IETF Logo Mail Archive

Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)

denis bider <denisbider.ietf@gmail.com> Wed, 28 August 2019 22:46 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 922061200E3; Wed, 28 Aug 2019 15:46:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id igDj8c7ZdR8d; Wed, 28 Aug 2019 15:46:33 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE6861200CD; Wed, 28 Aug 2019 15:46:33 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id o101so1468036ota.8; Wed, 28 Aug 2019 15:46:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uVnU3SjgVehWFFaJzesZUTpYZldW6sFzFAy64UyNPMg=; b=X7tYTA74Opv/3IFc+GML5l8Zswe6uwHfKrMz5+KrrBEnlTrCjibLyPh7yAjZ5aSmME iRdRtX68UAEIDpmgxMSLieRA/xu5iZgdtpOZtkg67V3VZASco2tArMnTbVsO8lFxUA5K l6Rr45KiWs+G7CzJ/CmHgeFA2JN5N+19dJJWLohBVOqrQ4awe2OZcA7u+mWPkuXgxsgY MbNaQHqM1fsKS6sfvPU4gTwEmn0xwKA/qWVYigjOoJHL6KGLAKTo/hqdQROY6fkNGuqS t6HMADoMz8Po3DIhi3WfwIQY4KOMZbejHiT13FUqb+YiDbDHkSAxWesRFYZ73u7H79ut IWWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uVnU3SjgVehWFFaJzesZUTpYZldW6sFzFAy64UyNPMg=; b=DdzMImrrAw0BmO6wA3GV1yqBe0Xfu87RrsBBj1Y2SxdIxZFH4AgFYLgV/gw1ESanuy LGH4QkiHo0ZJ7Gp3MpptJ8esTJwXq7BXrlKoW4OYUbaagFmADrrcHUROKlxKLz1Td29c xNTGXZnm9b8Wy1M7T+Zm76d+ZC0NOFp72rKfehsQC5xR5vIYsgjuD763YA17v3KinNrB 17JtBrkXdvq4hUtbRY+Eg59q2odO32N1DgBmmMuC530uG+wI71lnowQaKUQN8jYIqOxm zRqwkskLqdmkmlGDEy+bRhvZLh7Red2uUoNrx87gTxvfRGUlFdZGxiLwieFGU1sgfMOR qCBw==
X-Gm-Message-State: APjAAAV4NZJykKYlM9ttHL6IjHdS+xD5q8tFMzfFUcRiOCQ5sBM6DNxe CaXl8olnVthiJa6AsPdJgLWFexz8qVQeoGSkoBc=
X-Google-Smtp-Source: APXvYqzCPbIFeEBOKImWwlpteKNEJityOgzwW1JTqNxS5Rm4J5y0K5yBuRJiszz4+Ur+h3ssvWtgxzhD8DJjtBqGeiI=
X-Received: by 2002:a9d:4004:: with SMTP id m4mr4858856ote.146.1567032393240; Wed, 28 Aug 2019 15:46:33 -0700 (PDT)
MIME-Version: 1.0
References: <156699015116.32300.11396032996637636651.idtracker@ietfa.amsl.com> <18058.1567007603@contrail-ubm16-mdb.svec1.juniper.net> <be7c3562-2a26-6d11-8db6-b485e9b4aa22@badcode.be>
In-Reply-To: <be7c3562-2a26-6d11-8db6-b485e9b4aa22@badcode.be>
From: denis bider <denisbider.ietf@gmail.com>
Date: Wed, 28 Aug 2019 17:46:21 -0500
Message-ID: <CADPMZDCWN-Quidx=F8NVYeCs=8SbJ0q5b+veeE5t0n6VqebhQQ@mail.gmail.com>
To: Aris Adamantiadis <aris@badcode.be>
Cc: "Mark D. Baushke" <mdb@juniper.net>, Mirja Kühlewind <ietf@kuehlewind.net>, curdle <curdle@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, draft-ietf-curdle-ssh-curves@ietf.org, curdle-chairs <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000269b500591352991"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/sutsGFn9Bzu0gEXBuBYjHZwLq04>
Subject: Re: [Curdle] Mirja Kühlewind's Discuss on draft-ietf-curdle-ssh-curves-10: (with DISCUSS and COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 22:46:37 -0000

With regard to the following:

> Additionally it doesn't really help the end user who would
> see this message, because this is clearly an implementation
> issue within the SSH software stack, not something that the
> user can tweak in a configuration file.

I think it's important to note that this reasoning, in general, is false.
As someone who has directly supported users of SSH software over 20 years,
it is highly useful if the user can send log files which contain technical
information, even if the user doesn't understand that information. It can
dramatically reduce the effort needed to figure out an issue, and increases
the odds that it will be figured out at all.

The part of the argument about protecting sensitive information is valid,
but implementers also tend to run with that much further than it's useful.
For example, there are implementations which use this reasoning to try to
deny the other party information about the software name and version in the
SSH version string. This greatly frustrates figuring out problems when
connecting to those implementations (what software is this to begin with?)
and makes it difficult to implement compatibility workarounds (how do we
tell this broken implementation from others when it's going out of its way
to disguise itself?). From this perspective, I am thankful to developers
like OpenSSH for their policy to always include the software name and
version in the SSH version string, that's a godsend that greatly helps when
we need to work around a compatibility issue.

In general - protect sensitive information, yes; but consider that every
piece of information that's removed also makes things substantially more
difficult for tech support and compatibility.

denis


On Wed, Aug 28, 2019 at 12:08 PM Aris Adamantiadis <aris@badcode.be> wrote:

> Le 28-08-19 à 17:53, Mark D. Baushke a écrit :
>
> > In section 3, the appropriate SSH "protocol error" might be one of a
> > two:
> >
> >    SSH_ERR_KEY_INVALID_EC_VALUE for zeros found for the all-zero shared
> >    secret
> >
> > and
> >
> >    SSH_ERR_SIGNATURE_INVALID if the blob is not the correct size for a
> >    public key
> >
> > However, an implementation miight return SSH_ERR_SIGNATURE_INVALID
> > rather than SSH_ERR_KEY_INVALID_EC_VALUE depending on how the
> > implementation was written.
> >
> > As long as the connection aborts and does not continue in the case of a
> > "protocol error", it is sufficient in my opinion.
> >
> > Is it really needful to be prescriptive in this given that many
> > implementations of this code have already been fielded and I do not
> > have any ability to know which design choices they made?
>
> Hi Mark,
>
> I would think it's best that as little information as possible about the
> error is sent over the SSH connection. This vector was historically used
> to exploit other cryptographic protocols, enabling attacks such as
> padding oracles and others. Additionally it doesn't really help the end
> user who would see this message, because this is clearly an
> implementation issue within the SSH software stack, not something that
> the user can tweak in a configuration file.
>
> I'd then recommend a SHOULD send SSH_ERR_SIGNATURE_INVALID for all cases
> where protocol errors happen when handling the shared secret or the
> peer's key, if we really wish to be prescriptive, something I don't
> think is important.
>
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>

v2.23.0 | Report a Bug | By Email