IETF Logo Mail Archive

Re: [Curdle] call for adoption for draft-mu-curdle-ssh-xmss-00

denis bider <denisbider.ietf@gmail.com> Sat, 23 November 2019 02:39 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E3612008F for <curdle@ietfa.amsl.com>; Fri, 22 Nov 2019 18:39:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9YRJfoz4KA2 for <curdle@ietfa.amsl.com>; Fri, 22 Nov 2019 18:39:08 -0800 (PST)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BD69120826 for <curdle@ietf.org>; Fri, 22 Nov 2019 18:39:08 -0800 (PST)
Received: by mail-ot1-x32d.google.com with SMTP id m15so7932412otq.7 for <curdle@ietf.org>; Fri, 22 Nov 2019 18:39:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fuJxW89hB/HzltoPj+tyaoYNNbRcDGaMHpSdnHSePq4=; b=j/QVAjRxTARCUqcSgA/khCPOldz0L+lvQKK/mkGiP2jldNkLOPaKy3w12L5uDdHPTu rJ76YMMzEaQndLJsKSL91KkQ9fnVgEUn2JAjxCZntxmklw3qVYO0N45PRuguhVQSElLG 4Fzhl7DVDKQ6+27bkZxH8jQBP85sKQUr1EeKB9/C8k8a/Iut8xP3Z7cC5Wgf14WgrWZ0 NcuE9e6IZHN0gVhc1kBk5Nd5c677uv2pagu9HUZEoEIpieHsEjo2btWUVpJBidjubDAQ oAzyJpCMhikigiJERWA1jVOOWaaUVqfRy7ItupV7NudaKHancbbnTLqleiVw7AYAJDsQ mNnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fuJxW89hB/HzltoPj+tyaoYNNbRcDGaMHpSdnHSePq4=; b=Aw9tk+MEYTr3Bv2ObtgB4Y96AJU2kHqzcz89dAW91JqyV6McbTCjcDVhqril9eLSi7 7dEKuHHspfoGfTMAzoJ6mo/OCgwYUpjqPr/TyjVFhdswNvz/DMNGLhFr4rrYHUo8w4kc AKYXE5x6k53V6gp1+XFr5CBrX6XiI6l5M8xMZlrV1FxUkMGglC0q0i2gw34/fwlz2VST M1QW3R1L6EbmxDKBmCUM6OThL4azkVUaDzSMVAtA0gn5GntpcwpgNsKo/hWQiZ8KU9hg YjZSi52UXGxT+93QqeL3yIHf8QOPP/GE0PRZi0/PLE6e+ZGFAehW7O5a58gsLZFxu/ib v/Ng==
X-Gm-Message-State: APjAAAWp28ejShcPbCmDp8ytiqiO5QX8M1KEua0qhjeEysWuGwlM2AWt ROtWoacrtzXR1QhdXmBJmDqTvviadGMiZzD9cqhKYA==
X-Google-Smtp-Source: APXvYqxAvI/H8QntQf8BmUOu//s7MCL1bTAZbEFvOsa4pkVjtnag1aXJlbjp1kW3U8lXF92WlaPTzqTpSqyDvt8td7s=
X-Received: by 2002:a9d:313:: with SMTP id 19mr13293235otv.197.1574476747658; Fri, 22 Nov 2019 18:39:07 -0800 (PST)
MIME-Version: 1.0
References: <6F37DBC7-172E-44B4-A7E8-C7432BEA3225@isara.com> <CACsn0cnozhq1-cvQr_ojb8v79+6E4xi04gnV33aUAN-8tWWCzw@mail.gmail.com> <2de53edd5bdba6147d922963f4f8d859bd016bb9.camel@redhat.com>
In-Reply-To: <2de53edd5bdba6147d922963f4f8d859bd016bb9.camel@redhat.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Fri, 22 Nov 2019 20:38:56 -0600
Message-ID: <CADPMZDBrGqbkMtct2EPsLqGOt3=QMHZ_568x_YbEeftwZS=+6Q@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, Daniel Van Geest <Daniel.VanGeest@isara.com>, "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Content-Type: multipart/alternative; boundary="00000000000040581c0597fa6f09"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/wNBP772dM9eqKchb4vaY5ReegJU>
Subject: Re: [Curdle] call for adoption for draft-mu-curdle-ssh-xmss-00
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Nov 2019 02:39:10 -0000

Those are all valid concerns, however the XMSS key could conceivably be
located on a smart card which contains the key and solves all these
concerns.

An RFC could spell out in all caps that use on a dedicated device is the
only usage case recommended.

On Fri, Nov 22, 2019 at 1:04 PM Simo Sorce <simo@redhat.com> wrote:

> On Thu, 2019-11-21 at 22:44 -0500, Watson Ladd wrote:
> > On Thu, Nov 21, 2019 at 9:44 PM Daniel Van Geest <
> Daniel.VanGeest@isara.com>
> > wrote:
> >
> > > NIST will issue a special publication on stateful hash-based signatures
> > > before the rest of the PQ process completes.  Based on today’s date I’d
> > > hazard a guess that the publication will be next year.
> > >
> > >
> > >
> > > XMSS/HSS is better suited for roots of trust and code signing (and
> > > possibly a few other limited cases, the NIST publication may give
> guidance
> > > here) where the environment where the signature is generated is tightly
> > > controlled.  I’d possibly support its use for limited end-entity
> > > certificates (the only semi-reasonable one I can think of is an EE cert
> > > with a private key in an HSM which is used to sign a TLS delegated
> > > credential of a different PQ or classical algorithm).
> > >
> > >
> > >
> > > The general SSH use case does not fit any tightly-controlled scenario
> like
> > > above, so I oppose adoption of this draft.
> > >
> >
> > Any protocol where ordinary sysadmin tasks like restoring from backup or
> > running salt/Ansible/system de jour can cause a complete and total break
> of
> > security is unsuitable for a lot of servers. when used in SSH.
> Furthermore
> > PQ signatures aren't needed yet: you cannot retroactively attack
> > authorization they way you can encryption. I also oppose adoption.
>
> I am also very concerned about allowing such a fragile construct for
> SSH specifically.
>
> Among all the issues mentioned above I want to add that in practice ssh
> keys are used concurrently by multiple binaries in modern software
> distributions.
>
> For example OpenSSH my be used by an interactive user at the same time
> as another automated process uses libssh. If these processes use the
> same keys without the coordination of a tightly controlled key
> management solution (like an HSM, or a special daemon, or some form of
> mandatory file locking and IPC) we will see an immediate disaster.
>
> Moreover, private keys are commonly copied between different systems by
> users, that behavior is perfectly fine and common nowadays but would be
> catastrophic with this mechanism.
>
> My 2c.
> simo.
>
> --
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
>
>
>
>
>

v2.23.0 | Report a Bug | By Email