Re: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)

Simon Josefsson <simon@josefsson.org> Mon, 30 November 2015 10:55 UTC

Date: Mon, 30 Nov 2015 11:54:23 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Damien Miller <djm@mindrot.org>
Cc: Simon Tatham <anakin@pobox.com>, Niels Möller <nisse@lysator.liu.se>, ietf-ssh@netbsd.org
Subject: Re: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Message-ID: <20151130115423.704a3d44@latte.josefsson.org>
In-Reply-To: <alpine.BSO.2.20.1511292242300.12629@natsu.mindrot.org>
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org> <alpine.BSO.2.20.1511292242300.12629@natsu.mindrot.org>

> While we're dropping wishlist items for SSH v.3, here's one of mine:
> 
> Key exchange negotiates an AEAD rather than a cipher and a MAC
> separately, and does so from a greatly trimmed set of options. E.g.
> AES-GCM, chacha20+poly1305 and an AES-CTR+HMAC mode.
> 
> IMO the AEAD primitive is the right metaphor for the security
> properties of the SSH transport protocol. Removing the large
> cartesian product of ciphers x MACs will make testing faster and
> binaries smaller too.

I agree.  I believe there is opportunity to deprecate all pre-AEAD
modes, if there is interest in doing that.  I believe the experience
with TLS is that no non-AEAD mode has the properties that we desire.
Generally, I believe the experience is that you cannot negotiate cipher
and MAC separately; it has to be done together.  Maybe we can draft
something together and bring it to the curdle IETF WG; it would be in
scope of that process.

Looking at these registries:
http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-17
http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-18

I believe it would be possible to mark all as obsolete/historic, except
for a list of a few known good combinations that we can actually
recommend. As far as I can tell that list would include:

aes128-ctr
aes256-ctr
chacha20-poly1305 (whatever that turns out to be)
umac-* (same here..)
hmac-sha1 (for older ciphers only?)
hmac-sha2-256 (for older ciphers only?)

Any others?

I'm not sure what to make of the RFC 5647 AES-GCM mode.  Nobody seems
to implement that.

/Simon
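An added example, not code from this thread or from any SSH implementation, of the RFC 4253 section 7.1 name-list rule (first algorithm in the client's list that the server also supports) applied to the two designs discussed above: separate cipher and MAC lists, where any cipher can end up paired with any MAC, versus a single AEAD list. The name-lists and the combined name "aes128-ctr+hmac-sha2-256" are constructed for illustration.

```python
from itertools import product
from typing import List, Optional, Tuple

# Constructed example name-lists (not from any real implementation).
CLIENT_CIPHERS = ["aes128-cbc", "aes128-ctr", "aes256-ctr"]
SERVER_CIPHERS = ["aes256-ctr", "aes128-ctr", "aes128-cbc"]
CLIENT_MACS = ["hmac-md5", "hmac-sha2-256", "hmac-sha1"]
SERVER_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]

# Constructed single-list AEAD design from the thread: each entry already
# binds confidentiality and integrity, so there is no MAC list to combine.
CLIENT_AEADS = ["chacha20-poly1305", "aes128-ctr+hmac-sha2-256"]
SERVER_AEADS = ["aes128-gcm", "chacha20-poly1305"]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the chosen algorithm is the first one on the client's
    list that also appears on the server's list; None means failure."""
    return next((alg for alg in client if alg in server), None)


def negotiate_cipher_and_mac(client_ciphers, server_ciphers,
                             client_macs, server_macs) -> Optional[Tuple[str, str]]:
    """Current transport: cipher and MAC are chosen independently, so the
    result is whatever pair the two separate negotiations happen to form."""
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    if cipher is None or mac is None:
        return None
    return cipher, mac


def negotiate_aead(client_aeads, server_aeads) -> Optional[str]:
    """Proposed transport: one negotiation yields one AEAD mode."""
    return negotiate(client_aeads, server_aeads)


def combinations_to_test(ciphers: List[str], macs: List[str]) -> int:
    """Number of cipher x MAC pairings an implementation has to support
    and test under the separate-negotiation design."""
    return len(list(product(ciphers, macs)))


if __name__ == "__main__":
    print(negotiate_cipher_and_mac(CLIENT_CIPHERS, SERVER_CIPHERS,
                                   CLIENT_MACS, SERVER_MACS))
    print(negotiate_aead(CLIENT_AEADS, SERVER_AEADS))
    print(combinations_to_test(SERVER_CIPHERS, SERVER_MACS))
```

With the constructed lists the separate negotiation lands on the client's first preferences in each list, ("aes128-cbc", "hmac-md5"), a pairing neither side would have offered as a unit, while the AEAD list yields a single mode.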