Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb@juniper.net> Mon, 09 November 2015 22:25 UTC

To: Niels Möller <nisse@lysator.liu.se>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
In-Reply-To: <nnziyn2ft7.fsf@armitage.lysator.liu.se>
References: <9A043F3CF02CD34C8E74AC1594475C73F4B5993D@uxcn10-5.UoA.auckland.ac.nz> <2096379125-720@skroderider.denisbider.com> <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz> <55190.1447001241@eng-mail01.juniper.net> <9A043F3CF02CD34C8E74AC1594475C73F4B5A9BC@uxcn10-5.UoA.auckland.ac.nz> <nnziyn2ft7.fsf@armitage.lysator.liu.se>
Comments: In-reply-to: Niels Möller <nisse@lysator.liu.se> message dated "Mon, 09 Nov 2015 19:22:44 +0100."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Mon, 09 Nov 2015 14:24:36 -0800
Message-ID: <65113.1447107876@eng-mail01.juniper.net>

Hi Niels,

Niels Möller <nisse@lysator.liu.se> writes:

> Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:
> 
> > Since the verification process for both 186 and Lim-Lee generated
> > values is identical, you can verify the keys either way. So the spec
> > would cover both NIST and non-NIST options at the same time,
> > depending on implementer preference.
> 
> I'm not following the fine details here, but does the verification
> step include proving the primality of p (and q)?

There are two validations in FIPS 186-4:
a) Section A.1.1 Generation and Validation of Probable Primes
b) Section A.2.2 Assurance of the Validity of the Generator g

A FIPS implementation of ephemeral Finite Field Cryptography is expected
to generate p,q,g parameters using FIPS 186-4 methods.

There are two validations in NIST SP 800-56A:
a) Section 5.6.1.1 FFC Key Pair Generation
b) Section 5.6.2.4 FFC Full Public Key Validation Routine

A FIPS implementation of Diffie-Hellman is expected to generate a Key
Pair and do parameter validation using NIST SP 800-56A methods.

Right now, an implementation of RFC 4419 may assume a Sophie Germain
prime q with safe prime p such that p = 2q + 1. RFC 4419 section 6.1
Selection of Generator will often lead to values which are outside of
the q-ordered subgroup. Obviously, systems not using the Sophie Germain
and safe primes assumption do not have a q value on which to perform
validation, so from a FIPS point of view the key exchange would fail.

Niels Möller <nisse@lysator.liu.se> writes:

> "Mark D. Baushke" <mdb@juniper.net> writes:
> 
> > I would therefore really like to see it possible to express all of the
> > MODP groups via this new extension if possible.
> 
> I still think it is inappropriate to use group-exchange for groups
> that are going to be widely used. 

I suppose we disagree on this subject.

I believe it to be desirable to make published groups available to the
RFC 4419 extension mechanism when there may not have been time or
sufficient entropy to generate key pairs of the selected size for
ephemeral groups.

> Widely used groups should be subject to negotiation. 

I have no objection to this approach.

As has been noted by Peter, there are many different mechanisms for
generation of the primes to be used for ephemeral groups. It should be
possible to perform FIPS validation on those p,q,g parameters, but to do
that would require an extension to the possible messages to send q to
the client from the server.

As to your suggestion, I have no objection if we also want to add
negotiation for some more fixed DH MODP groups.

It may also be desirable to set up a way that RFC 3526 groups:

  diffie-hellman-group14-sha256 (2048-bit MODP group - 112 bits of security)
  diffie-hellman-group15-sha256 (3072-bit MODP group - 128 bits of security)

  diffie-hellman-group16-sha384 (4096-bit MODP group - ~150 bits of security)

or

  diffie-hellman-group16-sha512 (4096-bit MODP group - ~150 bits of security)

could be used.

I do not really see a strong need for these:

  group17 (6144-bit MODP Group - ~170 bits of security)
  group18 (8192-bit MODP Group - ~190 bits of security)

at the present time.

> Group-exchange should be used only for ephemeral groups which each
> server discard before they get "widely used".

This is not a bad idea, but right now there exist only the ecdh-sha2-*
KEX methods which are FIPS compliant. Not all implementations of SSH seem
to want or are able to use ECDH. It is somewhat desirable to have a DH
mechanism that is able to use sha256, which leaves only
diffie-hellman-group-exchange-sha256 at present.

As has been noted, diffie-hellman-group-exchange-sha256 may be difficult
to use in a FIPS compliant manner, as many implementations are not
selecting a g that allows a FIPS compliant implementation to always
interoperate between client and server.

	Thanks,
	-- Mark
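As an added illustration (not part of the message above), here are the FIPS 186-4 A.2.2 generator check and the SP 800-56A 5.6.2.4 full public key check Mark refers to, in Python over a constructed toy safe-prime group (q = 11, p = 2q+1 = 23). The function names and toy values are mine; a generator of order p-1, which RFC 4419 section 6.1 permits, is what fails the q-subgroup check.

```python
# Added example (not from the thread): FFC parameter and public key validation
# in the spirit of FIPS 186-4 A.1.1 / A.2.2 and SP 800-56A 5.6.2.4, over a
# constructed toy safe-prime group so the arithmetic is visible.
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test, the building block of FIPS 186-4 A.1.1."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_domain_params(p: int, q: int, g: int):
    """A.1.1-style: p and q probable primes with q | p-1.
    A.2.2-style: 2 <= g <= p-1 and g^q mod p == 1 (g lies in the order-q subgroup)."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "p or q is not a probable prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p-1"
    if not 2 <= g <= p - 1:
        return False, "g out of range"
    if pow(g, q, p) != 1:
        return False, "g is not in the q-order subgroup"
    return True, "ok"

def validate_public_key(p: int, q: int, y: int) -> bool:
    """SP 800-56A 5.6.2.4-style full validation: 2 <= y <= p-2 and y^q mod p == 1."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

# Constructed toy group: q = 11 (Sophie Germain prime), p = 2q+1 = 23 (safe prime).
# 23 = 7 (mod 8), so 2 is a quadratic residue and has order q; 5 has order p-1 = 2q.
P, Q = 23, 11
if __name__ == "__main__":
    print(validate_domain_params(P, Q, 2))   # passes: g = 2 is in the q-order subgroup
    print(validate_domain_params(P, Q, 5))   # fails: g = 5 generates the whole group
    print(validate_public_key(P, Q, pow(2, 7, P)), validate_public_key(P, Q, pow(5, 3, P)))
```

A peer public value computed from an order-(p-1) generator with an odd secret exponent fails the y^q check, which is the interoperability failure the message describes.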