RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

[Peter Gutmann <pgut001@cs.auckland.ac.nz>]

denis bider <ietf-ssh3@denisbider.com> writes:

>It seems to me we don't have reason enough to be that aggressive. If someone
>asks why SHA-1 is not currently secure for key exchange, we can't point to a
>document saying "here's how to break diffie-hellman-group14-sha1". 

We can however point to mass-market, mainstream products, and mainstream
industry groups (e.g. the CAB Forum), that have banned SHA-1 outright:

  Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates
  or Subordinate CA certificates using the SHA-1 hash algorithm.

Go to a site using SHA-1 right now with Chrome or Firefox and you'll get an
indicator that the connection is untrusted, i.e. it'll be treated worse than
if it wasn't encrypted at all (which is pretty stoopid, but that's a different
issue).  MSIE will also start doing this in a couple of months, if they don't
move the date up yet again.

For crypto as most people experience it, use of SHA-1 will be flagged as
insecure, or (for CA use) banned outright.  So we have a pretty good precedent
for warning about SHA-1:

  In line with widespread industry practice that deprecates SHA-1 as insecure
  from January 2016, the SHA-1 [algorithm] SHOULD NOT be used. If it is used,
  it should only be provided for backwards compatibility[,] should not be used
  in new designs[,] and should be phased out of existing key exchanges as
  quickly as possible. Since SHA-1 is being actively phased out, anyone
  continuing to use it should expect increasing problems in its use, for
  example public CAs will no longer issue certificates using SHA-1.

I think that's a fair warning to people of what's in store for SHA-1, so no-
one can say they weren't warned.

Peter.