New version of rsa-sha2-512 draft posted: no more DSA

denis bider <ietf-ssh3@denisbider.com> Thu, 05 November 2015 17:47 UTC

Date: Thu, 05 Nov 2015 09:13:25 +0000
Subject: New version of rsa-sha2-512 draft posted: no more DSA
Message-ID: <1837603091-896@skroderider.denisbider.com>
From: denis bider <ietf-ssh3@denisbider.com>
To: ietf-ssh@netbsd.org
List-Id: ietf-ssh.NetBSD.org

I have posted a new version of the draft: see details below.

As per multiple requests (Hanno Boeck, Peter Gutmann, Damien Miller), I have removed DSA.

I have taken into account Damien's suggestion for rsa-sha2-512, and observed that there appears to be no reason to have rsa-sha2-256, if we have rsa-sha2-512. As far as I can tell, SHA-2 512 should be reasonably available everywhere that SHA-2 256 is available. It is slower on 32-bit platforms, but the performance impact of hashing is negligible compared to the signing operation. It produces a larger digest than SHA-2 256, but this digest easily fits into all reasonable RSA key sizes.

Therefore, this new version of the draft removes both rsa-sha2-256 and dsa-sha2-256, and replaces them with only rsa-sha2-512.

In addition, this version adds a mechanism which the server can use to notify the client of signature algorithms supported, so that the client does not have to guess with authentication requests. Clients will still need to implement guessing due to servers that might not support this, but if the server cares to send this info, this can speed up authentication by one or more round trips.

Unfortunately, since:

- SSH does not have a proper extension negotiation; and since

- clients of at least one ubiquitous implementation will disconnect if any new fields are added to SSH_MSG_SERVICE_REQUEST, SSH_MSG_SERVICE_ACCEPT, or SSH_MSG_USERAUTH_FAILURE;

there seems to be little choice but to send this information in a specially crafted SSH_MSG_IGNORE message. Let us congratulate ourselves on that success. ;)

Let's think things through better with the next protocol.


----- Original Message -----

A new version of I-D, draft-rsa-dsa-sha2-256-01.txt
has been successfully submitted by Denis Bider and posted to the
IETF repository.

Name: draft-rsa-dsa-sha2-256
Revision: 01
Title: Use of RSA Keys with SHA-2 512 in Secure Shell (SSH)
Document date: 2015-11-05
Group: Individual Submission
Pages: 6
URL:            https://www.ietf.org/internet-drafts/draft-rsa-dsa-sha2-256-01.txt
Status:         https://datatracker.ietf.org/doc/draft-rsa-dsa-sha2-256/
Htmlized:       https://tools.ietf.org/html/draft-rsa-dsa-sha2-256-01
Diff:           https://www.ietf.org/rfcdiff?url2=draft-rsa-dsa-sha2-256-01

Abstract:
  This memo defines an algorithm name, public key format, and signature
  format for use of RSA keys with SHA-2 512 for server and client
  authentication in SSH connections. A new mechanism is also defined
  for servers to inform clients of supported signature algorithms during
  client authentication.