Re: [Curdle] Straw Poll still in progress for draft-ietf-curdle-ssh-kex-sha2

"Mark D. Baushke" <mdb@juniper.net> Thu, 14 January 2021 20:50 UTC

To: curdle <curdle@ietf.org>
In-Reply-To: <CADZyTkm4wwzWmhuv5SskqhNJcbm363poKiFAoBjJKKUh8X+x5Q@mail.gmail.com>
References: <2CCABC30-F757-4659-9FF3-5AADDD51EE30@akamai.com> <4b681efd49274f03c7e0521e127e031426632ad0.camel@redhat.com> <CADZyTkk--kCWqE7q0Xi5C40V92MuZBktDzQGt_vPSZPiBy7v9w@mail.gmail.com> <18479.1606885358@eng-mail01.juniper.net> <20201205194724.GB64351@kduck.mit.edu> <37691.1607621661@eng-mail01.juniper.net> <1607647129866.76532@cs.auckland.ac.nz> <2917.1607672034@eng-mail01.juniper.net> <012AE120-2516-44F6-B729-ED342A137535@timeheart.net> <ED8F3B46-A5CC-4D14-A714-FD1C0AA67486@akamai.com> <12959BD6-F3AB-418B-8CE0-C3BE43999435@timeheart.net> <40887.1608233724@eng-mail03> <0f4dce32-b362-43d8-85e0-9608ca3427ab@redhat.com> <90135.1609791710@eng-mail03> <7f27ed9c52fbbabd6047b2a1a860afff2656ad76.camel@redhat.com> <758.1609814329@eng-mail03> <25126.1610483420@eng-mail03> <CADPMZDDb3BZWe_2p3eh=14BwhXxBdmAmLXY9K9=y=BwXZ17QdA@mail.gmail.com> <CADZyTkm4wwzWmhuv5SskqhNJcbm363poKiFAoBjJKKUh8X+x5Q@mail.gmail.com>
Comments: In-reply-to: Daniel Migault <mglt.ietf@gmail.com> message dated "Wed, 13 Jan 2021 22:44:35 -0500."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Thu, 14 Jan 2021 12:51:20 -0800
Message-ID: <12936.1610657480@eng-mail03>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/tZqXeCs1v1Tsyv-bIir1a2eMm2A>
Subject: Re: [Curdle] Straw Poll still in progress for draft-ietf-curdle-ssh-kex-sha2

Hi,

Per Daniel's request, I plan to close the poll at 5pm PST.

Here is what I have so far.

At present, I have straw poll input from the following individuals:

    Mark Baushke <mdb@juniper.net> (user)
    denis bider <denisbider.ietf@gmail.com> (implementor)
    Ron Frederick <ronf@timeheart.net> (implementor)
    Daniel Migault <mglt.ietf@gmail.com> (user)
    Simo Sorce <simo@redhat.com> (implementor)
    Peter Gutmann <pgut001@cs.auckland.ac.nz> (implementor)

Current weighted voting favors this set of recommendations:

  Kex Algorithm                       Recommendation
====================================================================
 diffie-hellman-group1-sha1:         SHOULD NOT (10)
 diffie-hellman-group14-sha1:        MAY (19)
 diffie-hellman-group-exchange-sha1: SHOULD NOT (8), MAY (2)
 rsa1024-sha1:                       MUST NOT (8), SHOULD NOT (2)
 gss-gex-sha1-*:                     SHOULD NOT (10)
 gss-group1-sha1-*:                  SHOULD NOT (8), MAY (2)
====================================================================

	Be safe, stay healthy,
	-- Mark

PS: Here are the current differences between the published -12 and the
current -13 draft which I plan to upload tonight if no other votes come
in to change the current weighting.

--- draft-ietf-curdle-ssh-kex-sha2-12.txt	2020-11-23 13:25:22.000000000 -0800
+++ draft-ietf-curdle-ssh-kex-sha2-13.txt	2021-01-13 20:50:14.000000000 -0800
@@ -4,9 +4,9 @@
 
 Internet Engineering Task Force                            M. D. Baushke
 Internet-Draft                                    Juniper Networks, Inc.
-Updates: 4250 (if approved)                             23 November 2020
+Updates: 4250 4253 4432 4462 (if approved)               13 January 2021
 Intended status: Standards Track                                        
-Expires: 27 May 2021
+Expires: 17 July 2021
 
 
  Key Exchange (KEX) Method Updates and Recommendations for Secure Shell
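Review bot: the Updates: line now names 4253, 4432 and 4462 in addition to 4250, and the Introduction hunk later in this patch carries matching text, but no hunk touches the Abstract; check that the Abstract also lists the four updated RFCs so the header, Abstract and Introduction agree.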
@@ -35,11 +35,11 @@
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 27 May 2021.
+   This Internet-Draft will expire on 17 July 2021.
 
 Copyright Notice
 
-   Copyright (c) 2020 IETF Trust and the persons identified as the
+   Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
@@ -67,7 +67,7 @@
        1.2.2.  Finite Field Cryptography (FFC) . . . . . . . . . . .   4
        1.2.3.  Integer Factorization Cryptography (IFC)  . . . . . .   5
    2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   5
-   3.  Key Exchange Methods  . . . . . . . . . . . . . . . . . . . .   5
+   3.  Key Exchange Methods  . . . . . . . . . . . . . . . . . . . .   6
      3.1.  SHA-1 and SHA-2 Hashing . . . . . . . . . . . . . . . . .   6
      3.2.  Elliptic Curve Cryptography (ECC) . . . . . . . . . . . .   6
        3.2.1.  curve25519-sha256 and gss-curve25519-sha256-* . . . .   6
@@ -97,7 +97,11 @@
    considered secure is no longer considered secure.  The purpose of
    this RFC is to recommend that some published key exchanges be
    deprecated as well as recommending some that SHOULD and one that MUST
-   be adopted.  This document updates [RFC4250].
+   be adopted.  This document updates [RFC4250] [RFC4253] [RFC4432]
+   [RFC4462] by changing the requirement level ("MUST" moving to
+   "SHOULD" or "MAY" or "SHOULD NOT", and "MAY" moving to "MUST" or
+   "SHOULD" or "SHOULD NOT" or "MUST NOT") of various key-exchange
+   mechanisms.
 
    A key exchange has two components, a hashing algorithm and a public
    key algorithm.  The following subsections describe how to select each
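Review bot: the new sentence writes the updated RFCs as "[RFC4250] [RFC4253] [RFC4432] [RFC4462]" with no separators, while the section 3 paragraph elsewhere in this patch uses "[RFC4253], [RFC4419], [RFC4432], ..."; use the comma-separated form in both places. The parenthetical that enumerates every possible move between requirement levels is hard to read; "by changing the requirement level of various key-exchange mechanisms", with the specifics left to the summary table, says the same thing.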
@@ -121,11 +121,28 @@
    are weaknesses in the algorithm.  Therefore, it is desirable to move
    away from using it before attacks become more serious.
 
-   At present, the attacks against SHA-1 are collision attacks that rely
-   on human help rather than a pre-image attack.  So, it is still
-   possible to allow time backward compatibility use of SHA-1 during a
-   SSH key-exchange for a transition to stronger hashing.  However, any
-   such key exchanges should be listed last in the preference list.
+   At present, the attacks against SHA-1 are collision attacks that
+   usually rely on human help rather than a pre-image attack.  SHA-1
+   resistance against 2nd pre-image is still at 160 bits, but SSH does
+   not depend on that, but rather on chosen prefix resistance.
+
+   Transcript Collision attacks are documented in [TRANS-COLL].  This
+   paper shows that the man in the middle does not tamper with the
+   Diffie-Hellman values and does not know the connection keys.
+   However, it manages to tamper with both Ic and Is, and can therefore
+   downgrade the negotiated ciphersuite to a weak cryptographic
+   algorithm that the attacker knows how to break.
+
+   These attacks are still computationally very difficult to perform,
+   but is is desirable that any Key Exchanging using SHA-1 be phased out
+   as soon as possible.
+
+   These attacks are potentially slightly easier when the server
+   provides the Diffie-Hellman parameters such as using the [RFC4419]
+   generated set of diffie-hellman parameters with SHA-1 hashing.  If
+   there is a need for using SHA-1 in a Key Exchange for compatibility,
+   it would be desirable it be listed last in the preference list of key
+   exchanges.
 
    Use of the SHA-2 family of hashes found in [RFC6234] rather than the
    SHA-1 hash is strongly advised.
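Review bot: wording errors in the added SHA-1 paragraphs: "but is is desirable" and "any Key Exchanging using SHA-1" should read "but it is desirable" and "any key exchange using SHA-1"; "it would be desirable it be listed last" needs "that"; and "but SSH does not depend on that, but rather on" doubles "but" (drop the first). "Ic and Is" are the [RFC4253] names I_C and I_S for the client's and server's SSH_MSG_KEXINIT payloads; spelling that out once helps readers who do not have the paper to hand. "This paper shows that the man in the middle does not tamper with the Diffie-Hellman values" reads as if that were a result of the paper; "In this attack, the man in the middle does not tamper with ..." makes clear it describes the attack's shape.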
@@ -145,6 +162,14 @@
 
    SSH uses mathematically hard problems for doing Key Exchange:
 
+
+
+
+Baushke                   Expires 17 July 2021                  [Page 3]
+
+Internet-Draft KEX Method Updates/Recommendations for SSH   January 2021
+
+
    *  Elliptic Curve Cryptography (ECC) has families of curves for Key
       Exchange Methods for SSH.  NIST prime curves with names and other
       curves are available using an object identifier (OID) with
@@ -159,17 +184,6 @@
    *  Integer Factorization Cryptography (IFC) using the RSA algorithm
       is provided for in [RFC4432].
 
-
-
-
-
-
-
-Baushke                    Expires 27 May 2021                  [Page 3]
-
-Internet-Draft KEX Method Updates/Recommendations for SSH  November 2020
-
-
    It is desirable for the security strength of the key exchange be
    chosen to be comparable with the security strength of the other
    elements of the SSH handshake.  Attackers can target the weakest
@@ -251,6 +251,8 @@
    The only IFC algorithm for key exchange is the RSA algorithm via
    [RFC4432].  The minimum modulus size is 2048 bits.  The use of a
    SHA-2 Family hash with RSA 2048-bit keys has sufficient security.
+   The rsa1024-sha1 key exchange has less than 2048 bits and MUST NOT be
+   implemented.
 
            +=====================+=============================+
            | Key Exchange Method | Estimated Security Strength |
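Review bot: "has less than 2048 bits" is vague beside the preceding sentence's stated 2048-bit minimum; say directly that rsa1024-sha1 uses a 1024-bit modulus, below that minimum, and that it also uses SHA-1, which gives both reasons for the MUST NOT. The level matches the poll tally in the message (MUST NOT (8), SHOULD NOT (2)) and the rsa1024-sha1 row of the summary table later in this patch.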
@@ -270,18 +272,21 @@
    BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
    capitals, as shown here.
 
-3.  Key Exchange Methods
 
-   This memo adopts the style and conventions of [RFC4253] in specifying
-   how the use of data key exchange is indicated in SSH.
 
 
 
-Baushke                    Expires 27 May 2021                  [Page 5]
+
+Baushke                   Expires 17 July 2021                  [Page 5]
 
-Internet-Draft KEX Method Updates/Recommendations for SSH  November 2020
+Internet-Draft KEX Method Updates/Recommendations for SSH   January 2021
 
 
+3.  Key Exchange Methods
+
+   This memo adopts the style and conventions of [RFC4253] in specifying
+   how the use of data key exchange is indicated in SSH.
+
    This RFC also collects key exchange method names in various existing
    RFCs [RFC4253], [RFC4419], [RFC4432], [RFC4462], [RFC5656],
    [RFC8268], [RFC8731], [RFC8732], and [RFC8308], and provides a
@@ -305,9 +310,10 @@
    is the stronger of the two.  Group14 (a 2048-bit MODP group) is
    defined in [RFC3526].  It is reasonable to retain the diffie-hellman-
    group14-sha1 exchange for interoperability with legacy
-   implementations.  Therefore, diffie-hellman-group14-sha1 SHOULD be
-   implemented and all other *-sha1 key exchanges SHOULD NOT be
-   implemented.
+   implementations.  Therefore, diffie-hellman-group14-sha1 MAY be
+   implemented.  The diffie-hellman-group1-sha1, diffie-hellman-group-
+   exchange-sha1, gss-gex-sha1-*, and gss-group1-sha1-* key exchanges
+   SHOULD NOT be implemented.
 
 3.2.  Elliptic Curve Cryptography (ECC)
 
@@ -519,7 +519,7 @@
      +--------------------------------------+-----------+------------+
      | diffie-hellman-group1-sha1           | RFC4253   | SHOULD NOT |
      +--------------------------------------+-----------+------------+
-     | diffie-hellman-group14-sha1          | RFC4253   | SHOULD     |
+     | diffie-hellman-group14-sha1          | RFC4253   | MAY        |
      +--------------------------------------+-----------+------------+
      | diffie-hellman-group14-sha256        | RFC8268   | MUST       |
      +--------------------------------------+-----------+------------+
@@ -577,7 +577,7 @@
      +--------------------------------------+-----------+------------+
      | gss-nistp384-sha384-*                | RFC8732   | SHOULD     |
      +--------------------------------------+-----------+------------+
-     | gss-nistp521-sha512-*                | RFC8732   | MAY        |
+     | gss-nistp521-sha512-*                | RFC8732   | SHOULD     |
      +--------------------------------------+-----------+------------+
      | rsa1024-sha1                         | RFC4432   | MUST NOT   |
      +--------------------------------------+-----------+------------+
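Review bot: gss-nistp521-sha512-* moves from MAY to SHOULD in the summary table, but no hunk in this patch changes the ECC body text for that method, and it does not appear in the straw-poll tally in the message; either the change is intentional and the body text needs the same update, or this row changed by mistake.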
@@ -696,7 +696,7 @@
 
    [IANA-KEX] Internet Assigned Numbers Authority (IANA), "Secure Shell
               (SSH) Protocol Parameters: Key Exchange Method Names",
-              July 2020, <http://www.iana.org/assignments/ssh-
+              December 2020, <http://www.iana.org/assignments/ssh-
               parameters/ssh-parameters.xhtml#ssh-parameters-16>.
 
    [RFC4251]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
@@ -725,9 +725,9 @@
 
 
 
-Baushke                    Expires 27 May 2021                 [Page 13]
+Baushke                   Expires 17 July 2021                 [Page 13]
 
-Internet-Draft KEX Method Updates/Recommendations for SSH  November 2020
+Internet-Draft KEX Method Updates/Recommendations for SSH   January 2021
 
 
    [RFC6194]  Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
@@ -750,6 +750,14 @@
               SHA-2", RFC 8732, DOI 10.17487/RFC8732, February 2020,
               <https://www.rfc-editor.org/info/rfc8732>.
 
+   [TRANS-COLL]
+              Bhargavan, K. and G. Leurent, "Transcript Collision
+              Attacks: Breaking Authentication in TLS, IKE, and SSH",
+              Network and Distributed System Security Symposium - NDSS
+              2016, Feb 2016, San Diego, United
+              States. 10.14722/ndss.2016.23418 . hal-01244855,
+              <https://hal.inria.fr/hal-01244855/document>.
+
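Review bot: the [TRANS-COLL] entry should follow the DOI style of the neighbouring entries ("DOI 10.17487/RFC8732"): write "DOI 10.14722/ndss.2016.23418" and remove the space before the period; "hal-01244855" can stay as the HAL identifier since the URL points there. "NDSS 2016, Feb 2016, San Diego, United States" also splits awkwardly across lines; "NDSS 2016, San Diego, February 2016" reads more cleanly.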
 Author's Address
 
    Mark D. Baushke
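The recommendation levels tallied in the poll table above are only useful to an operator once they are checked against a real KexAlgorithms list. The script below is an added example, written for this page and not part of the draft or of the message; it encodes only the levels visible here (the six poll entries plus the summary-table rows changed in the diff), resolves GSS-API method families by prefix, reports anything outside that table as unknown rather than guessing, and flags a SHA-1 exchange listed ahead of a non-SHA-1 one, contrary to the draft's "listed last" advice. The configuration values and the GSS mechanism suffix "EXAMPLEMECH" are constructed.

```python
"""Audit an SSH KexAlgorithms list against the straw-poll recommendation
levels.  Added example (constructed here, not from the draft or the list
message); it encodes only the levels visible on this page."""
import re

# Levels from the poll table in the message plus the summary-table rows
# changed in the -12 -> -13 diff.  Names ending in "-*" are GSS-API method
# families: the "*" is the per-mechanism suffix defined in RFC 4462.
RECOMMENDATIONS = {
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "rsa1024-sha1": "MUST NOT",
    "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT",
    "diffie-hellman-group14-sha256": "MUST",
    "gss-nistp384-sha384-*": "SHOULD",
    "gss-nistp521-sha512-*": "SHOULD",
}

# Levels that a defender should treat as findings in a live configuration.
NEGATIVE_LEVELS = ("MUST NOT", "SHOULD NOT")


def lookup(method):
    """Return the recommendation level for one KEX method name.

    Exact names are matched first; "gss-...-*" families match by prefix so
    that a concrete name such as "gss-gex-sha1-<mechanism>" resolves.
    Returns None for methods this table does not cover (no guessing)."""
    if method in RECOMMENDATIONS:
        return RECOMMENDATIONS[method]
    for pattern, level in RECOMMENDATIONS.items():
        if pattern.endswith("-*") and method.startswith(pattern[:-1]):
            return level
    return None


def uses_sha1(method):
    """True if the method name carries a "sha1" hash component.

    The component is followed by the end of the name or by a "-" (the GSS
    mechanism suffix), so "...-sha256" and "...-sha512" do not match."""
    return re.search(r"-sha1(-|$)", method) is not None


def audit(kex_line):
    """Check a comma-separated KexAlgorithms value.

    Returns a dict with the parsed method list, the methods whose level is
    MUST NOT or SHOULD NOT ("violations", as (name, level) pairs), the
    methods the table does not cover ("unknown"), and "sha1_not_last",
    which is True when a SHA-1 method is listed ahead of a non-SHA-1 one,
    contrary to the draft's advice to keep SHA-1 exchanges last."""
    methods = [m.strip() for m in kex_line.split(",") if m.strip()]
    violations, unknown = [], []
    for method in methods:
        level = lookup(method)
        if level is None:
            unknown.append(method)
        elif level in NEGATIVE_LEVELS:
            violations.append((method, level))

    sha1_not_last = False
    seen_sha1 = False
    for method in methods:
        if uses_sha1(method):
            seen_sha1 = True
        elif seen_sha1:
            sha1_not_last = True
            break

    return {
        "methods": methods,
        "violations": violations,
        "unknown": unknown,
        "sha1_not_last": sha1_not_last,
    }


# Constructed sample configuration values (not taken from any real host).
# The GSS suffix "EXAMPLEMECH" stands in for a real mechanism identifier.
WEAK_KEX = ("diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,"
            "diffie-hellman-group1-sha1,rsa1024-sha1")
HARDENED_KEX = ("diffie-hellman-group14-sha256,"
                "gss-nistp521-sha512-EXAMPLEMECH,diffie-hellman-group14-sha1")


def report(kex_line):
    """Render an audit result as text lines, one finding per line."""
    result = audit(kex_line)
    lines = []
    for method, level in result["violations"]:
        lines.append(f"{level}: {method}")
    for method in result["unknown"]:
        lines.append(f"not in table: {method}")
    if result["sha1_not_last"]:
        lines.append("SHA-1 method listed before a non-SHA-1 method")
    return lines or ["no findings"]


if __name__ == "__main__":
    for label, value in (("weak", WEAK_KEX), ("hardened", HARDENED_KEX)):
        print(label)
        for line in report(value):
            print("  " + line)
```

Methods the table does not cover come back as "unknown" on purpose: the levels for the remaining methods (curve25519-sha256 and the other entries only named in the table of contents here) are in the draft's summary table, which this page shows only in part, and should be added from the published text rather than assumed.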