Re: RFC 4253 possible errata

Ron Frederick <ronf@timeheart.net> Thu, 22 June 2017 04:44 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E050A127B52 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 21 Jun 2017 21:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.091
X-Spam-Level:
X-Spam-Status: No, score=-4.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZOCOxqL55UB for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 21 Jun 2017 21:44:35 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47814126C0F for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 21 Jun 2017 21:44:35 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 37D17855DC; Thu, 22 Jun 2017 04:44:34 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id D2F45855D9; Thu, 22 Jun 2017 04:44:33 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id CD55884D8D for <ietf-ssh@netbsd.org>; Wed, 21 Jun 2017 18:41:40 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id rXnFTFDlHbF5 for <ietf-ssh@netbsd.org>; Wed, 21 Jun 2017 18:41:40 +0000 (UTC)
Received: from mail-pf0-x241.google.com (mail-pf0-x241.google.com [IPv6:2607:f8b0:400e:c00::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 0B6E684C86 for <ietf-ssh@netbsd.org>; Wed, 21 Jun 2017 18:41:39 +0000 (UTC)
Received: by mail-pf0-x241.google.com with SMTP id w12so32293314pfk.0 for <ietf-ssh@netbsd.org>; Wed, 21 Jun 2017 11:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IVpCwhSnSYqQF32uusF9P6hLWPfnNGRVRqY8+d3woDw=; b=d0tuSMGHKecCiQrZr5Kr4kt3bX7FC4tJGOHiHvRPz5M0OBwsTD4t08YWCUhM6t07Vd kBUKqafBnWL4OAXYFXBAhl5POgw52zAy7pqT8xy9VRDqQ+M0N9hEYqGxCwe+HdsfsERj PJ0EBLGA4RWaEZ8ks1rj4Vm1QDw14tt+0zwpw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IVpCwhSnSYqQF32uusF9P6hLWPfnNGRVRqY8+d3woDw=; b=NCvq1KKe1xLNaBxWoRFfLJrgqEwVU+dHTlmoRp+bMfT0QQGsRngKbJVpkAHJApo0aI KkJZUq168xDpS7v4/dypUKLB8Hn9MjjhOXV2eBkRWYPCzqW46COWCoxBlYbBZ89H/ieV 7rWN2954F4IFj5tabQ1e34+PLNS1hgdGVTiAAgLPbb4B4YoM6613m4VILl5hR5MubeJT gJXt64K9ej0O8lgUOPxFtZe9Q6AEoFtO3zyZ0b0MrJU919u95yn4wufysol1sfmhxrFr CMyVa/GmlP90SZ2mN3APAfXcTudyBp7e6nX9sj7wnlrrvaO7y94ZkYDDTaGqFbhb+q6h 8zhQ==
X-Gm-Message-State: AKS2vOy2662sPqaLANjDswTLloRkvhf2qLWLqXXNvcTsYGoigOTFTttO KATqWX0wRHUHw2+y
X-Received: by 10.84.224.133 with SMTP id s5mr15138413plj.93.1498070498580; Wed, 21 Jun 2017 11:41:38 -0700 (PDT)
Received: from ronfred.symc.symantec.com ([155.64.23.4]) by smtp.gmail.com with ESMTPSA id d88sm37504364pfk.133.2017.06.21.11.41.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Jun 2017 11:41:37 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: RFC 4253 possible errata
From: Ron Frederick <ronf@timeheart.net>
In-Reply-To: <80212.1498069205@eng-mail01.juniper.net>
Date: Wed, 21 Jun 2017 11:41:35 -0700
Cc: Curdle WG <curdle@ietf.org>, SSH WG <ietf-ssh@NetBSD.org>, Eric Rescorla <ekr@rtfm.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <50A8EE09-4FB3-4272-956E-E280F90E01A9@timeheart.net>
References: <80212.1498069205@eng-mail01.juniper.net>
To: "Mark D. Baushke" <mdb@juniper.net>
X-Mailer: Apple Mail (2.3273)
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20ietf-ssh&body=unsubscribe%20ietf-ssh>

Hi Mark,

On Jun 21, 2017, at 11:20 AM, Mark D. Baushke <mdb@juniper.net> wrote:
> While working with the IETF AD Eric Rescorla <ekr@rtfm.com> doing the AD
> review of draft-ietf-curdle-ssh-modp-dh-sha2, the topic came up of
> validation of the Diffie-Hellman public key on both client and server
> (peers).
> 
> The RFC 4253 Section 8 writes:
> 
> |8.  Diffie-Hellman Key Exchange
> |
> |   The Diffie-Hellman (DH) key exchange provides a shared secret that
> |   cannot be determined by either party alone.  The key exchange is
> |   combined with a signature with the host key to provide host
> |   authentication.  This key exchange method provides explicit server
> |   authentication as defined in Section 7.
> |
> |   The following steps are used to exchange a key.  In this, C is the
> |   client; S is the server; p is a large safe prime; g is a generator
> |   for a subgroup of GF(p); q is the order of the subgroup; V_S is S's
> |   identification string; V_C is C's identification string; K_S is S's
> |   public host key; I_C is C's SSH_MSG_KEXINIT message and I_S is S's
> |   SSH_MSG_KEXINIT message that have been exchanged before this part
> |   begins.
> |
> |   1. C generates a random number x (1 < x < q) and computes
> |      e = g^x mod p.  C sends e to S.
> |
> ...elided...
> 
> |   Values of 'e' or 'f' that are not in the range [1, p-1] MUST NOT be
> |   sent or accepted by either side.  If this condition is violated, the
> |   key exchange fails.
> 
> ...elided...
> 
> The z in range [1, p-1] notation, specifies a closed interval which
> includes the end points which is equivant to 1 <= z <= p-1. The (1, p-1)
> notation specifies an open interval which excludes the endpoints 1 < z <
> p-2.

[Ron] I don’t understand the “p-2” here. Is that a typo? Also, if you want to convert from the closed range [1, p-1], shouldn’t that to be to an open range of (0, p), which would correspond to “0 < z < p”?


> Eric noted that https://tools.ietf.org/rfcmarkup?rfc=7919#section-5.1
> uses open endpoints.
> 
> Eric suggested that my draft should include text that is similar to the
> ext in the RFC 7919 to correct this errata.

[Ron] I see RFC 7919 refers to a closed range [2, p-2]. This would be a change from what is allowed by RFC 4253 today.


> Before I make such a change, I wish understand if what folks have been
> using for the test in their implementations and get a consensus on such
> a change.

[Ron] In asyncssh, the test I’m doing on e & f is “1 <= e < p” and “1 <= f < p", which is essentially the half-open range of [1, p) that is equivalent to the closed range [1, p-1] listed in RFC 4253.
-- 
Ron Frederick
ronf@timeheart.net