IETF Logo Mail Archive

Re: rsa-sha2-256/512: handling of incorrect signature encoding

"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Mon, 12 September 2016 21:36 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7361A12B09F for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Sep 2016 14:36:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.807
X-Spam-Level:
X-Spam-Status: No, score=-5.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVrO7R6PTudP for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Sep 2016 14:36:40 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78B5612B090 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 12 Sep 2016 14:36:40 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 9458A85ED7; Mon, 12 Sep 2016 21:36:39 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 46B9185ED3; Mon, 12 Sep 2016 21:36:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2DDE885ED0 for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 19:15:29 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id TKhjGhIGrT8d for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 19:15:28 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4A5FF84CFD for <ietf-ssh@netbsd.org>; Mon, 12 Sep 2016 19:15:28 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=denisbider.com; s=mail; h=from:subject:date:message-id:to:mime-version:content-type:in-reply-to: references; bh=9U6g2sVjtvC9XuZJHmR1WYJorC/+XDHQN6FXqXjVDnk=; b=OJ4BmlEefFVHROmsZn6rspOl3Zi13n+9jveX4IkZBzHOcEkTGdC0jmakU28n3HALtlAPeKj9E0GWb YzCpys4F173JAupSbHK1ypqAvgWHOC7SUYUc76TvJ0GUC7N75S+6FxP5DmfIUqz1WVm7YcsOUWv5vs RR4mPBmIlk9YL1NjE1NQ7ip+k+VjSk0IKSIY4I0IpiscTAX0vzxOVFqsjKf/ycn8SSTavuuPT80uhh oPFV/YgYmHM1yhoPUqIBj/dJPjpvQIefUPqAkUuFlLjnLek0+tLW5x3NoIDKi3MFSO8oSDRkMNapyI 4XeXmEpgF26VCwveIj/Nt1L6iDWGJ/g==
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Mon, 12 Sep 2016 20:15:22 +0100
Message-ID: <5A3D7904D0C749668769F3F30009C436@Khan>
From: "denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com>
To: "Ron Frederick" <ronf@timeheart.net>, <ietf-ssh@netbsd.org>
References: <88F8D101-CBAA-4E57-AD25-8F403B6B57BC@timeheart.net>
In-Reply-To: <88F8D101-CBAA-4E57-AD25-8F403B6B57BC@timeheart.net>
Subject: Re: rsa-sha2-256/512: handling of incorrect signature encoding
Date: Mon, 12 Sep 2016 13:14:20 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_003F_01D20CF7.928CEB90"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hello Ron,

I’m not familiar with the OpenSSH certificate implementation, but there is an RFC specifying the use of X.509 certificates in SSH that defines its own key type for RSA with SHA-2 based signatures:

https://tools.ietf.org/html/rfc6187

I don’t know what your users require, but from our users we are seeing requests to implement X.509 as per this RFC, not the @openssh versions.

denis


From: Ron Frederick 
Sent: Sunday, September 11, 2016 20:39
To: ietf-ssh@netbsd.org 
Subject: Re: rsa-sha2-256/512: handling of incorrect signature encoding

Denis Bider (Bitvise) wrote:

  If you are sending an rsa-sha2-XXX signature, you cannot set all 3 fields in the authentication request to "ssh-rsa", because then this makes for a SHA-1 signature as it was done traditionally, not a SHA-2 signature. To send a SHA-2 signature, at least one field has to contain "rsa-sha2-XXX".

  The draft specifically says the signature format names are "rsa-sha2-XXX", but the public key format name stays "ssh-rsa", which it must stay in order to preserve existing RSA key fingerprints.

  The signature format is defined thus:

    string    "rsa-sha2-256" / "rsa-sha2-512"
    string    rsa_signature_blob

  These specifications seem to me very clear and unambiguous. In a user authentication request, when sending a SHA-2 signature, the only correct encoding of algorithm names is as follows:

  byte      SSH_MSG_USERAUTH_REQUEST
  string    user name
  string    service name
  string    "publickey"
  boolean   TRUE
  string    "rsa-sha2-256" / "rsa-sha2-512"
  string    public key blob:
    string    "ssh-rsa"
    mpint     e
    mpint     n
  string    signature:
    string    "rsa-sha2-256" / "rsa-sha2-512"
    string    rsa_signature_blob
  If your implementation does not encode the algorithm names this way, it is incorrect. The latest OpenSSH versions encode the algorithm names this way, though a previous version used "ssh-rsa" in the third field by mistake.

  Bitvise SSH Client encodes the fields this way also, and the current version of Bitvise SSH Server expects the algorithm names this way, and only this way.

I did an implementation of this recently for AsyncSSH, and I have matched the above in the case where regular keys are used, with the first and third identifiers being rsa-sha2-256/rsa-sha2-512 and the second identifier remaining ssh-rsa when the new-style signatures are used. However, I also wanted to verify the correct identifiers to use in the certificate case.

Right now, I’m using ssh-rsa-cert-v01@openssh.com as both the first and second identifier in the certificate case, and only using rsa-sha2-256/rsa-sha2-512 for the third identifier associated with the signature. This seems to work when talking to an OpenSSH server, and in fact OpenSSH doesn’t seem to accept the certificate if the first identifier does not identify that a certificate is being used, even if the second identifier indicates that a certificate was provided as the public key blob.

I know that certificates are OpenSSH-specific, so my apologies in advance if this is the wrong list to ask this question on. I just happened to see this thread in the mailing list archive, and though it would be good to get confirmation from the group.
-- 
Ron Frederick
ronf@timeheart.net

v2.8.7 | Report a Bug | By Email