[Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
Benjamin Kaduk <kaduk@mit.edu> Thu, 11 February 2021 04:25 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8C9E3A1132 for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 20:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xWpEdtLm5O9J for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 20:25:58 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E89C3A1130 for <curdle@ietf.org>; Wed, 10 Feb 2021 20:25:57 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 11B4PpbS012585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <curdle@ietf.org>; Wed, 10 Feb 2021 23:25:56 -0500
Date: Wed, 10 Feb 2021 20:25:51 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: curdle@ietf.org
Message-ID: <20210211042551.GV21@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/uo-OEckOhU8CKCzwwws6kKNsM2s>
Subject: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 04:26:00 -0000
While reviewing draft-ietf-curdle-ssh-kex-sha2, I followed many of the references, which included RFC 4432, which defines the "rsa1024-sha1" (getting deprecated for SHA-1 usage) and "rsa2048-sha256" (which is not) key exchange methods. While the specific construction is claimed to still produce contributory behavior in practice (due to the client-contributed key only ever being used in combination with the hash of server-provided data), it seems to still be the case that if the RSA private key is revealed, the session key is revealed, which is mostly the standard non-forward-secret behavior. Things are perhaps better if you buy into the theory that "it may be a transient key generated solely for this SSH connection, or it may be re-used for several connections" is supposed to prevent indefinite reuse of the RSA keypair, which seems ... not very reassuring. While it's not clear to me that there's specific reason to (say) move the whole RFC to Historic status or claim that it is obsoleted by some more-modern key-exchange method, it does seem likely to me that we could get IETF consensus that actually using rsa2048-sha256 is generally a bad idea. (Or maybe we could get consensus to move it to Historic.) Perhaps an RFC 2026 Applicability Statement would be an appropriate tool for this case? But most likely the best place to start would be to ask how widely it's implemented and if it's known to be in use anywhere...does anyone have data? Thanks, Ben
- [Curdle] RSA key transport for SSH (RFC 4432) and… Benjamin Kaduk
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Peter Gutmann
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Mark D. Baushke
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Peter Gutmann
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Keith Winstein
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Mark D. Baushke
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Ron Frederick
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Benjamin Kaduk
- Re: [Curdle] RSA key transport for SSH (RFC 4432)… Simon Tatham