Re: [secdir] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14

Mališa Vučinić <malisa.vucinic@inria.fr> Mon, 01 March 2021 14:49 UTC

Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE613A1D77; Mon, 1 Mar 2021 06:49:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LK8hBrmxA_dA; Mon, 1 Mar 2021 06:49:02 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78C263A1D75; Mon, 1 Mar 2021 06:49:01 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.81,215,1610406000"; d="p7s'?scan'208";a="495482332"
Received: from adsl-46-161-92090.crnagora.net (HELO [192.168.100.4]) ([46.161.92.90]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 01 Mar 2021 15:48:58 +0100
User-Agent: Microsoft-MacOutlook/10.11.0.180909
Date: Mon, 01 Mar 2021 15:48:56 +0100
From: Mališa Vučinić <malisa.vucinic@inria.fr>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: secdir@ietf.org, curdle@ietf.org, draft-ietf-curdle-ssh-kex-sha2.all@ietf.org, last-call@ietf.org
Message-ID: <45ED078E-4F15-430F-A6BC-2C0691EDD9B4@inria.fr>
Thread-Topic: Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14
References: <161426245763.32636.14586046669535474103@ietfa.amsl.com> <20210228010137.GU21@kduck.mit.edu>
In-Reply-To: <20210228010137.GU21@kduck.mit.edu>
Mime-version: 1.0
Content-type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3697458536_1444056079"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pefzS1_RrAVy_E1OriaWHXAWSUg>
Subject: Re: [secdir] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 14:49:06 -0000

Thanks Ben, a couple of comments inline, enclosed within [MV] ... [/MV].

Mališa

On 28/02/2021 02:01, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

    Hi Mališa,
    
    Thanks for the detailed review!
    
    I can only answer for some of the points, so hopefully Mark can chime in as
    needed.
    
    On Thu, Feb 25, 2021 at 06:14:18AM -0800, Mališa Vučinić via Datatracker wrote:
    > Reviewer: Mališa Vučinić
    > Review result: Has Issues
    > 
    > I reviewed this document as part of the Security Directorate's ongoing effort
    > to review all IETF documents being processed by the IESG.  These comments were
    > written primarily for the benefit of the Security Area Directors.  Document
    > authors, document editors, and WG chairs should treat these comments just like
    > any other IETF Last Call comments.
    > 
    > I have found this document to have several issues related to the normative
    > language, imprecise wording, and inconsistent structure. Security
    > Considerations section is too generic and needs to detail the considerations of
    > using specific methods. My detailed comments are given below and I would
    > suggest a major editorial pass over the document.
    > 
    > Technical comments
    > ===================
    > 
    > Section 1.2.2.
    > “The minimum MODP group that MAY be used is the 2048-bit MODP group14.
    > Implementations SHOULD support a 3072-bit MODP group or larger.” - The use of
    > RFC2119 keywords here does not seem appropriate. These are the guiding
    > principles for specifying requirement levels of specific key exchange methods,
    > which are given in Section 3.
    > 
    > Section 1.2.3:
    > “The use of a SHA-2 Family hash with RSA 2048-bit keys has sufficient security.”
    > - Please define “sufficient” security
    > 
    > “The rsa1024-sha1 key exchange has less than 2048 bits and MUST NOT be
    > implemented.” - My view of Sections 1.2.1, 1.2.2 and 1.2.3  is that they give a
    > recap of public-key approaches with corresponding security levels when used
    > with different parameters. II am missing how a normative text on rsa1024-sha1
    > key exchange belongs here, and not to Section 3.4. Only in this section
    > (compared to 1.2.1 and 1.2.2) you reference specific SSH key exchange methods.
    > What does the security strength column in Table 3 refer to? The security level
    > of the RSA variant or of the hash function? Please make this consistent with
    > 1.2.1 and 1.2.2.
    
    It seems that an overarching consideration here is that we only need to
    make any given normative statement once in the document, and can refer to
    it or make other supporting statements as needed in other parts of the
    document.  I probably didn't pay as much care to this point in my review as
    I could have...

[MV] Agreed. [/MV]
    
    > Section 3.1:
    > “All of the key exchanges using the SHA-1 hashing algorithm should be
    > deprecated and phased out of use because SHA-1 has security concerns, as
    > documented in [RFC6194].” "It is reasonable to retain the
    > diffie-hellman-group14-sha1 exchange for interoperability with legacy
    > implementations.  The diffie-hellman-group14-sha1 key exchange MAY be
    > implemented.” - This text is conflicting with the statement just above that
    > SHA-1 should be deprecated, as you keep SHA1-based method as MAY for legacy
    > interop. Could you point me to the relevant discussion in the working group
    > where this decision has been made? Could you comment in the text on security
    > properties of the construct.
    
    The concern here is that diffie-hellman-group14-sha1 was one of only two
    "MUST implement" algorithms in the previous version of the spec, and that
    both (1) moving directly from "MUST" to "MUST NOT" is a huge leap that
    requires correspondingly strong justification; and (2) there was desire
    preserve the option to have backwards compatibility with non-updated
    implementations that, for example, only had the old MTI key-exchange
    method.
    
    There's some more extensive text discussing this that was produced in
    response to the genart review; the last consolidated version is at
    https://mailarchive.ietf.org/arch/msg/gen-art/GSb7vxgIDwu8ocOfiFwTRhTsoF0/
    but a few more edits were suggested in follow-up messages.
    
[MV] Thanks for the pointer and detailing the reasoning! [/MV]


    > “The SHA-2 Family of hashes [RFC6234] is the only one which is more secure than
    > SHA-1 and has been standardized for use with SSH key exchanges.” - “is the only
    > one which is more secure than SHA-1” seems too general of a statement, what
    > about SHA3?
    
    SHA3 is not standardized for use with SSH key exchange (yet).  The options
    are pretty limited when we limit it to just standardized ones.

[MV] 
This was really a subtle editorial comment: the statement read to me as (1) "SHA-2 is the only hash function which is more secure than SHA-1"; (2) "SHA-2 has in addition been standardized for use with SSH key exchanges". My comment was referring to (1). 

To me, one simple "that" would make a difference:

[OLD] The SHA-2 family of hashes [RFC6234] is the only one which is more secure than SHA-1 and has been standardized for use with SSH key exchanges. [/OLD]
[NEW] The SHA-2 family of hashes [RFC6234] is the only one which is more secure than SHA-1 and that has been standardized for use with SSH key exchanges. [/NEW]

I am not a native speaker so please feel free to disregard if this doesn't make any sense :)

[/MV]
    
    > Section 3.2.3:
    > - Title of the section got me confused. Sections 3.2.2 and 3.2.1 already
    > discuss ECDH-based key exchange methods. Could you make a clear differentiation
    > between the methods referenced in this section in terms of their cryptographic
    > core from those discussed in 3.2.2 and 3.2.1
    > 
    > “All of the NISTP curves named therein are mandatory to implement if any of
    > that RFC is implemented.” - Since this document does not update RFC 5656, I am
    > missing how it is appropriate to make this statement.
    
    My reading of this statement is that it is already a requirement of RFC
    5656 §10.1:
    
       Every SSH ECC implementation MUST support the named curves below.
       [table including nistp256, nistp384, and nistp521]

[MV] In the sense that the statement is just reiterating the requirement of RFC 5656 ? Sounds good. [/MV]
    
    > Section 3.3.1:
    > “This random selection from a set of pre-generated moduli for key exchange uses
    > SHA2-256 as defined in [RFC4419].” - RFC 4491 defines two key exchange methods,
    > diffie-hellman-group-exchange-sha1 using SHA1, and
    > diffie-hellman-group-exchange-sha256 using SHA-256. In this section you do not
    > mention the former. Phrasing “This key exchange MAY be used.” leaves ambiguity
    > which of the two methods you refer to.
    > 
    > Section 6:
    > - Security Considerations section is extremely generic and needs to be
    > improved. Referencing security considerations of the SSH protocol in RFC 4251
    > is appropriate, but since the point of this document is the update of the
    > requirement level of key exchange methods, the last paragraph should be
    > extended and more specific. While the discussion in Section 1.1 gives details
    > on the attacks on SHA-1, which can be referenced here, I would suggest
    > reiterating in the Security Considerations the practical consequences of using
    > the SHA-1 -based methods that are listed as SHOULD NOT, but also the
    > rsa1024-sha1 method that is listed as MUST NOT. Please stress the security
    > considerations of using diffie-hellman-group14-sha1 which is still a MAY.
    > 
    > Editorial comments and nits
    > ===================
    > 
    > - Please explicitly reference each table in the text. I would further suggest
    > adding a table in each section discussing new requirement levels of specific
    > key exchange methods, even if it would consist of a single entry, in order to
    > have a consistent structure.
    > 
    > Section 1:
    > “This document updates [RFC4250] [RFC4253] [RFC4432] [RFC4462] by changing the
    > requirement level ("MUST" moving to "SHOULD" or "MAY" or "SHOULD NOT", and
    > "MAY" moving to "MUST" or "SHOULD" or "SHOULD NOT" or "MUST NOT") of various
    > key-exchange mechanisms.” - The specific updates to these documents are spread
    > out throughout the text and pretty hard to grasp. It would be nice to see Table
    > 6 updated, by adding the reference RFC that is being updated, alongside the RFC
    > specifying the key exchange method, and maybe an old requirement level.
    > 
    > Section 1.1:
    > - introduce protocol parameters I_C and I_S
    
    These are standard protocol elements from RFC 4253; we should probably have
    a note at the top of the document that we freely use the terminology from
    that document.

[MV] Works for me, but adding "protocol parameters" in that sentence wouldn't hurt either. [/MV]
    
    -Ben
    
    > Section 3:
    > “and provides a suggested suitability for implementation of MUST, SHOULD,
    > SHOULD NOT, and MUST NOT.  Any method not explicitly listed MAY be
    > implemented.” - there are some explicit MAYs in the document, yet MAY is not
    > listed here.
    > 
    > Section 3.2.1:
    > “The use of SHA2-256 (also known as SHA-256 and sha256) as defined in [RFC6234]
    > for integrity is a reasonable one for this method” - “this” method not clear.
    > Be explicit and mention curve25519-sha256 key exchange method.
    > 
    > "it shares the same performance and security characteristics as curve25519-sha2”
    > - the key exchange method as standardized seems to be curve25519-sha256.
    > 
    > Section 3.2.2:
    > “It uses SHA2-512 (also known as SHA-512) defined in [RFC6234] for integrity.”
    > - “it” refers to the curve, not to the key exchange method. Rephrase to e.g.
    > corresponding key exchange method(s)
    > 
    > Section 3.2.1 and 3.2.2:
    > - Shuffle the content in these sections, first introduce the key exchange
    > methods, then talk about curves and hash function they use
    > 
    > Section 3.2.3:
    > - s/The are described in /These are described in
    > - s/Diffie Hellman/Diffie-Hellman
    > - s/elliptic curve Diffie Hellman/Elliptic-curve Diffie-Hellman
    > 
    > Section 3.3.1:
    > - You open a section with “This” which is confusing. Please rephrase.
    > - Add a table summarizing the requirement level per method, even if it consists
    > of a single method, in order to be consistent with other sections.
    > 
    > Section 3.3.2
    > - Please add some context and differentiation from Section 3.3.1
    > - Can you reference the RFC that specifies the methods discussed in this
    > section?
    > 
    > Section 3.5
    > “There are two key exchange methods, ext-info-c and ext-info-s, defined in
    > [RFC8308] which are not actually key exchanges.” - s/two key exchange
    > methods/two methods
    > 
    > 
    >