Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

denis bider <ietf-ssh3@denisbider.com> Sun, 14 February 2016 08:10 UTC

Date: Sat, 13 Feb 2016 17:49:04 +0000
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Message-ID: <219217362-2196@skroderider.denisbider.com>
From: denis bider <ietf-ssh3@denisbider.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Niels Möller <nisse@lysator.liu.se>, Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
List-Id: ietf-ssh.NetBSD.org

Comments:


- If we're being comprehensive, we should include a position with regard to Curve25519 and Curve448:

https://tools.ietf.org/html/draft-josefsson-ssh-curves-03

I suggest we take the following positions:

curve25519-sha256    SHOULD
curve448-sha256      SHOULD, or MAY?

That being said:


- Given the recent NSA recommendations, it seems to me it would be prudent to update the Curve25519/Curve448 draft, and to replace the SHA-256 algorithm with SHA-512 for Curve448. This would create the method "curve448-sha512" instead of "curve448-sha256".

Simon, what do you think? Could your draft be updated to do that?

It seems to me that this would meet the NSA's long-term guidelines, whereas curve448-sha256 doesn't.


- As Niels points out - now that the modifiers are SHOULD / MAY / ..., we ought to specify the verb this refers to. I would be more comfortable assuming that our target audience are developers, and that these modifiers refer to "implement". I'm less comfortable reaching out to end users, dispensing advice about deployed configurations - but I'm not firmly against it.


- If we're going to have text saying SHA-1 is begrudgingly acceptable for backwards compatibility, we can't simultaneously say that it is "NOT SECURE" in all caps. Conversely - if we do say it is "NOT SECURE", we can't have a graceful transition away from SHA-1. We must in that case pursue an aggressive transition, including condemnation of existing products that use it.

It seems to me we don't have reason enough to be that aggressive. If someone asks why SHA-1 is not currently secure for key exchange, we can't point to a document saying "here's how to break diffie-hellman-group14-sha1". What we have is concerns that such attacks might exist in the future, given weaknesses known today.

Bottom line - I think the following is fine:

"The SHA-1 [algorithm] SHOULD NOT be used. If it is used, it should only be provided for backwards compatibility[,] should not be used in new designs[,] and should be phased out of existing key exchanges as quickly as possible"

But it's not currently accurate to say:

"... because it is NOT SECURE."

It may instead be accurate to say:

"... because of its known weaknesses."


- Niels has suggested that it's onerous to have so many "MUST" curves. We've already reduced the number of MUST curves from three (in RFC 5656) to two (in this draft). I'm not sure that either nistp384 or nistp521 is a suitable candidate for demotion. However, if we make changes here, it seems we should keep nistp384 as MUST, and demote nistp521 to SHOULD. This is because nistp384 meets current longest-term guidelines, whereas nistp521 seems to be overkill, and slower.


----- Original Message -----
From: Mark D. Baushke
Sent: Friday, February 12, 2016 11:48
To: denis bider
Cc: Peter Gutmann; ietf-ssh@NetBSD.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Hi denis,

You have made some good points. I have updated my draft to -02 and it is
in the process of being uploaded to the ietf servers.

For now, you can see the latest edition here:

  https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/

I think I have the normative vs informative references in their proper
locations, please let me know of any nits that still need to be
addressed.

-- Mark
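The message above argues about which key exchange methods a developer should implement and what the SHA-1 position should say. The following is an added example, not code from the thread, the draft, or any of the participants, showing the concrete effect of those positions on a real negotiation: it builds and parses SSH_MSG_KEXINIT payloads in the RFC 4253 section 7.1 layout, applies the client-preference selection rule from the same section, and labels the outcome using the positions denis proposes in the message (curve25519-sha256 SHOULD, curve448-sha512 SHOULD, nistp384 MUST, nistp521 demoted to SHOULD, any "-sha1" method SHOULD NOT). Those labels are taken from the message's proposals, not from the draft's final text, and the KEXINIT payloads, including the all-zero cookie and the empty cipher/MAC lists, are constructed here rather than captured from traffic.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1

# Positions argued for in the message above.  Assumption: these are denis
# bider's proposals as stated there, not the draft's final table.  Anything
# ending in "-sha1" receives the "SHOULD NOT" he suggests for SHA-1 key exchange.
POSITIONS = {
    "ecdh-sha2-nistp384": "MUST",
    "ecdh-sha2-nistp521": "SHOULD",   # proposed demotion from MUST
    "curve25519-sha256": "SHOULD",
    "curve448-sha512": "SHOULD",      # proposed rename of curve448-sha256
}

FIELDS = ("kex", "host_key", "enc_cs", "enc_sc", "mac_cs", "mac_sc",
          "comp_cs", "comp_sc", "lang_cs", "lang_sc")


def classify(kex_name):
    """Map a kex method name to its proposed position, or 'unlisted'."""
    if kex_name in POSITIONS:
        return POSITIONS[kex_name]
    if kex_name.endswith("-sha1"):
        return "SHOULD NOT"
    return "unlisted"


def _put_name_list(names):
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, host_key, cookie=bytes(16)):
    """Build a minimal KEXINIT payload: msg byte, 16-byte cookie, ten
    name-lists, first_kex_packet_follows, reserved uint32.  A real
    implementation uses a random cookie; zeros here are for the sample."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += _put_name_list(kex) + _put_name_list(host_key)
    for _ in range(8):                 # enc/mac/comp/lang lists, left empty
        body += _put_name_list([])
    body += b"\x00"                    # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)       # reserved for future extension
    return body


def _get_name_list(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its ten name-lists and trailing fields."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 1 + 16                       # message byte, then the cookie
    out = {}
    for field in FIELDS:
        out[field], off = _get_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    off += 1
    (out["reserved"],) = struct.unpack_from(">I", payload, off)
    return out


def choose_kex(client_kex, server_kex):
    """RFC 4253 7.1: the first method on the client's list that the server
    also offers wins; None means the connection fails."""
    for name in client_kex:
        if name in server_kex:
            return name
    return None


def audit(client_payload, server_payload):
    """Report what would be negotiated and how each offered method is rated."""
    c = parse_kexinit(client_payload)["kex"]
    s = parse_kexinit(server_payload)["kex"]
    chosen = choose_kex(c, s)
    return {
        "chosen": chosen,
        "chosen_position": classify(chosen) if chosen else None,
        "server_offers": {n: classify(n) for n in s},
    }


# Constructed sample, not captured traffic: a client preferring the curves
# discussed above but keeping a SHA-1 fallback, against a legacy server.
CLIENT_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "ecdh-sha2-nistp384",
         "ecdh-sha2-nistp521", "diffie-hellman-group14-sha1"],
    host_key=["ssh-ed25519", "ssh-rsa"])
SERVER_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa"])

if __name__ == "__main__":
    print(audit(CLIENT_KEXINIT, SERVER_KEXINIT))
```

Against the sample server the negotiation lands on diffie-hellman-group14-sha1, the method the message says SHOULD NOT be used; dropping the "-sha1" entries from the client list makes choose_kex return None, which is the "aggressive transition" cost the message weighs against a graceful phase-out.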