Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb@juniper.net> Sun, 08 November 2015 04:34 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: Jeffrey Hutzelman <jhutz@cmu.edu>, denis bider <ietf-ssh3@denisbider.com>, Niels Möller <nisse@lysator.liu.se>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B59709@uxcn10-5.UoA.auckland.ac.nz>
References: <1990286542-756@skroderider.denisbider.com> <1446868237.5945.12.camel@destiny.pc.cs.cmu.edu>, <87436.1446924769@eng-mail01.juniper.net> <9A043F3CF02CD34C8E74AC1594475C73F4B59709@uxcn10-5.UoA.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Sun, 08 Nov 2015 03:01:30 +0000."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Sat, 07 Nov 2015 20:34:04 -0800
Message-ID: <49920.1446957244@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Mark D. Baushke <mdb@juniper.net> writes:
> 
> >The root case is the selection of the generator g in RFC 4419 is not
> >sufficient to meet FIPS requirements.
> 
> Since RFC 4419 doesn't specify that q is included in the DH keying material,
> how do you even verify that it meets FIPS requirements? 
 
Perhaps I am misreading RFC 4419...

 
| 3.  Diffie-Hellman Group and Key Exchange
| 
|    The server keeps a list of safe primes and corresponding generators
|    that it can select from.  A prime p is safe if p = 2q + 1 and q is
|    prime.  New primes can be generated in the background.
| 
|    The generator g should be chosen such that the order of the generated
|    subgroup does not factor into small primes; that is, with p = 2q + 1,
|    the order has to be either q or p - 1.  If the order is p - 1, then
|    the exponents generate all possible public values, evenly distributed
|    throughout the range of the modulus p, without cycling through a
|    smaller subset.  Such a generator is called a "primitive root" (which
|    is trivial to find when p is "safe").
| ...
| 3.  C generates a random number x, where 1 < x < (p-1)/2.  It
|        computes e = g^x mod p, and sends "e" to S.

To me, the term '(p-1)/2' implies that we are calculating a value for
'q' ... in other words, I thought that q was a Sophie Germain prime and
p was the safe prime.

Otherwise, I would have expected us to worry about 1 < x < (p-1)/r for
the case where p = qr + 1 ... and we have no way to make that calculation
without knowing either q or r in the first place.

> You can't actually perform the FIPS tests on it because one of the
> parameters is missing.

True, which also means that you would be unable to ensure that the
random number x is within the proper range for DH which wants 'p = rq +
1' and '1 < x < q' NOT '1 < x < rq' ... so, if the math in RFC 4419 is
using r=2, then we can calculate q as (p-1)/2 ...

> Oh, if anyone knows of any other commonly-used magic values I'm
> missing there, let me know.

I would also like this information.

> The real fix though would be to publish a quick update to '4419
> specifying a SSH_MSG_KEX_DH_GEX2_GROUP which includes the full set of
> DH parameters so that the DH values could be fully verified.

Sure. If you want to allow for things like group25 (RFC 5114), then
having all of the group parameters g,p,q would make it possible. I would
have no problems with that addition.

So far, we have FIPS certified our system with ssh a number of times
with RFC 4419 extensions being available, but assuming that q is derived
from (p-1)/2.

I still think that the update to RFC 4419 should deal with the selection
of the parameters and runtime validation checks per FIPS 186 and NIST SP
800-56A.

	Thanks,
	-- Mark
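The runtime checks discussed in this message (deriving q = (p-1)/2 from a group that is sent as p and g only, confirming p is a safe prime and g has order q or p-1 as RFC 4419 section 3 requires, and the SP 800-56A range 1 < x < q for the private value plus public-value validation), written out as an added example that is not part of this thread, of RFC 4419, or of any FIPS test suite. It assumes the safe-prime convention the message describes and uses small constructed groups for illustration, not real SSH moduli.

```python
# Added example, not from the original message: validate a DH GEX group
# received as (p, g) under the assumption p = 2q + 1 with q = (p-1)/2.
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, adequate for a validation check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_q(p):
    """q = (p-1)/2, the subgroup order when p is a safe prime p = 2q + 1."""
    return (p - 1) // 2

def validate_group(p, g):
    """p must be a safe prime and g must have order q or p-1 (RFC 4419 sec. 3)."""
    q = derive_q(p)
    if p % 2 == 0 or not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if not 1 < g < p - 1:               # excludes the order-1 and order-2 elements
        return False
    return pow(g, q, p) in (1, p - 1)   # order q, or order 2q = p-1 (primitive root)

def validate_private_exponent(x, p):
    """SP 800-56A range for the private value: 1 < x < q, not 1 < x < p-1."""
    return 1 < x < derive_q(p)

def validate_public_value(y, p, g):
    """Full validation: 1 < y < p-1, and y^q mod p == 1 when g has order q."""
    q = derive_q(p)
    if not 1 < y < p - 1:
        return False
    # With a primitive-root g every such y already has y^q == +-1; nothing more to check.
    return pow(g, q, p) != 1 or pow(y, q, p) == 1
```

With p = 23 (q = 11), g = 5 is a primitive root and g = 4 generates the order-q subgroup, so both pass validate_group while 1 and 22 are rejected; a prime that is not safe (13) or a composite (25) fails before any generator check.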