEEtk03yXv/a/oFVnvh6g==
X-Received: by 10.237.42.79 with SMTP id k15mr38424421qtf.222.1505523794587; Fri, 15 Sep 2017 18:03:14 -0700 (PDT)
Received: from [192.168.1.6] (209-6-124-204.s3530.c3-0.arl-ubr1.sbo-arl.ma.cable.rcncustomer.com. [209.6.124.204]) by smtp.gmail.com with ESMTPSA id i84sm1483626qkh.17.2017.09.15.18.03.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 Sep 2017 18:03:13 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-296DF410-C223-4BA5-9F78-27D1B9CD2D59"
Mime-Version: 1.0 (1.0)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: iPhone Mail (14F89)
In-Reply-To: <CAKKJt-d0qCZO8kwgwn2QRKC4xScuJLVPQLBxqHW96zYy9y6YSg@mail.gmail.com>
Date: Fri, 15 Sep 2017 21:03:12 -0400
Cc: "Mark D. Baushke" <mdb@juniper.net>, "Salz, Rich" <rsalz@akamai.com>, Loganaden Velvindron <logan@hackers.mu>, draft-ietf-curdle-ssh-dh-group-exchange <draft-ietf-curdle-ssh-dh-group-exchange@ietf.org>, curdle <curdle@ietf.org>, curdle <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>
Content-Transfer-Encoding: 7bit
Message-Id: <D0124A32-1977-426C-87C0-756C2FF807B7@gmail.com>
References: <CAHbuEH7O=v2k7UWH-nw-+G80oW7q-pK=F7vxB91BfLRuGsXCJw@mail.gmail.com> <CAKKJt-d0qCZO8kwgwn2QRKC4xScuJLVPQLBxqHW96zYy9y6YSg@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/qNDiw6gDc6LSa6RUrtvEeiFeEvA>
Subject: Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Sep 2017 01:03:19 -0000

Hi,

Sent from my iPhone

> On Sep 15, 2017, at 6:05 PM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
> 
> Speaking as someone whose primary connection to crypto is transporting bytes whether the transport protocol can understand them or not ...
> 
>> On Fri, Sep 15, 2017 at 3:41 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> Hi Mark,
>> 
>> On Fri, Sep 15, 2017 at 3:59 PM, Mark D. Baushke <mdb@juniper.net> wrote:
>> > Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes:
>> >
>> >> Mark,
>> >>
>> >> Thanks for your detailed response, I appreciate it.  Inline.
>> >
>> > Trimmed response, likewise inline.
>> >
>> >> On Fri, Sep 15, 2017 at 2:25 PM, Mark D. Baushke <mdb@juniper.net> wrote:
>> >> > Salz, Rich <rsalz@akamai.com> writes:
>> >> >
>> >> Embedded equipment is a tough problem.
>> >
>> > Yes.
>> >
>> >> So for this, your worried about new purchases.
>> >
>> >> If it's already purchased, then we are talking an audit issue and
>> >> possibly not having funds to buy some million dollar piece of
>> >> equipment that happens to support less than 2048.
>> >
>> > Well, one hopes that with a million dollar piece of equipment, there is
>> > a support cotract and a way to update the software in that box.
>> 
>> One would think, but that's a real example and nothing could be done.
>> It's not uncommon either.
>> 
>> >
>> > I was more concerned with needing to sell software to manage thousands
>> > of very low price embedded devices and still be able to inter-operate
>> > between the management station and the devices.
>> >
>> > For example, a conformant implementation that MUST use 2048 bit keys,
>> > but needs to talk to a device only able to use 1024 bit keys has a
>> > problem. Likewise if the embedded devices only support
>> > diffie-hellman-group1-sha1 as they were two small and slow to manage
>> > with diffie-hellman-group14-sha1 when deployed as a read-only device.
>> >
>> > Does my management station get to talk to those old devices when MUST is
>> > present and exact conformance to the specification is mandated?
>> 
>> OK, thanks for providing that example, it's helpful and I see your
>> point better now.
>> 
>> >
>> >> Hmm, in the past, I've done thing to mitigate threats like isolating
>> >> such hosts when the threat warranted measures. I see your point, I'm
>> >> just trying to walk through real instances of issues to make sure we
>> >> are considering options well.
>> >
>> > Yes, and I really appreciate that we are getting this into the archive.
>> >
>> >> > For draft-ietf-curdle-ssh-dh-group-exchange, RFC4419 does not use the
>> >> > word "MUST" for the current 1024 bit value. So, in this case, just
>> >> > updating a SHOULD from a SHOULD seems reasonable to me. If it were a
>> >> > MUST, then I would probably advocate for SHOULD NOT as the step down.
>> >> >
>> >> > For example, I would have no objection to adding text which says that
>> >> > the min value in the SSH_MSG_KEY_DH_GEX_REQUEST SHOULD NOT be less than
>> >> > 2048.
>> >> >
>> >> > fwiw: I also suspect that 2048 will not survive more than another couple
>> >> > of years and would not mind saying that "n SHOULD be 3072 or greater". I
>> >> > do not believe that view is accepted by everyone, so 2048 bits is what
>> >> > is in place for now.
>> >>
>> >> Hmm, than it would be good to make a note of this so those who are
>> >> replacing embedded equipment make the leap to a higher value than
>> >> 2048.  This can be in the non normative text.
> 
> I've had a comment with someone within the last 24 hours about whether having text that says, roughly, if you're using less than 2048 bits and can't go higher, you should probably expect that if this does become a MUST, that might happen very suddenly ("attack + CERT advisory + vendors who can go higher turning off anything lower than 2048 = you can only talk to people who can't do 2048, and they're all vulnerable to a known exploit" is a layperson's understanding, but I hope that's not too muddy to make sense).

I wish, but until it's phased out, some hosts will have no choice but to talk to hosts at 1024.  That's why I'm poking at this a bit, how much can we improve things deployed/being deployed.

> 
> If that was a decent idea, and "you might want to be adding 3072 if you can't do it now" is a good idea, this is turning into an advisory section, and I like that, even if you don't have consensus for normative statements now.
> 
> Is that going to make things better? (I'm assuming it won't make them perfect)

How about something along the lines of (please tweak, this is off the cuff):

It's recommended that you implement no less than 3072 bits in new deployments with the expectation of a minimum of 3072 bits within a few years.  It's understood that devices will be deployed for many years and implementing to the bare minimum recommended value is not advised.

Thank you & at the end of the day, I balloted yes but hope that we provide good guidance for implementors.

Best regards,
Kathleen 
> 
> Spencer
>  
>> >
>> > So, using words like 'desirable' rather than recommended or should?
>> > I guess that might be a way to approach it for this particular draft.
>> >
>> > I am less certain how to deal with the more general issue of algorithm
>> > deprecation in the security area. Guessing wrong can be very expensive.
>> >
>> >> There are a few published RFCs (I think some CMS RFCs) that took on a
>> >> notion of SHOULD - and SHOULD + as well as MUST + MUST -.  I see the
>> >> JOSE algorithms RFC also uses recommended + and recommended -.  The
>> >> minus shows that although this is kinda okay now, it really isn't
>> >> recommended and shouldn't be in new products.
>> >
>> > Yes, I had used that in early drafts of draft-ietf-curdle-ssh-kex-sha2
>> > and eventually removed it due to comments not liking it.
>> 
>> Hmm, I still see a table with the SHOULD, MUST, etc. listed out for
>> that draft?  I don't see the use of SHOULD +/-, MUST +/- and think it
>> might help in cases like this draft where you have mushy guidance.
>> 
>> I still think some warning that 2048 as the minimum recommendation may
>> change to 3072 or greater in a couple of years should be in a non
>> normative statement for developers to plan ahead as a minimum.
>> 
>> >
>> >> Do you think that approach could help to allow some flexibility, but
>> >> also show 1024 is on it's way out the door and 2048 will follow soon?
>> >
>> > I do not think that moving to 'a min value of 2048  SHOULD+ be used'
>> > will do much to help this particular case.
>> 
>> I would actually be recommending min value of SHOULD - as it will not
>> be recommended in a few years and is on a decline.  SHOULD + typically
>> indicates that it will be required as a MUST next, whereas in this
>> case, it will be deprecated in a few years.
>> 
>> Thanks,
>> Kathleen
>> 
>> >
>> >         -- Mark
>> 
>> 
>> 
>> --
>> 
>> Best regards,
>> Kathleen
>

v2.23.0 | Report a Bug | By Email