[Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy

Benjamin Kaduk <kaduk@mit.edu> Thu, 11 February 2021 04:25 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C8C9E3A1132 for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 20:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xWpEdtLm5O9J for <curdle@ietfa.amsl.com>; Wed, 10 Feb 2021 20:25:58 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E89C3A1130 for <curdle@ietf.org>; Wed, 10 Feb 2021 20:25:57 -0800 (PST)
Received: from kduck.mit.edu ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 11B4PpbS012585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <curdle@ietf.org>; Wed, 10 Feb 2021 23:25:56 -0500
Date: Wed, 10 Feb 2021 20:25:51 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: curdle@ietf.org
Message-ID: <20210211042551.GV21@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/uo-OEckOhU8CKCzwwws6kKNsM2s>
Subject: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 04:26:00 -0000

While reviewing draft-ietf-curdle-ssh-kex-sha2, I followed many of the
references, which included RFC 4432, which defines the "rsa1024-sha1"
(getting deprecated for SHA-1 usage) and "rsa2048-sha256" (which is not)
key exchange methods.  While the specific construction is claimed to still
produce contributory behavior in practice (due to the client-contributed
key only ever being used in combination with the hash of server-provided
data), it seems to still be the case that if the RSA private key is
revealed, the session key is revealed, which is mostly the standard
non-forward-secret behavior.

Things are perhaps better if you buy into the theory that "it may be a
transient key generated solely for this SSH connection, or it may be
re-used for several connections" is supposed to prevent indefinite reuse of
the RSA keypair, which seems ... not very reassuring.

While it's not clear to me that there's specific reason to (say) move the
whole RFC to Historic status or claim that it is obsoleted by some
more-modern key-exchange method, it does seem likely to me that we could
get IETF consensus that actually using rsa2048-sha256 is generally a bad
idea.  (Or maybe we could get consensus to move it to Historic.)  Perhaps
an RFC 2026 Applicability Statement would be an appropriate tool for this

But most likely the best place to start would be to ask how widely it's
implemented and if it's known to be in use anywhere...does anyone have