Re: [Curdle] [saag] Time for SSH3?

Watson Ladd <watsonbladd@gmail.com> Thu, 21 December 2023 01:18 UTC

References: <GVXPR07MB96789816DE49A02D46AC25628996A@GVXPR07MB9678.eurprd07.prod.outlook.com> <SY4PR01MB6251678A7FD714B5CDC26A8FEE96A@SY4PR01MB6251.ausprd01.prod.outlook.com> <30cd214d9666d142cd8987ead79d5b42.squirrel@mail.ihtfp.org> <20231220163501.GB297455@mit.edu> <SY4PR01MB625177AA4A7EA68E90AFEA54EE95A@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <SY4PR01MB625177AA4A7EA68E90AFEA54EE95A@SY4PR01MB6251.ausprd01.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 20 Dec 2023 17:18:35 -0800
Message-ID: <CACsn0cmumHP_Gzh=-LgV7uRxm0mRh+2EyNG-vvRBFFkL3WH0pg@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Theodore Ts'o <tytso@mit.edu>, Derek Atkins <derek@ihtfp.com>, "curdle@ietf.org" <curdle@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, saag <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/yn71MgXirldHbfWoPDryR4FPIb8>
Subject: Re: [Curdle] [saag] Time for SSH3?

On Wed, Dec 20, 2023 at 5:10 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
> Theodore Ts'o <tytso@mit.edu> writes:
>
> >Well, one of the algorithms in question is chacha20-poly1305@openssh.com,
> >which is the default for OpenSSH, which is why the preprint claims that 77%
> >of all ssh connections are vulnerable.
>
> And this is a major part of the problem.  If you look at what this
> vulnerability involves, the exploitable issue is a combination of an
> @openssh.com crypto mechanism, another @openssh.com crypto mechanism, and an
> @openssh.com crypto extension (assuming server-sig-algs, ping, etc aren't a
> big deal).
>
> You may be seeing a pattern here.
>
> Not wanting to specifically bash OpenSSH but simply pointing out a problem,
> these are homebrew crypto mechanisms that never went through any kind of
> independent review like the rest of the SSH crypto but merely appeared one day
> in the dominant implementation, which forced everyone else to track down where
> they were documented (in the bottom of a locked filing cabinet stuck in a
> disused lavatory with a sign on the door saying 'Beware of the Leopard') and
> figure out a compatible implementation.
>
> In contrast TLS' EtM went through the full RFC process with independent review
> and plenty of nitpicking (RFC 7366), and AFAIK no such attack exists for that.
> This wasn't a failure of the SSH standards process or protocol because it's
> something that was never part of the SSH standard or (RFC-documented) SSH
> protocol, it's a third-party homebrew add-on that everyone else was forced to
> adopt.

Are you sure you want to say the RFC process provides the sort of
security analysis that prevents these attacks in TLS?

Bleichenbacher, Insecure renegotiation, Bodo's doc on CBC, BREACH,
CRIME, POODLE, Insecure DH params, Triple Handshake, Lucky 13.

What's really stopped this dismal parade is actual analysis by people
who know what they are doing, together with motivated deployers of
properly analyzed protocols.

Sincerely,
Watson Ladd
-- 
Astra mortemque praestare gradatim