Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Damien Miller <djm@mindrot.org> Mon, 15 February 2016 09:11 UTC

Date: Mon, 15 Feb 2016 20:10:23 +1100
From: Damien Miller <djm@mindrot.org>
To: denis bider <ietf-ssh3@denisbider.com>
cc: "Mark D. Baushke" <mdb@juniper.net>, Niels Möller <nisse@lysator.liu.se>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
In-Reply-To: <362309857-1692@skroderider.denisbider.com>
Message-ID: <alpine.BSO.2.20.1602151947450.4613@natsu.mindrot.org>
References: <362309857-1692@skroderider.denisbider.com>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org

On Mon, 15 Feb 2016, denis bider wrote:

> Being widely implemented is not sufficient for MUST.

No, but it is necessary.

> curve25519-sha256 has
> the unfortunate distinction of being widely deployed right after widespread
> recognition of the need for safe curves, but just before the upping of NSA
> recommendations.

It's a bit weird to see recognition of safe curves accepted in the same
sentence in which advice from the NSA is uncritically accepted. Much of the
justification for the so-called safe curves is because most people don't
trust the NSA to set crypto standards any more.

> I intend to implement curve25519-sha256 in Bitvise SSH Server and Client
> when not used under FIPS. However, it cannot be available in FIPS mode,
> because its crypto is not covered by FIPS 140-2.

FIPS has lagged and will always lag current good practice (in which
year did it deprecate single-DES?). IMO FIPS compatibility is not a
justification to deny inclusion of an algorithm in the MUST set (though
it might be a justification for including an algorithm).

> I agree that safe curves are most likely superior to the ecdh-nistp
> curves, and provide greater safety of implementation. However, it puts
> the spec in conflict with reality if we specify a MUST algorithm that
> can't be used by a significant proportion of users.

MUST specifies what implementations have to support, not what users
can/can't use. nistp384/521 is already there for the subset of users
who are shackled to NIST-specified algorithms, but there is a very
substantial user population who want an alternative and
curve25519-sha256 has already proved itself a fine fit.

-d
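The distinction Damien draws between what an implementation MUST support and what a given deployment can negotiate follows from the RFC 4253 section 7.1 kex selection rule. The following is an added example, not code from the thread or from any product mentioned in it; the algorithm lists are constructed for illustration, and the "fips" server simply represents a build with curve25519-sha256 left out.

```python
"""RFC 4253 section 7.1 key-exchange algorithm negotiation (added example).

Shows that an implementation supporting curve25519-sha256 still
interoperates with a peer that does not offer it (e.g. a FIPS-mode build),
provided the two sides share some other algorithm.
"""
from typing import List, Optional, Sequence


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH name-list (comma-separated, no empty names) into names."""
    if name_list == "":
        return []
    names = name_list.split(",")
    if any(n == "" for n in names):
        raise ValueError("empty name in name-list: %r" % name_list)
    return names


def choose_kex(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """Return the first client-preferred kex algorithm the server also lists.

    Client order wins, not server order. None means no common algorithm,
    in which case RFC 4253 requires the connection to fail.
    """
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


# Constructed lists (not any product's defaults). The client implements the
# whole candidate MUST set; the "fips" server is built without curve25519.
CLIENT_KEX = parse_name_list(
    "curve25519-sha256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256"
)
SERVER_KEX_DEFAULT = parse_name_list(
    "curve25519-sha256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256"
)
SERVER_KEX_FIPS = parse_name_list(
    "ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group14-sha256"
)
SERVER_KEX_LEGACY = parse_name_list("diffie-hellman-group1-sha1")

if __name__ == "__main__":
    for label, srv in (("default", SERVER_KEX_DEFAULT),
                       ("fips", SERVER_KEX_FIPS),
                       ("legacy", SERVER_KEX_LEGACY)):
        print(label, "->", choose_kex(CLIENT_KEX, srv) or "disconnect")
```

Against the FIPS-style server the client still gets ecdh-sha2-nistp384 (its own next preference, not the server's first choice), so supporting curve25519-sha256 costs the client nothing in interoperability; only the peer that shares no algorithm at all is refused.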