IETF Logo Mail Archive

Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.

"Mark D. Baushke" <mdb@juniper.net> Tue, 13 August 2019 05:05 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54550120073 for <curdle@ietfa.amsl.com>; Mon, 12 Aug 2019 22:05:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zF_Zv6XfRPS0 for <curdle@ietfa.amsl.com>; Mon, 12 Aug 2019 22:05:35 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1636212007C for <curdle@ietf.org>; Mon, 12 Aug 2019 22:05:35 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x7D54qfC029370; Mon, 12 Aug 2019 22:05:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-id : date : message-id; s=PPS1017; bh=C9LvQCQkR+Ib9K+cnzLUmkAage3GMUx+D6hKjPxS7Gg=; b=IC4p0P+/iYIIRB76xPkmYQ5aF8BNZZdEzAIlzfGsv881gmlt3eQmDl2ZF++sGQ81cgWJ fGTU5ez6rcSZF/eoEo4Iq64qF5P+zgEPjEpwZFnRoswozn93y9EeX3psbqFEXTmyXr0d 0CUhg5o0xKhrHokySqeGGFJQYXULXXxcqZmToYgEPDQfZf+GC8svgae9rMONHQ4gBwHQ hdGQuJGXvZ9Dd6a0Nb7U2de76mZnc0757Vj3KTfoPmF+y4fG3mp68Ut9qZzL6c2HVqRZ W8s3hw8FJ0qFxC+3O+VTVQQhV3GyvI5bQpN0vpCXDVq/Sh8qRhKZvRdONN0Wxj+e2Bqc jQ==
Received: from nam04-co1-obe.outbound.protection.outlook.com (mail-co1nam04lp2056.outbound.protection.outlook.com [104.47.45.56]) by mx0b-00273201.pphosted.com with ESMTP id 2ubkqh06r3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Aug 2019 22:05:31 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YTNM6ocmwLvURmJZ2Ba0DVDSPeJ/HAD5vGBtr+7y6MDLitywz9pogsvIdop/nbLUNXu1xfMqjGim2PIZlXTQmVr52ivX/diHy2jXhfLyYJ6gCC/T+KRoR/gyaH8cPaxcsR6iJ2G3gMnF+JqQzeHBQx3ikk7dYYkpgiwouhr4dCgCd8Zi8x8+cvSoeOC4jTXpLYzZ/pCvL+84yznkk3QzbcIbhO/WBbpnOp//+DhBMvrumyg1V8Qrs5WRqdm344xreKNIEwYnKF48nXV6y1kz9rEjgHtlH3Z3D3hMPOSpQ9OtDdGxttfIswoK4XQxZu2IHpOkx7MsadIiYcMWR3EfQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C9LvQCQkR+Ib9K+cnzLUmkAage3GMUx+D6hKjPxS7Gg=; b=lqNrw3sEOtgQ62OoSZzKyih7/oPyLkqh+Btpa+NB+b6LcixBWsGmcipl4/m5JatpyzZW60fGfgKNqftTHyPcf+QEU/iMpVL6X8nzO3HAYHHGyI0LobeqPrY4ZqJv/mWIRpAfvLRDVmH2fqLEREexSpxHQndNs/HTxNj1gFJq4qIksJywnWt2hWypElv9aRApbhXb7Wqjg2f6HB8LydZIqOqdD5Hdj6MHhsYcs6XPakWojBWOiEr56cwcqjxa58dcdAu8EE4P0N6wnl0BRZV9Tn4Srn17/9VmyJWggSR4WpDYjy++wFgwQjQ0lR4S8EP3JzlrRPKMTlGt+5AjstMksQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.12) smtp.rcpttodomain=ietf.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
Received: from CH2PR05CA0001.namprd05.prod.outlook.com (2603:10b6:610::14) by BL0PR05MB4692.namprd05.prod.outlook.com (2603:10b6:208:29::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2157.8; Tue, 13 Aug 2019 05:05:26 +0000
Received: from CO1NAM05FT019.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e50::202) by CH2PR05CA0001.outlook.office365.com (2603:10b6:610::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2157.14 via Frontend Transport; Tue, 13 Aug 2019 05:05:26 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from P-EXFEND-EQX-01.jnpr.net (66.129.239.12) by CO1NAM05FT019.mail.protection.outlook.com (10.152.96.127) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2178.6 via Frontend Transport; Tue, 13 Aug 2019 05:05:26 +0000
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 12 Aug 2019 22:05:24 -0700
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 12 Aug 2019 22:05:24 -0700
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Mon, 12 Aug 2019 22:05:24 -0700
Received: from contrail-ubm16-mdb.svec1.juniper.net ([10.163.18.199]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id x7D55NIg015087; Mon, 12 Aug 2019 22:05:23 -0700 (envelope-from mdb@juniper.net)
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Ron Frederick <ronf=40timeheart.net@dmarc.ietf.org>, curdle <curdle@ietf.org>
In-Reply-To: <20190812222754.GE88236@kduck.mit.edu>
References: <CABcZeBM1xaLR2RqYo8_VmO1ue2qr3rn_52MhSDHagKhNF-AYQA@mail.gmail.com> <20190730214702.GS47715@kduck.mit.edu> <31257.1564525402@contrail-ubm16-mdb.svec1.juniper.net> <20190730231321.GU47715@kduck.mit.edu> <CADZyTk=9-pJ8mkwKSDMcZtN2DfD=C2OBDSm6v2pcvp-J2hekqg@mail.gmail.com> <0D4BB5A9-5E34-4038-BD5B-1EE63A67447D@juniper.net> <7859169F-D86B-4027-B060-6BAA6FD6CA6A@timeheart.net> <20190812222754.GE88236@kduck.mit.edu>
Comments: In-reply-to: Benjamin Kaduk <kaduk@mit.edu> message dated "Mon, 12 Aug 2019 17:27:55 -0500."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <783.1565672722.1@contrail-ubm16-mdb.svec1.juniper.net>
Date: Mon, 12 Aug 2019 22:05:23 -0700
Message-ID: <784.1565672723@contrail-ubm16-mdb.svec1.juniper.net>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(4636009)(39860400002)(376002)(136003)(346002)(396003)(2980300002)(199004)(189003)(11346002)(486006)(5660300002)(126002)(476003)(14444005)(8936002)(23726003)(2906002)(46406003)(305945005)(356004)(8676002)(81166006)(81156014)(97876018)(50466002)(117636001)(76176011)(7696005)(16586007)(316002)(26005)(54906003)(446003)(478600001)(4326008)(47776003)(6916009)(97756001)(2171002)(336012)(53936002)(70206006)(229853002)(70586007)(6246003)(86362001)(426003)(186003); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR05MB4692; H:P-EXFEND-EQX-01.jnpr.net; FPR:; SPF:SoftFail; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: e188b903-f475-45fd-dde8-08d71fabda84
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(4710121)(4711136)(1401327)(2017052603328); SRVR:BL0PR05MB4692;
X-MS-TrafficTypeDiagnostic: BL0PR05MB4692:
X-Microsoft-Antispam-PRVS: <BL0PR05MB46928AFB5A1A031B2BE7AB2BBFD20@BL0PR05MB4692.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 01283822F8
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: cJtUn8WmVSFdMA0Oq2sWD1CTiEuB+Ml5jnE4AhelXefN/HjVURDWMTOnC+i8QngyhCtUIAINbrRP4P76xfs4cu54+MRqMdcVDschRpsWqzAQB89u5xLsBEJXoCifNM1c5w7tIxZ3xK5ojq07tCtauCIccUAnSmLI6GXPT2lqcEuUFC94mFhGxP2+bH70zM0aj/JUA4++JhRPhLkwBpIlfHvElNdhkpAcr5UwyXwHZfoCo147maa243rpoG+Ud2dh62Yg/v8KU10lZxAp1tixDoDKhTdJbL/2zwPCWFjpoTBfCqY/pBCfKsj06YygH5XX5CuTxxNTQNfDM7HL9YnS4NnF/IKkQbgPil51vw+7bE5M+5lfrzwh6i7uHP2q4bQRCYq3KVPeOIxCL9S10CgnyABIyXdHavnIpq9XNMYgUq4=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Aug 2019 05:05:26.1136 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e188b903-f475-45fd-dde8-08d71fabda84
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[P-EXFEND-EQX-01.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR05MB4692
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-13_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908130054
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/x82EAE7bJ4-3G6A45_dgPXbFv6Q>
Subject: Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2019 05:05:36 -0000

Hi Ron & Ben,

Modulo the date stamp changes and the line break changes, here is what
the modified text looks like after trying to address the comments you
both made.

Let me know if I captured your intended changes correctly or not.

I can either upload a new version, or just roll these changes into the
next version after addressing any other comments during LC.

	Thanks,
	-- Mark

--- draft-ietf-curdle-ssh-curves-09.txt	2019-08-03 14:44:28.000000000 -0700
+++ draft-ietf-curdle-ssh-curves-10.txt	2019-08-12 21:55:24.000000000 -0700
@@ -133,21 +133,25 @@
    are generated as described therein.  Public keys are defined as
    strings of 32 bytes for Curve25519 and 56 bytes for Curve448.
 
-   Key-agreement schemes Curve25519 and Curve448 perform the Diffie-
-   Helman protocol using the functions X25519 and X448, respectively.
-   Implementations SHOULD compute these functions using the algorithms
-   described in [RFC7748].  When they do so, implementations MUST check
-   whether the computed Diffie-Hellman shared secret is the all-zero
-   value and abort if so, as described in Section 6 of [RFC7748].
-   Alternative implementations of these functions SHOULD abort when
-   either input forces the shared secret to one of a small set of
-   values, as discussed in Section 7 of [RFC7748].  Clients and servers
-   MUST fail the key exchange if the length of the received public keys
-   are not the expected lengths.  No further validation is required
-   beyond what is discussed in [RFC7748].  The derived shared secret is
-   32 bytes when Curve25519 is used and 56 bytes when Curve448 is used.
-   The encodings of all values are defined in [RFC7748].  The hash used
-   is SHA-256 for Curve25519 and SHA-512 for Curve448.
+   Key-agreement schemes "curve25519-sha256" and "curve448-sha512"
+   perform the Diffie-Helman protocol using the functions X25519 and
+   X448, respectively.  Implementations SHOULD compute these functions
+   using the algorithms described in [RFC7748].  When they do so,
+   implementations MUST check whether the computed Diffie-Hellman shared
+   secret is the all-zero value and abort if so, as described in
+   Section 6 of [RFC7748].  Alternative implementations of these
+   functions SHOULD abort when either input forces the shared secret to
+   one of a small set of values, as discussed in Section 7 of [RFC7748].
+   Clients and servers MUST fail the key exchange if the length of the
+   received public keys are not the expected lengths.  An abort for
+   these purposes is defined as a disconnect of the session with an
+   appropriate SSH "protocol error" for the fault provided to or by the
+   client.  No further validation is required beyond what is discussed
+   in [RFC7748].  The derived shared secret is 32 bytes when
+   "curve25519-sha256" is used and 56 bytes when "curve448-sha512" is
+   used.  The encodings of all values are defined in [RFC7748].  The
+   hash used is SHA-256 for "curve25519-sha256" and SHA-512 for
+   "curve448-sha512".
 
 3.1.  Shared Secret Encoding
 
@@ -158,9 +162,9 @@
 
    The shared secret, K, is defined in [RFC4253] and [RFC5656] as an
    integer encoded as a multiple precision integer (mpint).
-   Curve25519/448 outputs a binary string X, which is the 32 or 56 byte
-   point obtained by scalar multiplication of the other side's public
-   key and the local private key scalar.  The 32 or 56 bytes of X are
+   Curve25519/448 outputs a binary string X, which is the 32 or 56 byte
+   point obtained by scalar multiplication of the other side's public
+   key and the local private key scalar.  The 32 or 56 bytes of X are
    converted into K by interpreting the octets as an unsigned fixed-
    length integer encoded in network byte order.
 
@@ -215,8 +218,8 @@
    The way the derived binary secret string is encoded into a mpint
    before it is hashed (i.e., adding or removing zero-bytes for
    encoding) raises the potential for a side-channel attack which could
-   determine the length of what is hashed.  This would leak the most
-   significant bit of the derived secret, and/or allow detection of when
+   determine the length of what is hashed.  This would leak the most
+   significant bit of the derived secret, and/or allow detection of when
    the most significant bytes are zero.  For backwards compatibility
    reasons it was decided not to address this potential problem.

v2.23.0 | Report a Bug | By Email