Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 10 February 2016 08:22 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6100E1A00DB for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 00:22:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeQXUuKONHed for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 00:22:43 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694E61A00B4 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 10 Feb 2016 00:22:43 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id C5B4985EDD; Wed, 10 Feb 2016 08:22:42 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2142D85E6C for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id d07P3Uwg-414 for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:38 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id E44E485E57 for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 08:22:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1455092559; x=1486628559; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=zmvq+CEgbHy7V3kIyGGPyosnMMZyadaCkBUikdz3gRA=; b=k9aiO70EjHongrcPnJsg6aTM7dHTh98tZPE41KhJUwf0sCKykkaemsIa 7TCtg8aqT1DsrMnM9fx44mWsvZqBARf0pSuz+u1EpQ2+4y6o/7zsqF4UP ZnozcX0qVdBTNgcYiHE+GVC8+Z56mIT6/wjSJK+VUuJAeXUVXo1irrXZV v4afthRd/wQ3bhVfH+vlSWw9yXf/3a83cc65w/Sacj+C0kzp/xYX5RBVq xoBZuMazyAW8l5HPyKyjMMnLB6Bx7s+yJ3VV/9da2C4/DYEE+DPzy6R4g sOjkfKd9bIZX0ZQhSkbfUPaDfyCGdcwfrZB0YDkjwM1vHbJ+H+SvGOMK9 A==;
X-IronPort-AV: E=Sophos;i="5.22,425,1449486000"; d="scan'208";a="67118252"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 10 Feb 2016 21:22:33 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0266.001; Wed, 10 Feb 2016 21:22:32 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Thread-Topic: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Thread-Index: AdFj3DBkMdJDQld0Qaiw70eVAW98zw==
Date: Wed, 10 Feb 2016 08:22:32 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BEC444@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Damien Miller <djm@mindrot.org> writes: >So my recommendation would be: > >diffie-hellman-group1-sha1 NOT RECOMMENDED >diffie-hellman-group14-sha256 RECOMMENDED >diffie-hellman-group16-sha512 RECOMMENDED >diffie-hellman-group18-sha512 OPTIONAL > >(but 16+256 & 18+512 would be fine too) From an embedded perspective (which is what triggered this late reply) I'd prefer the -256's over the -512's, the less extra huge hash functions I have to include code for the better. I'd also like to see SHA-1 just die, there's no reason to specify it in a new spec published in 2016. Having said that I realise that there are other profiles that still specify SHA-1, but then I'd like to at least see the wording given as "SHOULD NOT" rather than "NOT RECOMMENDED". The latter is for restaurants, not security-critical infrastructure components. In fact same with RECOMMENDED and OPTIONAL, what's wrong with SHOULD and MAY? Those are more widely-used in standards. In particular I'd like to be able to point to SHA-1 as SHOULD NOT (which is pretty unambiguous) rather than NOT RECOMMENDED, which seems to say that people can keep on using it for as long as they like. It'd also be good to include a note, where the groups are defined not down in the security considerations, saying that the SHA-1 option is provided for backwards compatibility, shouldn't be used in new designs, and should be phased out of existing ones as quickly as possible because it's not secure. The danger here is is illustrated by the TLS 1.2 RFC: Support for the SSLv2 backward-compatible hello is now a MAY, not a SHOULD, with sending it a SHOULD NOT. Support will probably become a SHOULD NOT in the future. That's for a protocol that was known to be insecure thirteen years earlier. In fact all previous versions of TLS said: Warning: The ability to send Version 2.0 client hello messages will be phased out with all due haste. Implementors should make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for moving to newer versions. Thats from TLS 1.1 in 2006, so they'd spent more than a decade phasing it out with all due haste. The point is that without text in the spec that implementers can point to saying "if you're still using SHA-1, your product is broken" then it's going to hang around forever, as the TLS experience has shown. Still, as long as the draft doesn't decide to reintroduce support for MD5, like TLS 1.2 did... Peter.
- draft-baushke-ssh-dh-group-sha2-01 (was Re: DH gr… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Stephen Farrell
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… IWAMOTO Kouichi
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Simon Josefsson