Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
nisse@lysator.liu.se (Niels Möller ) Sat, 13 February 2016 15:44 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5811A0196 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 13 Feb 2016 07:44:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.094
X-Spam-Level: *
X-Spam-Status: No, score=1.094 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.006] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rNBX8yKpMqo4 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 13 Feb 2016 07:44:29 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 227301A0194 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 13 Feb 2016 07:44:29 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 4059185E13; Sat, 13 Feb 2016 15:44:28 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 22B1B85DFE for <ietf-ssh@NetBSD.org>; Sat, 13 Feb 2016 15:44:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id DoHRshfBLRs7 for <ietf-ssh@netbsd.org>; Sat, 13 Feb 2016 15:44:24 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 49FEC84C6C for <ietf-ssh@NetBSD.org>; Sat, 13 Feb 2016 15:44:22 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 7AA9B4000B; Sat, 13 Feb 2016 16:44:19 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 8115E40004; Sat, 13 Feb 2016 16:44:17 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Sat, 13 Feb 2016 16:44:17 +0100
From: nisse@lysator.liu.se
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: denis bider <ietf-ssh3@denisbider.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, ietf-ssh@NetBSD.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
References: <99035674-2196@skroderider.denisbider.com> <24239.1455263382@eng-mail01.juniper.net>
Date: Sat, 13 Feb 2016 16:44:17 +0100
In-Reply-To: <24239.1455263382@eng-mail01.juniper.net> (Mark D. Baushke's message of "Thu, 11 Feb 2016 23:49:42 -0800")
Message-ID: <nn7fi87gz2.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
"Mark D. Baushke" <mdb@juniper.net> writes: > a) Should the draft list all of the Key Exchange Method Names > in the https://www.ietf.org/assignments/ssh-parameters/ssh-parameters.xml > table? I think that would be helpful. > If so, does the following capture the desired state? For discussion, it would also be helpful with another column with the previous status of the method. > Key Exchange Method Name Reference Note > diffie-hellman-group14-sha1 RFC4253 OPTIONAL > ecdh-sha2-nistp256 RFC5656 REQUIRED > ecdh-sha2-nistp384 RFC5656 REQUIRED > ecdh-sha2-nistp521 RFC5656 REQUIRED > diffie-hellman-group15-sha256 This Draft REQUIRED I don't think it makes sense with multiple REQUIRED algorithms. (Side note: The exact meaning of REQUIRED is somewhat unclear in the presence of local configuration. I think it means that an implementation MUST implement it and it MUST be enabled in the default configuration. If an algorithm is implemented but disabled in almost every actual configuration, then REQUIRED won't be of any help for interoperability). To me, the point of having a REQUIED algorithm is to make it possible to do a minimalistic implementation cutting off everything optional, and still be able to interoperate. And implementing three different EC curves well is not very minimal. It also seems unfortunate to degrade diffie-hellman-group14-sha1 directly from REQUIRED to OPTIONAL. It would be a nicer rollover to move it to RECOMMENDED (or RECOMMENDED until some specified date, if that's possible). And then elevate *one* other algorithm to REQUIRED, where I think my preference would be for a non-ec dh method, since (1) it's simpler, and (2) I think it's desirable over the coming years to move away from the old curves to "safe curves". If it really is necessary for security, deprecating diffie-hellman-group14-sha1 asap is the right thing to do. But first, I'd like to know if sha1 is believed vulnerable in the setting where it is used, mainly for key expansion. Attacks are a lot easier with input under the attackers control, but I'm not sure that happens when sha1 is used in the key exchange. E.g., I'd be surprised if there are any real issues with using sha1 to expand a *secret* diffie-hellman master key into several subkeys. > b) Is it desirable to specify all of group 14, 15, 16, 17, and 18 as > to the hashing algorithm to be used NOW? Or, is it better to drop > 15 and 17 for now? If so, is it desirable for group14-sha256 to be > REQUIRED, RECOMMENDED, or OPTIONAL ? We probably don't need all of them. I think what's most important is to have sha256 together with one or two groups with estimated security corresponding to some 250-300 bits. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- draft-baushke-ssh-dh-group-sha2-01 (was Re: DH gr… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Stephen Farrell
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… IWAMOTO Kouichi
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Simon Josefsson