IETF Logo Mail Archive

Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 10 February 2016 08:22 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6100E1A00DB for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 00:22:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeQXUuKONHed for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 00:22:43 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694E61A00B4 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 10 Feb 2016 00:22:43 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id C5B4985EDD; Wed, 10 Feb 2016 08:22:42 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2142D85E6C for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id d07P3Uwg-414 for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:38 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id E44E485E57 for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1455092559; x=1486628559; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=zmvq+CEgbHy7V3kIyGGPyosnMMZyadaCkBUikdz3gRA=; b=k9aiO70EjHongrcPnJsg6aTM7dHTh98tZPE41KhJUwf0sCKykkaemsIa 7TCtg8aqT1DsrMnM9fx44mWsvZqBARf0pSuz+u1EpQ2+4y6o/7zsqF4UP ZnozcX0qVdBTNgcYiHE+GVC8+Z56mIT6/wjSJK+VUuJAeXUVXo1irrXZV v4afthRd/wQ3bhVfH+vlSWw9yXf/3a83cc65w/Sacj+C0kzp/xYX5RBVq xoBZuMazyAW8l5HPyKyjMMnLB6Bx7s+yJ3VV/9da2C4/DYEE+DPzy6R4g sOjkfKd9bIZX0ZQhSkbfUPaDfyCGdcwfrZB0YDkjwM1vHbJ+H+SvGOMK9 A==;
X-IronPort-AV: E=Sophos;i="5.22,425,1449486000"; d="scan'208";a="67118252"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 10 Feb 2016 21:22:33 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0266.001; Wed, 10 Feb 2016 21:22:32 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Thread-Topic: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Thread-Index: AdFj3DBkMdJDQld0Qaiw70eVAW98zw==
Date: Wed, 10 Feb 2016 08:22:32 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BEC444@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Damien Miller <djm@mindrot.org> writes:

>So my recommendation would be:
>
>diffie-hellman-group1-sha1        NOT RECOMMENDED
>diffie-hellman-group14-sha256     RECOMMENDED
>diffie-hellman-group16-sha512     RECOMMENDED
>diffie-hellman-group18-sha512     OPTIONAL
>
>(but 16+256 & 18+512 would be fine too)

From an embedded perspective (which is what triggered this late reply) I'd
prefer the -256's over the -512's, the less extra huge hash functions I have
to include code for the better.  I'd also like to see SHA-1 just die, there's
no reason to specify it in a new spec published in 2016.  Having said that I
realise that there are other profiles that still specify SHA-1, but then I'd
like to at least see the wording given as "SHOULD NOT" rather than "NOT
RECOMMENDED".  The latter is for restaurants, not security-critical
infrastructure components.

In fact same with RECOMMENDED and OPTIONAL, what's wrong with SHOULD and MAY?
Those are more widely-used in standards.  In particular I'd like to be able to
point to SHA-1 as SHOULD NOT (which is pretty unambiguous) rather than NOT
RECOMMENDED, which seems to say that people can keep on using it for as long
as they like.

It'd also be good to include a note, where the groups are defined not down in
the security considerations, saying that the SHA-1 option is provided for
backwards compatibility, shouldn't be used in new designs, and should be
phased out of existing ones as quickly as possible because it's not secure.
The danger here is is illustrated by the TLS 1.2 RFC:

  Support for the SSLv2 backward-compatible hello is now a MAY, not a SHOULD,
  with sending it a SHOULD NOT.  Support will probably become a SHOULD NOT in
  the future.

That's for a protocol that was known to be insecure thirteen years earlier.
In fact all previous versions of TLS said:

 Warning: The ability to send Version 2.0 client hello messages will be
          phased out with all due haste. Implementors should make every
          effort to move forward as quickly as possible. Version 3.0
          provides better mechanisms for moving to newer versions.

Thats from TLS 1.1 in 2006, so they'd spent more than a decade phasing it out
with all due haste.

The point is that without text in the spec that implementers can point to
saying "if you're still using SHA-1, your product is broken" then it's going
to hang around forever, as the TLS experience has shown.

Still, as long as the draft doesn't decide to reintroduce support for MD5,
like TLS 1.2 did...

Peter.

v2.23.0 | Report a Bug | By Email