Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2

"Mark D. Baushke" <mdb@juniper.net> Mon, 12 September 2016 20:57 UTC

To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
CC: Tero Kivinen <kivinen@iki.fi>, Curdle <curdle@ietf.org>, IETF SSH <ietf-ssh@NetBSD.org>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2
In-Reply-To: <CF59D773EDE144398E7063D79D96CCD0@Khan>
References: <41049.1473653352@eng-mail01.juniper.net> <22486.43242.802279.610275@fireball.acr.fi> <53468.1473704115@eng-mail01.juniper.net> <CF59D773EDE144398E7063D79D96CCD0@Khan>
Comments: In-reply-to: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com> message dated "Mon, 12 Sep 2016 13:56:56 -0600."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Mon, 12 Sep 2016 13:57:20 -0700
Message-ID: <77212.1473713840@eng-mail01.juniper.net>

denis bider (Bitvise) <ietf-ssh3@denisbider.com> writes:

> Yeah. :( These algorithms (AEAD_AES_128_GCM and AEAD_AES_256_GCM)
> really ought to be considered SHOULD NOT. The real SHOULD versions are
> aes128-gcm@openssh.com and aes256-gcm@openssh.com, which currently do
> not have a formal spec, but are defined as "what RFC 5647 says, but
> with reasonable rules for algorithm negotiation".

I admit I like the OpenSSH specification better myself.

> We ought to make this formal by specifying new algorithm names
> aes128-gcm and aes256-gcm, and defining this in roughly the same way
> (what RFC 5647 says, but with reasonable negotiation rules). It should
> be identical to the @openssh.com versions, except with formally
> adopted names.
> 
> If we want to do this, I can write up this spec.

I think the only reason I have seen folks list AEAD_AES_nnn_GCM in
requirements documents is to appease either the Common Criteria or FIPS
standards.

Things got odd when the NIST SP 800-38D references were put into the
FIPS 140-2 Implementation Guidance in section A.5 in March 2009. It
changed last year, but it is still not entirely clear how this section
impacts SSH. The section provides techniques for generating an IV that
are acceptable for the purpose of FIPS 140-2 validations, but only lists
TLS-v1.2 and IPsec-v3.

Folks who want to read the current details can look in
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
Section A.5 was last modified on August 7, 2015.

The NIST SP 800-38D should be found at this URL:
http://dx.doi.org/10.6028/NIST.SP.800-38D

(it redirects to
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38D.pdf).
The 8.2.1 Deterministic Construction alternative seems to be the only
one that still meets the FIPS 140-2 guidance.

> > 3) Public Key Algorithm Names
> This table should be expanded with another column, Signature Algorithm
> Name. For most algorithms, it's just a copy of the value in Public Key
> Algorithm Name. For ssh-rsa, however, there need to be two additional
> lines, for three total:
> 
> ssh-rsa   ssh-rsa        [RFC4253]       Section 6.6
> ssh-rsa   rsa-sha2-256   (other draft)   Section 2
> ssh-rsa   rsa-sha2-512   (other draft)   Section 2
> 
> The "other draft" in this case is the rsa-sha2 draft.
> 
> I should modify that draft to update this table in this way. The
> current version of the draft does not suggest adding the extra column,
> but instead adds the new signature algorithm names in the existing
> Public Key Algorithm Name column, which is not fully correct (and may
> mislead implementers).

That sounds like a good plan to me.

	-- Mark
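The deterministic IV construction Mark points to (SP 800-38D section 8.2.1) is what RFC 5647 already prescribes for SSH: a 12-octet IV made of a 4-octet fixed field and an 8-octet invocation counter that is incremented per packet as an unsigned 64-bit integer. The following is an added example, not code from this thread or from any SSH implementation; it assumes that 4/8 split from RFC 5647 and uses the 2^32 per-key invocation cap from SP 800-38D section 8.3 as the rekey trigger.

```python
"""Deterministic AES-GCM IV handling for one SSH direction (added example).

Layout assumed from RFC 5647: IV = fixed field (4 octets) || invocation
counter (8 octets, big-endian, incremented mod 2^64 after each packet).
"""
import struct


class DeterministicGcmIv:
    """IV state for a single AES-GCM key; SSH keeps one per direction."""

    FIXED_LEN = 4
    COUNTER_LEN = 8
    # SP 800-38D section 8.3 limits a key to 2^32 invocations; rekey before that.
    MAX_INVOCATIONS = 2 ** 32

    def __init__(self, initial_iv: bytes, max_invocations: int = MAX_INVOCATIONS):
        if len(initial_iv) != self.FIXED_LEN + self.COUNTER_LEN:
            raise ValueError("SSH AES-GCM IV must be 12 octets")
        # The initial IV is the key-exchange-derived IV; its low 8 octets seed
        # the counter and its high 4 octets stay constant for the key's lifetime.
        self.fixed = initial_iv[:self.FIXED_LEN]
        (self.counter,) = struct.unpack(">Q", initial_iv[self.FIXED_LEN:])
        self.invocations = 0
        self.max_invocations = max_invocations

    def needs_rekey(self) -> bool:
        return self.invocations >= self.max_invocations

    def next_iv(self) -> bytes:
        """Return the IV for the next packet, then advance the counter."""
        if self.needs_rekey():
            raise RuntimeError("invocation limit reached; rekey before encrypting")
        iv = self.fixed + struct.pack(">Q", self.counter)
        # Unsigned 64-bit increment with wrap, as RFC 5647 specifies.
        self.counter = (self.counter + 1) & 0xFFFFFFFFFFFFFFFF
        self.invocations += 1
        return iv


def ivs_are_unique(initial_iv: bytes, n: int) -> bool:
    """True if n consecutive IVs under one key never repeat: the property the
    deterministic construction exists to guarantee (for n <= 2^64)."""
    state = DeterministicGcmIv(initial_iv, max_invocations=n)
    seen = set()
    for _ in range(n):
        iv = state.next_iv()
        if iv in seen:
            return False
        seen.add(iv)
    return True
```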