< draft-ietf-curdle-rsa-sha2-03-rpetrov.txt | draft-ietf-curdle-rsa-sha2-03.txt > | |||
---|---|---|---|---|
skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
1.1. Requirements Terminology | 1.1. Requirements Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
2. Public Key Algorithms | 2. Public Key Algorithms | |||
This memo adopts the style and conventions of [RFC4253] in specifying | This memo adopts the style and conventions of [RFC4253] in specifying | |||
how use of a public key algorithm is indicated in SSH. | how use of a signature algorithm is indicated in SSH. | |||
The following new public key algorithms are defined: | The following new signature algorithms are defined: | |||
rsa-sha2-256 RECOMMENDED sign Raw RSA key | rsa-sha2-256 RECOMMENDED sign Raw RSA key | |||
rsa-sha2-512 OPTIONAL sign Raw RSA key | rsa-sha2-512 OPTIONAL sign Raw RSA key | |||
These algorithms are suitable for use both in the SSH transport | These signature algorithms are suitable for use both in the SSH transport | |||
layer [RFC4253] for server authentication, and in the authentication | layer [RFC4253] for server authentication, and in the authentication | |||
layer [RFC4252] for client authentication. | layer [RFC4252] for client authentication. | |||
2.1. Public Key Format | ||||
Since RSA keys are not dependent on the choice of hash function, both | Since RSA keys are not dependent on the choice of hash function, both | |||
new algorithms reuse the public key format of the existing "ssh-rsa" | new algorithms reuse the public key format of the existing "ssh-rsa" | |||
algorithm as defined in [RFC4253]: | algorithm as defined in [RFC4253]: | |||
string "ssh-rsa" | string "ssh-rsa" | |||
mpint e | mpint e | |||
mpint n | mpint n | |||
All aspects of the "ssh-rsa" format are kept, including the encoded | All aspects of the "ssh-rsa" format are kept, including the encoded | |||
string "ssh-rsa", in order to allow users' existing RSA keys to be | string "ssh-rsa", in order to allow users' existing RSA keys to be | |||
used with the new signature formats, without requiring re-encoding, | used with the new signature formats, without requiring re-encoding, | |||
or affecting already trusted key fingerprints. | or affecting already trusted key fingerprints. | |||
2.2. Signature Encoding | ||||
Signing and verifying using these algorithms is performed according to | Signing and verifying using these algorithms is performed according to | |||
the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as | the RSASSA-PKCS1-v1_5 scheme in [RFC3447] using SHA-2 [FIPS-180-4] as | |||
hash; MGF1 as mask function; and salt length equal to hash size. | hash; MGF1 as mask function; and salt length equal to hash size. | |||
For the algorithm "rsa-sha2-256", the hash used is SHA-2 256. | For the algorithm "rsa-sha2-256", the hash used is SHA-2 256. | |||
For the algorithm "rsa-sha2-512", the hash used is SHA-2 512. | For the algorithm "rsa-sha2-512", the hash used is SHA-2 512. | |||
The resulting signature is encoded as follows: | The resulting signature is encoded as follows: | |||
string "rsa-sha2-256" / "rsa-sha2-512" | string "rsa-sha2-256" / "rsa-sha2-512" | |||
string rsa_signature_blob | string rsa_signature_blob | |||
The value for 'rsa_signature_blob' is encoded as a string containing | The value for 'rsa_signature_blob' is encoded as a string containing | |||
S - an octet string which is the output of RSASSA-PKCS1-v1_5, of | S - an octet string which is the output of RSASSA-PKCS1-v1_5, of | |||
length equal to the length in octets of the RSA modulus. | length equal to the length in octets of the RSA modulus. | |||
2.3. Use for server authentication | 2.1. Use for server authentication | |||
To express support and preference for one or both of these algorithms | To express support and preference for one or both of these algorithms | |||
for server authentication, the SSH client or server includes one or | for server authentication, the SSH client or server includes one or | |||
both algorithm names, "rsa-sha2-256" and/or "rsa-sha2-512", in the | both algorithm names, "rsa-sha2-256" and/or "rsa-sha2-512", in the | |||
name-list field "server_host_key_algorithms" in the SSH_MSG_KEXINIT | name-list field "server_host_key_algorithms" in the SSH_MSG_KEXINIT | |||
packet [RFC4253]. If one of the two host key algorithms is negotiated, | packet [RFC4253]. If one of the two host key algorithms is negotiated, | |||
the server sends an "ssh-rsa" public key as part of the negotiated key | the server sends an "ssh-rsa" public key as part of the negotiated key | |||
exchange method (e.g. in SSH_MSG_KEXDH_REPLY), and encodes a signature | exchange method (e.g. in SSH_MSG_KEXDH_REPLY), and encodes a signature | |||
with the appropriate signature algorithm name - either "rsa-sha2-256", | with the appropriate signature algorithm name - either "rsa-sha2-256", | |||
or "rsa-sha2-512". | or "rsa-sha2-512". | |||
2.4. Use for client authentication | 2.2. Use for client authentication | |||
To use this algorithm for client authentication, the SSH client sends | To use this algorithm for client authentication, the SSH client sends | |||
an SSH_MSG_USERAUTH_REQUEST message [RFC4252] encoding the "publickey" | an SSH_MSG_USERAUTH_REQUEST message [RFC4252] encoding the "publickey" | |||
method, and encoding the string field "public key algorithm name" with | method, and encoding the string field "public key algorithm name" with | |||
the value "rsa-sha2-256" or "rsa-sha2-512". The "public key blob" | the value "rsa-sha2-256" or "rsa-sha2-512". The "public key blob" | |||
field encodes the RSA public key using the "ssh-rsa" format identifier. | field encodes the RSA public key using the "ssh-rsa" algorithm name. | |||
The signature field, if present, encodes a signature using an | The signature field, if present, encodes a signature using an | |||
signature format identifier that MUST match the algorithm name in SSH authentication request - either | algorithm name that MUST match the SSH authentication request - either | |||
"rsa-sha2-256", or "rsa-sha2-512". | "rsa-sha2-256", or "rsa-sha2-512". | |||
For example, an SSH "publickey" signed authentication request using an | For example, an SSH "publickey" authentication request using an | |||
"rsa-sha2-512" algorithm would be properly encoded as follows: | "rsa-sha2-512" signature would be properly encoded as follows: | |||
byte SSH_MSG_USERAUTH_REQUEST | byte SSH_MSG_USERAUTH_REQUEST | |||
string user name | string user name | |||
string service name | string service name | |||
string "publickey" | string "publickey" | |||
boolean TRUE | boolean TRUE | |||
string "rsa-sha2-512" | string "rsa-sha2-512" | |||
string public key blob: | string public key blob: | |||
string "ssh-rsa" | string "ssh-rsa" | |||
mpint e | mpint e | |||
skipping to change at page 4, line 21 ¶ | skipping to change at page 4, line 21 ¶ | |||
Servers that accept rsa-sha2-* signatures for client authentication | Servers that accept rsa-sha2-* signatures for client authentication | |||
SHOULD implement the extension negotiation mechanism defined in | SHOULD implement the extension negotiation mechanism defined in | |||
[SSH-EXT-INFO], including especially the "server-sig-algs" extension. | [SSH-EXT-INFO], including especially the "server-sig-algs" extension. | |||
When authenticating with an RSA key against a server that does not | When authenticating with an RSA key against a server that does not | |||
implement the "server-sig-algs" extension, clients MAY default to an | implement the "server-sig-algs" extension, clients MAY default to an | |||
ssh-rsa signature to avoid authentication penalties. | ssh-rsa signature to avoid authentication penalties. | |||
4. IANA Considerations | 4. IANA Considerations | |||
Consistent with Section 8 of [RFC4251] and Section 4.6 of [RFC4250], | IANA is requested to update the "Secure Shell (SSH) Protocol | |||
this document makes the following registrations: | Parameters" registry, to extend the table Public Key Algorithm Names: | |||
In the Public Key Algorithm Names registry: | - To the immediate right of the column Public Key Algorithm Name, | |||
- The SSH public key algorithm "rsa-sha2-256". | a new column is to be added, titled Signature Algorithm Name. For | |||
- The SSH public key algorithm "rsa-sha2-512". | existing entries, the column Signature Algorithm Name should be | |||
assigned the same value found under Public Key Algorithm Name. | ||||
This document creates no new registries. | - Immediately following the existing entry for "ssh-rsa", two sibling | |||
entries are to be added: | ||||
P. K. Alg. Name Sig. Alg. Name Reference Note | ||||
ssh-rsa rsa-sha2-256 [this document] Section 2 | ||||
ssh-rsa rsa-sha2-512 [this document] Section 2 | ||||
5. Security Considerations | 5. Security Considerations | |||
The security considerations of [RFC4253] apply to this document. | The security considerations of [RFC4253] apply to this document. | |||
The National Institute of Standards and Technology (NIST) Special | The National Institute of Standards and Technology (NIST) Special | |||
Publication 800-131A [800-131A] disallows the use of RSA and DSA keys | Publication 800-131A [800-131A] disallows the use of RSA and DSA keys | |||
shorter than 2048 bits for US government use after 2013. Keys of 2048 | shorter than 2048 bits for US government use after 2013. Keys of 2048 | |||
bits or larger are considered acceptable. | bits or larger are considered acceptable. | |||
skipping to change at page 5, line 28 ¶ | skipping to change at page 5, line 28 ¶ | |||
FIPS Publication 180-4, August 2015, | FIPS Publication 180-4, August 2015, | |||
<http://dx.doi.org/10.6028/NIST.FIPS.180-4>. | <http://dx.doi.org/10.6028/NIST.FIPS.180-4>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | |||
Standards (PKCS) #1: RSA Cryptography Specifications | Standards (PKCS) #1: RSA Cryptography Specifications | |||
Version 2.1", RFC 3447, February 2003. | Version 2.1", RFC 3447, February 2003. | |||
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) | ||||
Protocol Assigned Numbers", RFC 4250, January 2006. | ||||
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | ||||
Protocol Architecture", RFC 4251, January 2006. | ||||
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Authentication Protocol", RFC 4252, January 2006. | Authentication Protocol", RFC 4252, January 2006. | |||
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Transport Layer Protocol", RFC 4253, January 2006. | Transport Layer Protocol", RFC 4253, January 2006. | |||
7.2. Informative References | 7.2. Informative References | |||
[800-131A] National Institute of Standards and Technology (NIST), | [800-131A] National Institute of Standards and Technology (NIST), | |||
"Transitions: Recommendation for Transitioning the Use of | "Transitions: Recommendation for Transitioning the Use of | |||
End of changes. 14 change blocks. | ||||
25 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |