Re: RFC 4253 possible errata
Ron Frederick <ronf@timeheart.net> Thu, 22 June 2017 04:44 UTC
In-Reply-To: <80212.1498069205@eng-mail01.juniper.net>
Date: Wed, 21 Jun 2017 11:41:35 -0700
Cc: Curdle WG <curdle@ietf.org>, SSH WG <ietf-ssh@NetBSD.org>, Eric Rescorla <ekr@rtfm.com>
Message-Id: <50A8EE09-4FB3-4272-956E-E280F90E01A9@timeheart.net>
References: <80212.1498069205@eng-mail01.juniper.net>
To: "Mark D. Baushke" <mdb@juniper.net>
Hi Mark,

On Jun 21, 2017, at 11:20 AM, Mark D. Baushke <mdb@juniper.net> wrote:
> While working with the IETF AD Eric Rescorla <ekr@rtfm.com> doing the AD
> review of draft-ietf-curdle-ssh-modp-dh-sha2, the topic came up of
> validation of the Diffie-Hellman public key on both client and server
> (peers).
>
> The RFC 4253 Section 8 writes:
>
> |8. Diffie-Hellman Key Exchange
> |
> | The Diffie-Hellman (DH) key exchange provides a shared secret that
> | cannot be determined by either party alone. The key exchange is
> | combined with a signature with the host key to provide host
> | authentication. This key exchange method provides explicit server
> | authentication as defined in Section 7.
> |
> | The following steps are used to exchange a key. In this, C is the
> | client; S is the server; p is a large safe prime; g is a generator
> | for a subgroup of GF(p); q is the order of the subgroup; V_S is S's
> | identification string; V_C is C's identification string; K_S is S's
> | public host key; I_C is C's SSH_MSG_KEXINIT message and I_S is S's
> | SSH_MSG_KEXINIT message that have been exchanged before this part
> | begins.
> |
> | 1. C generates a random number x (1 < x < q) and computes
> | e = g^x mod p. C sends e to S.
> |
> ...elided...
>
> | Values of 'e' or 'f' that are not in the range [1, p-1] MUST NOT be
> | sent or accepted by either side. If this condition is violated, the
> | key exchange fails.
>
> ...elided...
>
> The z in range [1, p-1] notation specifies a closed interval, which
> includes the end points, which is equivalent to 1 <= z <= p-1. The (1, p-1)
> notation specifies an open interval which excludes the endpoints, 1 < z <
> p-2.

[Ron] I don’t understand the “p-2” here. Is that a typo? Also, if you want to convert from the closed range [1, p-1], shouldn’t that be to an open range of (0, p), which would correspond to “0 < z < p”?

> Eric noted that https://tools.ietf.org/rfcmarkup?rfc=7919#section-5.1
> uses open endpoints.
>
> Eric suggested that my draft should include text that is similar to the
> text in the RFC 7919 to correct this errata.

[Ron] I see RFC 7919 refers to a closed range [2, p-2]. This would be a change from what is allowed by RFC 4253 today.

> Before I make such a change, I wish to understand what folks have been
> using for the test in their implementations and get a consensus on such
> a change.

[Ron] In asyncssh, the test I’m doing on e & f is “1 <= e < p” and “1 <= f < p”, which is essentially the half-open range of [1, p) that is equivalent to the closed range [1, p-1] listed in RFC 4253.

-- 
Ron Frederick
ronf@timeheart.net
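The range checks compared in this message, written out as an added example; this is not asyncssh's code and not part of the original post. It uses a constructed toy safe prime p = 23 (not an SSH group) so that the values accepted by the RFC 4253 check [1, p-1] but rejected by the RFC 7919 check [2, p-2] can be enumerated, together with the shared secret each of them forces. The open-interval helper shows the notation point from the thread: over the integers, (0, p) is the same set as [1, p-1], and (1, p-1) is the same set as [2, p-2].

```python
# Added example (not asyncssh's code): Diffie-Hellman public value range
# checks as discussed in the thread, on a constructed toy group.

# Constructed toy parameters: p = 23 is a safe prime (p = 2q+1, q = 11).
# Real SSH key exchange uses the large RFC 3526 / RFC 7919 primes instead.
P = 23


def in_rfc4253_range(value, p):
    """RFC 4253 section 8: 'values of e or f that are not in the range
    [1, p-1] MUST NOT be sent or accepted'. Closed range 1 <= value <= p-1,
    i.e. the half-open 1 <= value < p that the post describes."""
    return 1 <= value < p


def in_rfc7919_range(value, p):
    """RFC 7919 section 5.1 style check: closed range [2, p-2]. This rejects
    exactly the two values RFC 4253 still allows, 1 and p-1."""
    return 2 <= value <= p - 2


def open_interval(value, lo, hi):
    """lo < value < hi: the (lo, hi) notation contrasted with [lo, hi]."""
    return lo < value < hi


def shared_secret(peer_value, own_exponent, p):
    """K = peer_value ^ own_exponent mod p, as in RFC 4253 steps 2 and 3."""
    return pow(peer_value, own_exponent, p)


def degenerate_values(p):
    """Values accepted by the RFC 4253 check but rejected by the RFC 7919
    check, mapped to the set of shared secrets they can produce over every
    private exponent. e = 1 gives K = 1 for any exponent; e = p-1 is -1 mod p,
    so K is 1 or p-1 depending only on the parity of the exponent."""
    result = {}
    for e in range(0, p + 1):
        if in_rfc4253_range(e, p) and not in_rfc7919_range(e, p):
            secrets = {shared_secret(e, x, p) for x in range(1, p - 1)}
            result[e] = sorted(secrets)
    return result


if __name__ == "__main__":
    for e, ks in degenerate_values(P).items():
        print(f"e={e}: accepted by [1, p-1], rejected by [2, p-2]; K in {ks}")
```

Running it on the toy group lists e = 1 and e = 22, the two values whose acceptance is the practical difference between the RFC 4253 wording and the RFC 7919 wording.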