Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-curves-09
Christer Holmberg <christer.holmberg@ericsson.com> Mon, 26 August 2019 17:37 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FA0120B31; Mon, 26 Aug 2019 10:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buAlRZBGsB7x; Mon, 26 Aug 2019 10:37:22 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140059.outbound.protection.outlook.com [40.107.14.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB65120AEB; Mon, 26 Aug 2019 10:37:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hvphiCJkLVAXRoMxUGOzVr65Zv0iHu+YhTTAL3mbw7s6/U2yAroAD4NQogJTY3OFdUBGY9gj1ZTyF/O4nkxUcSWtht1pGhn2cWjpOREee8Ypm9Mjt1iV0MWqkuPeYILS0CnNfam6q5M347HzeHmn/+6P/iqeOvuGvGiXAnh83XXriPSA51JyNob/ZuoYi0EDlCIZFRdG8S9ioOuAY4SWQg8mgFiZEfEy1ez3lM0uzyqHFjjUxxzhTlaa7KinwEVRDRT9B1bECqLwqB841Zdjvg3sYVhCWJIghO9o+e6nkYqcQSlC5/jnDna8/pGKFu5Bgsw8uvhAw/Yd9DzNPifiQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=j9xxsWIeJjv5LMsY9BQfQ+MtzYWMwIYS2+pEEKpeWPU=; b=WGCBlRSfgrMunQ6UNPFg/hnjKhQpjpTBHMSr9Mqs/n8yTQIY3Dg0jbpiX2663eEaSQFPcW3DMpjWETPebDzKbWmkYEXcvOS94/K/VhaVfSS9MxY7nPT/dnq7lm2LOhfKgb3AkItr68LsvFULLjVXHXTMrAnM1Muf/Z1wtR2DimfHkw1nMC8/U+WUD5UrOkanV1W6rRDqroNJmNibJ/KQdLyvaHMSK5MBIbN/EQoeQFw2S3CDq2ZPYWaJtv5vMpu5n0O7yOd/1rUXxaWiq8aNHKsXXk3meFes/vTUQfB+Dno9NkaTt5qF3qMEnRY8Hb2X7phRKNSYTgDk3VgFRzPTWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=j9xxsWIeJjv5LMsY9BQfQ+MtzYWMwIYS2+pEEKpeWPU=; b=F40Z7HceF5UCli1coVQ9C8jK5Cs+KIPHvUaa78kWlzimIbqclINHrCXWvGStPd2ZMNY/t0k0VWTnkZOfrsFPX+6AGCDAkL8Ys6GD22Kx93Ne/ADJRhWXrXWK2XpZPpgCXjJjhwrPqRfpCfX3N8LbF7PZalYsuZEAs2mv3SlQbOU=
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com (10.175.243.17) by VI1PR07MB5327.eurprd07.prod.outlook.com (20.178.11.209) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2220.14; Mon, 26 Aug 2019 17:37:16 +0000
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::d031:8cb6:bfb:dc3]) by VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::d031:8cb6:bfb:dc3%3]) with mapi id 15.20.2199.021; Mon, 26 Aug 2019 17:37:16 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Mark D. Baushke" <mdb@juniper.net>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-curdle-ssh-curves.all@ietf.org" <draft-ietf-curdle-ssh-curves.all@ietf.org>
Thread-Topic: Genart last call review of draft-ietf-curdle-ssh-curves-09
Thread-Index: AQHVXCtcvr2YSg9UakaoGGnxJPuFPKcNqHWs
Date: Mon, 26 Aug 2019 17:37:16 +0000
Message-ID: <VI1PR07MB31676329164CD78688C193E393A10@VI1PR07MB3167.eurprd07.prod.outlook.com>
References: <156647523885.14827.16394888562228822662@ietfa.amsl.com>, <19556.1566836922@contrail-ubm16-mdb.svec1.juniper.net>
In-Reply-To: <19556.1566836922@contrail-ubm16-mdb.svec1.juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [79.134.118.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ee58ba6-cf25-41d1-5614-08d72a4c0999
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:VI1PR07MB5327;
x-ms-traffictypediagnostic: VI1PR07MB5327:
x-microsoft-antispam-prvs: <VI1PR07MB53275DBDD7FDE4579E896BFF93A10@VI1PR07MB5327.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01415BB535
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(136003)(376002)(346002)(366004)(189003)(199004)(54906003)(102836004)(66946007)(76116006)(6506007)(53936002)(3846002)(7696005)(316002)(6116002)(66476007)(66556008)(64756008)(66446008)(71190400001)(256004)(74316002)(14454004)(14444005)(26005)(66066001)(6436002)(55016002)(9686003)(1941001)(52536014)(8676002)(25786009)(4326008)(305945005)(5660300002)(186003)(86362001)(7736002)(71200400001)(76176011)(33656002)(2906002)(8936002)(6916009)(99286004)(486006)(476003)(478600001)(11346002)(81156014)(229853002)(446003)(6246003)(44832011)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB5327; H:VI1PR07MB3167.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: hrbJxMyEoz2U2k8Bobeejxpqtbq0xVP6X4W89GIp6P8SRUD7khM7eAt/wcvdVVkOMtDD4FRGPW/Jz74UT6l95LSNvbPIb8R/IQRkRtVGajdJbe8HlHHbzzKHJ361rMPu14MC1/7M1hUnbaiQHpd4b6V0L2EilaZ74OrRBZC24tkeiYlADBnYE0qKdt0lnYWhPMvaRmzgLTcgiI04ydeRnAfitsNqAAN9raJcrFZbCi3ygrvH5S5brjcTfQ4hdGc5gt6DnSCA8XCZXj1ODi6z3G84WnY4LXyZS7ympnvxjKo8RX/hiuiWeyL/y8/HDEagXiE9y8GDRLdWP4ZWS8JYlLoMylI0sdzQcNyq9hzDRrCbH3TZNk6FcgeKzyLzleiMrG30z0WZRB6QPAHmVZwOcSPK1cFzdBQDeE38u73f8Z0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ee58ba6-cf25-41d1-5614-08d72a4c0999
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Aug 2019 17:37:16.2589 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pOWHW7qyXe0mGyjflgByXW4HeLddHq+fqWbpGUUs9SuRPFwbDZprtnEReF+e+OtVLuaaMSPw5LveaXHG1GB/8G1RR5MWhhSPz9gGvg9CwP8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5327
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/8N0FTVNzWE6HptIQFeBpaBfNlJk>
Subject: Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-curves-09
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2019 17:37:26 -0000
Hi Mark, Please see inline. I have removed the comments where your suggested solution is fine and I have nothing further to say. Nits/editorial comments: General: --------- QGEN_1: >> - The document uses “as discussed in”, “as defined in”, “as described” >> in terminology. It might be justified to use different terminology in >> some cases, but in general I suggest trying to use consistent terminology. … >The use of "as described in" is found in the standard boilerplate >copyright notice and the boilerplate Requirements language sections. >So, I have migrated from "discussed" to described" for consistentcy. That's good. Section 1: ----------- Q1_1: >> The text says: >> >> ”[RFC5656] describes how elliptic curves are integrated in SSH, and this document reuses those protocol messages.” >> >> …and: >> >> “This document describes how to implement key exchange based on Curve25519 and Curve448 [RFC7748] in SSH.” >> >> - It is unclear to me what “integrated in SSH” means. > > The title of RFC 5656 is "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" and this Draft intents to augment the > Elliptic Curve methods defined there. > >> >> Does it mean that RFC 5656 describes the generic procedures for performing SSH key exchanges using elliptic curves, or does it also >> cover other things? > > RFC5656 covers three specific constructions: > > a) Elliptic Curve Diffie-Hellman (ECDH),> > b) Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and > c) Elliptic Curve Digital Signature Algorithm (ECDSA). > > This draft does not cover the use of a digital signature algoirthm or apply the Curve25519 or Curve448 constructions to the use of ECMQV and > focuses entirely on ECDH key exchange extensions for a different construction of elliptic curves. Would it be good to indicate that in a note? >> - I think the “this document reuses those protocol messages” sounds a >> little confusing because I don't know what “those protocol message” >>refers to. Perhaps say something like “reuses the protocol messages >> defined in that specification”. > > This draft resuses the SSH_MSG_KEX_ECDH_INIT and SSH_MSG_KEX_ECDH_REPLY > messages which apply to the ECDH construction as in in section 4 of this draft. > > Does this paragraph work as a better replacement for the first paragraph > of the introduction? Or, is it too detailed for a summary introduction? > > Secure Shell (SSH) <xref target="RFC4251"/> is a secure remote > login protocol. The key exchange protocol described in <xref > target="RFC4253"/> supports an extensible set of methods. <xref > target="RFC5656"/> defines how elliptic curves are integrated > into this extensible SSH framework, and this document reuses the > Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol > messages defined in section 7.1 "ECDH Message Numbers" <xref > target="RFC5656"/>. > > It seems a bit detailed to me for an introduction. Let me know if you > have any suggestions on a revision. I think the text looks good, and it is for sure a good clarification for a non-security person like myself :) --- Q1_4: >> The text says: >> >> “The Curve448 key exchange method is novel but similar in spirit,” >> >> - I don't know what this means, since there is now further explanation. > > The paragraph now reads: > >This document describes how to implement key exchange based on >Curve25519 and Curve448 <xref target="RFC7748"/> in SSH. For >Curve25519 with SHA-256 <xref target="RFC6234"/>, the algorithm >described is equivalent to the privately defined algorithm >"curve25519-sha256@libssh.org", which at the time of publication > was implemented and widely deployed in libssh and OpenSSH. The > Curve448 key exchange method is similar but uses SHA-512 <xref > target="RFC6234"/> to further separate it from the Curve25519 > alternative. Looks good. > Would you rather that I use 'This document defines ...' here and in the > abstract rather than 'This document describes ...' ? Please advise. Personally I would use "describe", but my main issue is being consistent - no matter what word is used :) --- Q1_5: >> The text says: >> >> >> “This document provide Curve25519 as the preferred choice, but >> suggests that the fall back option Curve448 is implemented to provide >> an hedge against unforeseen analytical advances against Curve25519 >> and SHA-256.” >> >> - Is the only reason why one should implement Curve448 that something >> MAY happen to Curve25519 in the future? > >No, the Curve448 also has a stronger cryptographic security strength. If >it becomes a requirement to use a minimum of 128 bits of security >strength, then Curve25519 may be rejected by some and thus the need to > provide for something stronger. Wouldn't it be enough to say that, instead of talking about unforeseen analytical advances etc? I noted that the sec-dir reviewer had some comments on that too. Please see below for suggested modified text. > Let me know if you which to have me remove the entire paragraph or not. I think you could keep the paragraph, but instead say something like: “This document provide Curve25519 as the preferred choice, but suggests that the Curve448 is implemented in order to provide 128 bits of security strength, should that become a requirement. At the time of writing this specification high-quality free implementations of Curve25519 had been in deployed use for several years, while Curve448 implementations were slowly appearing, so it was accepted that adoption of Curve448 would be slower." > Should I upload my updated draft-ietf-curdle-ssh-curves-10.xml or > do you have additional suggestions? I haven't seen the update draft yet, but if you are ok with my suggestions you can go ahead to upload. If you are not ok with my suggestions, then let me know :) Regards, Christer
- [Curdle] Genart last call review of draft-ietf-cu… Christer Holmberg via Datatracker
- Re: [Curdle] Genart last call review of draft-iet… Mark D. Baushke
- Re: [Curdle] Genart last call review of draft-iet… Christer Holmberg
- Re: [Curdle] Genart last call review of draft-iet… Mark D. Baushke
- Re: [Curdle] Genart last call review of draft-iet… Christer Holmberg
- Re: [Curdle] Genart last call review of draft-iet… Mark D. Baushke
- Re: [Curdle] Genart last call review of draft-iet… Benjamin Kaduk
- Re: [Curdle] Genart last call review of draft-iet… Christer Holmberg
- Re: [Curdle] [Gen-art] Genart last call review of… Alissa Cooper