IETF Logo Mail Archive

Re: rsa-sha2-256/512: handling of incorrect signature encoding

Ron Frederick <ronf@timeheart.net> Mon, 12 September 2016 16:59 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FA67128E19 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Sep 2016 09:59:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.807
X-Spam-Level:
X-Spam-Status: No, score=-5.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELcANWYwAMDJ for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Sep 2016 09:59:34 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287E7128874 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 12 Sep 2016 09:59:34 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D4D7885ED2; Mon, 12 Sep 2016 16:59:33 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 7C65385EBF; Mon, 12 Sep 2016 16:59:33 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 92F0D85E13 for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 02:39:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id r_gjW-mNJSJH for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 02:39:09 +0000 (UTC)
Received: from mail-pa0-x235.google.com (mail-pa0-x235.google.com [IPv6:2607:f8b0:400e:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id C802C84CE5 for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 02:39:09 +0000 (UTC)
Received: by mail-pa0-x235.google.com with SMTP id b2so46175274pat.2 for <ietf-ssh@netbsd.org>; Sun, 11 Sep 2016 19:39:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=from:mime-version:subject:message-id:date:to; bh=hAs7/RM3TWdirF4Kmhq5NyiSIMI7KFhE8yOFAUruo5E=; b=YUBKao0rI+fBVsAHyeLbgRfvQ2a5siD+hx0TBqaMgf7hnikGzuTHJQow/Mvf6vD3+R QjnB7I85eZECLMiR2J3UsQdHezYfVTYwbVvS75Q5YWIaJdWSBxFMrNqn2onTkkVDsIGH 80ruhTxMuk0+xQvdDk9b/xRAeeYQrUOD1NEDc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=hAs7/RM3TWdirF4Kmhq5NyiSIMI7KFhE8yOFAUruo5E=; b=Z75FaR/2DeXVC3pJH9oFpLr1IxGQN8cb5Jbh8stFu4s5UW7KAfnMYiwBTb+1JaRYpE eyQHmiXfwK9c8SS3ymP61g+Gv9yEYj0A1Vdd4dyzfb1nd+X60qDatlbjQci+85+jT+sk 2D/xf9UCm1TXjU0N1sPs9t1yHH1P4bTw2bNF+g4wH6K12QML+o3bHpgIkIXDUx7gn6Or D4EEmAJiCbLa9FWQp+wiQayoZJcZE/nhb3KVOofSrWKENoIcvSgNpjtq1sqUqHvO0iiv Wesrn+Ek4aWZ/kthjSUv7KuySbTxxJjGiA9oitYIMt4t2rP1dCtaXw2+YF4k2QBW1pGu IpzQ==
X-Gm-Message-State: AE9vXwOiomikJf4R/JUYMINGcvLVtqNR7fmsn2R5CyEo3SfbD6JFe/eotxynNkXcDvTSDw==
X-Received: by 10.67.7.170 with SMTP id dd10mr29254803pad.152.1473647949119; Sun, 11 Sep 2016 19:39:09 -0700 (PDT)
Received: from ?IPv6:2601:647:4282:2200:cfa:5497:d692:7eeb? ([2601:647:4282:2200:cfa:5497:d692:7eeb]) by smtp.gmail.com with ESMTPSA id p17sm20062223pfi.7.2016.09.11.19.39.08 for <ietf-ssh@netbsd.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Sep 2016 19:39:08 -0700 (PDT)
From: Ron Frederick <ronf@timeheart.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1D690562-ED0A-45A1-9063-3214D2BD3C7E"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3225\))
Subject: Re: rsa-sha2-256/512: handling of incorrect signature encoding
Message-Id: <88F8D101-CBAA-4E57-AD25-8F403B6B57BC@timeheart.net>
Date: Sun, 11 Sep 2016 19:39:07 -0700
To: ietf-ssh@netbsd.org
X-Mailer: Apple Mail (2.3225)
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Denis Bider (Bitvise) wrote:
> If you are sending an rsa-sha2-XXX signature, you cannot set all 3 fields in the authentication request to "ssh-rsa", because then this makes for a SHA-1 signature as it was done traditionally, not a SHA-2 signature. To send a SHA-2 signature, at least one field has to contain "rsa-sha2-XXX".
>  
> The draft specifically says the signature format names are "rsa-sha2-XXX", but the public key format name stays "ssh-rsa", which it must stay in order to preserve existing RSA key fingerprints.
>  
> The signature format is defined thus:
>  
>   string    "rsa-sha2-256" / "rsa-sha2-512"
>   string    rsa_signature_blob
>  
> These specifications seem to me very clear and unambiguous. In a user authentication request, when sending a SHA-2 signature, the only correct encoding of algorithm names is as follows:
>  
> byte      SSH_MSG_USERAUTH_REQUEST
> string    user name
> string    service name
> string    "publickey"
> boolean   TRUE
> string    "rsa-sha2-256" / "rsa-sha2-512"
> string    public key blob:
>   string    "ssh-rsa"
>   mpint     e
>   mpint     n
> string    signature:
>   string    "rsa-sha2-256" / "rsa-sha2-512"
>   string    rsa_signature_blob
> If your implementation does not encode the algorithm names this way, it is incorrect. The latest OpenSSH versions encode the algorithm names this way, though a previous version used "ssh-rsa" in the third field by mistake.
>  
> Bitvise SSH Client encodes the fields this way also, and the current version of Bitvise SSH Server expects the algorithm names this way, and only this way.

I did an implementation of this recently for AsyncSSH, and I have matched the above in the case where regular keys are used, with the first and third identifiers being rsa-sha2-256/rsa-sha2-512 and the second identifier remaining ssh-rsa when the new-style signatures are used. However, I also wanted to verify the correct identifiers to use in the certificate case.

Right now, I’m using ssh-rsa-cert-v01@openssh.com <mailto:ssh-rsa-cert-v01@openssh.com> as both the first and second identifier in the certificate case, and only using rsa-sha2-256/rsa-sha2-512 for the third identifier associated with the signature. This seems to work when talking to an OpenSSH server, and in fact OpenSSH doesn’t seem to accept the certificate if the first identifier does not identify that a certificate is being used, even if the second identifier indicates that a certificate was provided as the public key blob.

I know that certificates are OpenSSH-specific, so my apologies in advance if this is the wrong list to ask this question on. I just happened to see this thread in the mailing list archive, and though it would be good to get confirmation from the group.
-- 
Ron Frederick
ronf@timeheart.net

v2.8.7 | Report a Bug | By Email