Re: Fixing exchange of host keys in the SSH key exchange

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 08 April 2017 03:48 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463C612709D for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 7 Apr 2017 20:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXUuDwfcOXhP for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 7 Apr 2017 20:48:47 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F8A12778E for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 7 Apr 2017 20:48:41 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id C1D4784D9C; Sat, 8 Apr 2017 03:48:39 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id B21F284D91 for <ietf-ssh@netbsd.org>; Sat, 8 Apr 2017 03:48:37 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id aLnK8OZ-a4NW for <ietf-ssh@netbsd.org>; Sat, 8 Apr 2017 03:48:37 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 62AB784D79 for <ietf-ssh@netbsd.org>; Sat, 8 Apr 2017 03:48:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1491623316; x=1523159316; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=sErPhGsQYvbhOruAWqPgIlHmZMG66/ZW/xnP9ucx2Ug=; b=kh6xPAox+XWgRNlOfFs7p+Tu8KOWBoBKfXlpGJPJlkove6JVUn7PpVdl rAQXySc3TPO4I3JZASfYsbSCjvaFNeYEcxF28f1dGXyNQhIVycThtRVIR rnDTrvbA7Ekguo8dMi2p4CESaiy8Q8t1ITy1Qu51dsticz4x05VANG+TL Jb9O5fWTE7xrjaqdP2MpzMAPpolkqqtL674g14huLdnY60MzcPN1w74h1 Lxfbon/to6/EA2rPlhHP4D/AsASqVg3Bu7uBxVcFwxV32v2hDPQSYH5bg K1eFM7zrBm+9zGxQCn2h/0jqvkiBK/QoGkY61NVZEFt8tx4/ueoSbDj3I Q==;
X-IronPort-AV: E=Sophos;i="5.37,169,1488798000"; d="scan'208";a="148585242"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.3 - Outgoing - Outgoing
Received: from uxcn13-ogg-b.uoa.auckland.ac.nz ([10.6.2.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 08 Apr 2017 15:48:33 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 8 Apr 2017 15:48:32 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Sat, 8 Apr 2017 15:48:33 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Mouse <mouse@Rodents-Montreal.ORG>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: Fixing exchange of host keys in the SSH key exchange
Thread-Topic: Fixing exchange of host keys in the SSH key exchange
Thread-Index: AQHSrQL9CktYPaoqMkm97HMyMuzyS6G0Bp+AgAU9sgCAAZeYMw==
Date: Sat, 8 Apr 2017 03:48:32 +0000
Message-ID: <1491623291953.19014@cs.auckland.ac.nz>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <20170403200250.GB21972@serpens.de> <05DC33124D144EC0B39A5BF58C8E3A33@Khan>, <201704071529.LAA27568@Stone.Rodents-Montreal.ORG>
In-Reply-To: <201704071529.LAA27568@Stone.Rodents-Montreal.ORG>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Mouse <mouse@Rodents-Montreal.ORG> writes:

>They say, when describing hostkeys-00@openssh.com and hostkeys-
>prove-00@openssh.comcom, that "[i]t also supports graceful key rotation: a
>server may offer multiple keys of the same type for a period (to give clients
>an opportunity to learn them using this extension) before removing the
>deprecated key from those offered".
>
>I cannot see how this is even possible, at least not without a custom kex
>algorithm. With, for example, Diffie-Hellman as defined in 4253 section 8,
>the server presents only one host key to the client, and must choose which
>one to present before kex (and thus authentication) completes.  This then
>gives no room to "offer multiple keys of the same type".

I assumed the offered keys are via "hostkeys-00@openssh.com".com", not in the
keyex.  As the text says, it offers those for awhile, then when it seems all
clients have got a copy it switches the keyex from the old to the new key.

Peter.