Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb@juniper.net> Sun, 08 November 2015 16:47 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, Niels Möller <nisse@lysator.liu.se>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4B5993D@uxcn10-5.UoA.auckland.ac.nz>, <2096379125-720@skroderider.denisbider.com> <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Sun, 08 Nov 2015 09:42:29 +0000."
From: "Mark D. Baushke" <mdb@juniper.net>
X-Phone: +1 408 745-2952 (Office)
X-Mailer: MH-E 8.5; nmh 1.2; GNU Emacs 24.3.1
Date: Sun, 08 Nov 2015 08:47:21 -0800
Message-ID: <55190.1447001241@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> denis bider <ietf-ssh3@denisbider.com> writes:

> I don't know if you need to specify the exact generation method, only
> the verification checks to perform, which are given in FIPS 186. 

Actually, it depends on the evaluation lab somewhat, but they typically
want evaluations to use generation and verification based on FIPS 186-4
appendix A.1 and show the code that is doing the generation if it is
inside of the crypto module.

Validation of existing DH FFC domain parameters is expected to use the
methods in section A.1.

Section A.1.1.2 outlines the method of generation of probable primes.
However, it limits the values of the number of bits of p and q based on
L and N values taken from section 4.2, where the max is L=3072 and N=256,
apparently reusing the same table as for DSA parameters.

I would hope generating a lot of 2048-bit and 3072-bit DH primes would
be sufficient for now.

A possible method to generate larger DH parameters is to generate primes
in any way you can and then validate them using one of the primality
proving algorithms in http://cr.yp.to/primetests.html ... of course as
it is not FIPS-approved, that would need to be done outside of the
crypto boundary. :-(

There seems to be little use of DH primes being much bigger than 4096
bits right now in any case. It becomes easier to move to ECDH for
performance.

> The intent is to create verifiable DH parameters, so the important
> thing is the verification mechanism, not the generation one (both safe
> primes and Lim-Lee primes, for example, will produce verifiable
> values). It would certainly make sense, if you're using { p, q, g }
> primes, to require that they be verified as per the FIPS 186 checks,
> since that's the point to using them.

Yes. That said, I do not find any FIPS or NIST documents talking about
Lim-Lee primes for use in FIPS certified systems.

> The annoying thing about this change is that it's going to take me
> about 20x as long to do the spec describing it as it will to make the
> code changes, sigh.

That always seems to be the way of things.

> One other thing that'd be good to have, based on the Logjam paper, is
> to specify some means of distinguishing g from q, since Logjam
> mentions that there are implementations that confuse the two. Does
> anyone have problems with requiring that g = <small integer>? This
> both makes the DH op much more efficient, and makes it easy to quickly
> distinguish g from q without requiring complex bignum ops.

Well, if you look at group25, you see that g is larger than q.

I know that at one time, a few of our governmental customers were
twisting arms over implementing group25 everywhere and were not happy
that it was not possible for SSH at that time.

I would therefore really like to see it possible to express all of the
MODP groups via this new extension if possible.

	Just my $0.02,
	-- Mark
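The checks the thread keeps coming back to (FIPS 186-4 A.1 style partial validation of { p, q, g }, and a cheap way to tell g from q so that an implementation that swaps the two, as Logjam reported, fails closed) as an added, stand-alone example. This is not code from the ietf-ssh thread, from FIPS 186-4, or from any implementation the participants mention; the 23/11/2 toy group and the small generated group are constructed for the demonstration, and the Miller-Rabin routine is a plain textbook version rather than the FIPS C.3 procedure.

```python
"""Partial validation of finite-field DH domain parameters (p, q, g).

Added example (not from the ietf-ssh thread).  The checks mirror the
FIPS 186-4 A.1 domain-parameter validation idea discussed on the list:
  * p and q are (probable) primes,
  * q divides p - 1,
  * 1 < g < p - 1 and g^q == 1 (mod p), i.e. g generates the order-q subgroup.
The last check is also what catches a g/q mix-up: a swapped pair almost
never satisfies it, regardless of whether g is a small integer.
"""
import random


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test (textbook version, constructed here;
    not the FIPS 186-4 C.3 procedure verbatim)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True


def validate_ffc_params(p, q, g):
    """Return (ok, reason) for a (p, q, g) triple, FIPS 186-4 A.1 style."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not is_probable_prime(q):
        return False, "q is not prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p-1"
    if not 1 < g < p - 1:
        return False, "g out of range"
    if pow(g, q, p) != 1:
        # Either g does not have order q, or g and q have been confused.
        return False, "g^q mod p != 1 (g not of order q, or g/q swapped)"
    return True, "ok"


def generate_small_group(qbits, pbits, seed=1):
    """Build a toy (p, q, g) with q | p-1 and g = h^((p-1)/q) mod p.
    Constructed for the demo only; the bit lengths are far too small for use."""
    rng = random.Random(seed)
    while True:                                   # random odd q of qbits bits
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:                                   # p = k*q + 1 of pbits bits
        k = rng.getrandbits(pbits - qbits)
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:                                   # g of order exactly q
        h = rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


if __name__ == "__main__":
    # Constructed toy group: p = 23 = 2*11 + 1, and 2 has order 11 mod 23.
    print(validate_ffc_params(23, 11, 2))   # (True, 'ok')
    print(validate_ffc_params(23, 2, 11))   # g and q swapped -> rejected
    print(validate_ffc_params(23, 11, 5))   # 5 has order 22, not 11 -> rejected
    p, q, g = generate_small_group(32, 64)
    print(validate_ffc_params(p, q, g))
```

Note that the order check is what does the real work: requiring g to be a small integer, as Peter suggests, makes the exponentiation cheap and lets a parser tell the two fields apart by size, but a group like group25, whose g is larger than q, still validates here because g^q mod p == 1 holds. A 5 in the toy group is rejected because it generates the whole multiplicative group of order 22 rather than the order-11 subgroup, which is exactly the condition A.1 imposes.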