IETF Logo Mail Archive

Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

"Mark D. Baushke" <mdb@juniper.net> Wed, 10 February 2016 17:24 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560851B2D70 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 09:24:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuYdIdaBZIOO for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 10 Feb 2016 09:24:48 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5050E1B2D6D for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 10 Feb 2016 09:24:48 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id E8BBC85F0D; Wed, 10 Feb 2016 17:24:46 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 5ACDA85EBA for <ietf-ssh@NetBSD.org>; Wed, 10 Feb 2016 17:24:40 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id VkJG6OCporeC for <ietf-ssh@netbsd.org>; Wed, 10 Feb 2016 17:24:39 +0000 (UTC)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0789.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc09::789]) by mail.netbsd.org (Postfix) with ESMTP id 1C6AA84CF5 for <ietf-ssh@NetBSD.org>; Wed, 10 Feb 2016 17:24:34 +0000 (UTC)
Received: from SN1PR05CA0027.namprd05.prod.outlook.com (10.163.68.165) by BN1PR05MB060.namprd05.prod.outlook.com (10.255.202.153) with Microsoft SMTP Server (TLS) id 15.1.403.16; Wed, 10 Feb 2016 17:24:32 +0000
Received: from BY2FFO11FD037.protection.gbl (2a01:111:f400:7c0c::104) by SN1PR05CA0027.outlook.office365.com (2a01:111:e400:5197::37) with Microsoft SMTP Server (TLS) id 15.1.403.16 via Frontend Transport; Wed, 10 Feb 2016 17:24:32 +0000
Authentication-Results: spf=softfail (sender IP is 66.129.239.18) smtp.mailfrom=juniper.net; cs.auckland.ac.nz; dkim=none (message not signed) header.d=none;cs.auckland.ac.nz; dmarc=none action=none header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.18 as permitted sender)
Received: from p-emfe01a-sac.jnpr.net (66.129.239.18) by BY2FFO11FD037.mail.protection.outlook.com (10.1.14.222) with Microsoft SMTP Server (TLS) id 15.1.409.7 via Frontend Transport; Wed, 10 Feb 2016 17:24:31 +0000
Received: from magenta.juniper.net (172.17.27.123) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 10 Feb 2016 09:24:29 -0800
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by magenta.juniper.net (8.11.3/8.11.3) with ESMTP id u1AHOQD24444; Wed, 10 Feb 2016 09:24:27 -0800 (PST) (envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1]) by eng-mail01.juniper.net (Postfix) with ESMTP id 3FBC111454; Wed, 10 Feb 2016 09:24:26 -0800 (PST)
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4BEC444@uxcn10-5.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4BEC444@uxcn10-5.UoA.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Wed, 10 Feb 2016 08:22:32 +0000."
From: "Mark D. Baushke" <mdb@juniper.net>
X-Phone: +1 408 745-2952 (Office)
X-Mailer: MH-E 8.6; nmh 1.2; GNU Emacs 24.3.1
X-Face: #8D_6URD2G%vC.hzU<dI&#Y9szHj$'mGtUq&d=rXy^L$-=G_-LmZ^5!Fszk:yXZp$k\nTF? 8Up0!v/%1Q[(d?ES0mQW8dRCXi18gK)luJu)loHk, }4{Vi`yX?p?crF5o:LL{6#eiO:(E:YMxLXULB k|'a*EjN.B&L+[J!PhJ*aX0n:5/
Date: Wed, 10 Feb 2016 09:24:26 -0800
Message-ID: <86698.1455125066@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; BY2FFO11FD037; 1:pmNkj9liZVgPGfz+3++1sQrNAR3TktzUhsJ76GuB2tgaIZYKZHkoTROY8y8TxLzPSiN2dnosjrYOkFBHRZFr3N1nrWFsDK5HiOrXAXZCMH6AQ70J7nQoClCOVAK1yjhHGZWVnFfjURveYmizVAQswxK7lLwQ7FO6fFZYExD1B4hBNVu7zGn63zSjhYv1e89+Z+ra7hO98qisAp8subhY2S6XMZVf1CX5cxWBAzQXFIpfVl/gwxCtT61KvGBucH8E0F1EwTtPQjeZp0MZTR7BUPE5eeg8WSIqX+wBRHebDCCwssv4Mg57d5mXAo7xzlkbufRREGFM5CNbwd1kSHshfr92BorsJF8FzRF336yxpOd6RVH5JhlvFO6qSeLHYAf6TcXB8lP/lpyr0IwgaBJ0VQ==
X-Forefront-Antispam-Report: CIP:66.129.239.18; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(2980300002)(199003)(164054003)(189002)(5003600100002)(6806005)(4326007)(110136002)(586003)(11100500001)(53416004)(2906002)(19580405001)(50226001)(1096002)(47776003)(86362001)(5001960100002)(76506005)(106466001)(50986999)(1220700001)(117636001)(76176999)(2950100001)(87936001)(50466002)(230783001)(5003940100001)(48376002)(189998001)(92566002)(15975445007)(105596002)(77096005)(2810700001)(19580395003)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR05MB060; H:p-emfe01a-sac.jnpr.net; FPR:; SPF:SoftFail; MLV:sfv; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BN1PR05MB060; 2:P2+y+T+4LRvQpkQBjAGkPqMgiJMVv0OW92atCowP+XNxyTKuY15cfu5WeoMiLNaNLf0JTvzgjp0V1cm0CRQ7RLLBGvpCOgor1gz3vR3I1iMran36WJo6AV2h98g4ArovgcYx84LloSym9QPTVH/pIg==; 3:4m7P4aeuo7tWVJ3hNtPbJnDsjlxyW1k3P1HXMM4gopoG95Akz7LZnkd06FdLmaBiv9Bt4qu54VdaLSKKgc1wruRVxLk/Ap4shtAhFp2LKcvHhIcaQ1jrH8ywqUUnE4EUFxNHd7JKE01RUkl0JqAMIAGvEzNa7RyAk+EKKLrgmAIQYiqnVThai+w349VjPkzbAkUEvWka9ElFumMJZVOPw4pZmd34o1b8fMbRL6nfsyU=; 25:fZQSRqAg1VFYWmvBaDmFs3LZgUoGoS3V5e453bEExCevta+WIPuJW8AxVRPpgJalH1ImsRFadZgM7+ozSFC3v+eZlfGyklYFeYiK4z7BPQfvTh0s9ttJ9VfR6rgd6cdm5UvAb5otT3oWhXl4J4PO04PJ8SCawf1qzKoKu6A1FmIGHN+L1u+JZFjoCJE/NtWGT3+H6Bc6doi+QULQMd5veuAmIgNTOzNjtlKZQvezL1gD1pKf+BGae04sA1fOxrf5sS3+3tqIqju605JpnfTTucjo7T0v10FfLjy4OaUB5R5S6iKqDZpx908KvR012pRd
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR05MB060;
X-MS-Office365-Filtering-Correlation-Id: 6058f879-f49f-4f48-cd20-08d3323f098f
X-Microsoft-Exchange-Diagnostics: 1; BN1PR05MB060; 20:odOrZqhr92CCjncRo0EkyR9v3A+zqI4moUTUKgej4/0bGWlYGBijTh5izzq9TLqNaianW1stVxreGMOO7NIN2H/GuxYw2UZkR5wr+OQ/g03xJJI/nNypBIDdzSxKp3fm6s1yzIB4Un6E70NlGD6Ak6k/uJgRwwKyWToa2Ee85hVCNnhDb83y3QDxU+uY/hX0pi9LtOZ+cdBuc2Ch0zc2lsEwQAeZlZo6BAWES3ZAo68jCcP/+xgRHjtvokovJ5yBibo2uQtp2yX+kYWPAdSjHPBILCI5m3wUiJjwoDI2D9tuleRZ/tLvb72sl4zyGVbLOQgRPwLDh3LnWg2+v8O8ysBIa3Of56BoKefSGSMmmIEn1r0l2VgTgjDabtWIOsQ7p3PT5WkU03kgKhMsMatdHMYsKeQb/jJW1sbC+a39N8w+8oI4j6vxI2yjo/4CFHQwNBj0zVG3VsnBNzYJ3U5U/kguHhTHzB1sZ1ErDiFbuJz5rgobjHhurCV9fVFX6Akl
X-Microsoft-Antispam-PRVS: <BN1PR05MB060835DE04EC07D8FE75611BFD70@BN1PR05MB060.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(13017025)(13024025)(5005006)(8121501046)(13018025)(13023025)(13015025)(10201501046)(3002001); SRVR:BN1PR05MB060; BCL:0; PCL:0; RULEID:; SRVR:BN1PR05MB060;
X-Microsoft-Exchange-Diagnostics: 1; BN1PR05MB060; 4:3dI9ayEskbQFw6HYjUA6oOyOLPcS4C3ib7WDrcugb6mK5iX26FPDAnHUeFnvWc3Xai81wzr++++FukM1DhVgu8DjM0dMoM2XruXW0A+RztG5n5/1e55QcAddleYZwBPM6ZO30TyAb7FwKgfarlikbWc082QJiIWQrOwsYX4uLAJAGGuecxpEb9Nug25WSscGuKFp0pO7tV7iuw2Svdi6Wz9rQsUzgcJbls8izlD7lasFPwe5fNMNJ3t5ml50C4+mJnVbm8p4mWl7jkEp7BgXCCaD3ve+f7p/JRe917JOf0cjTiCmuq7iT30lID429YLYnduLwUeX4/9voFQRVXfBiRg2GEdhl79nPkpOa96yi5oAG9K9pNk1q5o8uDK/i0ziYsc1zuzo30w2jS6LZ78eJ9ghY/Dg2AJ294aKOgASzVQ/ujhWg5U1cLDrSFvtidV9YAoMdydxXtYMnNXdGh5rsg==
X-Forefront-PRVS: 0848C1A6AA
X-Microsoft-Exchange-Diagnostics: 1; BN1PR05MB060; 23:ldmqdXhRPD80VW6//Uw4e92g7oiocN5orqPl00WhmkctS5r53AFCIDRYi/vklBLBRDNeRB68CFK9yZbC8DrCFmE9XHOIo9nJ+gcJs2ORKsg6AKJOQZI+zENL0wdqstMyydMBky5GuEmuz4NvqU+87V3RijhZ4dvrjldgJief7afej3XIiVf857pYswSiZCWXTnyeQQr0mohcsYwySzS4ivtnQyXSDSP6rgVO2Ofnae+EOPtlmXGNYvwB3bl615aYRE6AXDUqYEftcfo6QQpRZys0L4gOPu6O3y7JfRuAAOD1DzBOjm7yZQ6KBq0iIlF+hhLMDseO0Dt+OXcskjJa0y3KN8fkbcfELQlO+9oReP+ENIpdHZxWWe4PBCMLYz5sjio4vY1RJHuRjsbFS2uFIZrRE2xAjCp6cr2AITbo9pOevyOg31d5lHB3/188cyiy/ASIAbEZokVdz1DwLDKFRKYqo0XQyl/rT+bR5U6kKBy8Fb4s7j2gMwvtlYxEhpFboxchA8eZIWoVA1Fr5J6CoWoDv4T058hUliiA3HP7pwswwb5kYfpB3vxoHVKc54+gOyHowxi4iR/NYrzp2+dnbRy7CXbhZBm+L3rXpqFmXKWY2Qt8uCHzavhZ4qMEz/yqVsi9qWuI1hgDIv22+ej3Gz6OZOqfkUJRbdNwguCGsLIxPFlWq6bNXFs5A56vWTju/IQQAm26fECSzoAUPw/LtUnVe1gKtiKzX2YWu50gfNGJZ/qZjJV2pJz7uch20bOYwfInwlZT7XTU8ASyovcWIGnYgMEom0Ckli1Jwjnlu5QR4lxoKDNh4FhJuTdVM+o0AqTrHG0PohyL6MSb20PyzJ8ERPrSlX8OVSQDNrWCkNJL6rvhlJy++NBpASB7+SsDWh21RpkO03lgkfygVoMygEogQcr4cbUmCnGsDLyFfECKOiu+/c3JeDVmo/64lgZfA0oJgV8WIYsYYf7RY7ajOhxmPcai0dBnZy61vpaZZVh4cX/FVsdEYtNYcA6fm/SvpFNLMPGl/QRxV6VL7NJS+XPfUY8+4VqL8S9OFz7EZi0=
X-Microsoft-Exchange-Diagnostics: 1; BN1PR05MB060; 5:Gp0uQKsQrAFBXmMa44kr71rBtjP5/JhJesFTDwCMQRy3b8UROLGJYRd4r/5+ykZN5rTaidrH3NQ2+WVx0MRqd2PUooBgpD5Dwr2tSD6tbLjWjDWHG2raeoea83NRkan8HFj9K3d+5Sa0R8d9hW9u7g==; 24:lzEV2UZkTVbKFKnroqr1d6wNbQ2rB+K4Tn4Sf/Lukzx206tYAtHgjutddB65O0lnOSpAJc2fXKfkbv6VyiOOLSxWexKcs+1U0zTLXdMPFWw=
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Feb 2016 17:24:31.1779 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.18]; Helo=[p-emfe01a-sac.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR05MB060
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Damien Miller <djm@mindrot.org> writes:
> 
> >So my recommendation would be:
> >
> >diffie-hellman-group1-sha1        NOT RECOMMENDED
> >diffie-hellman-group14-sha256     RECOMMENDED
> >diffie-hellman-group16-sha512     RECOMMENDED
> >diffie-hellman-group18-sha512     OPTIONAL
> >
> >(but 16+256 & 18+512 would be fine too)
> 
> From an embedded perspective (which is what triggered this late reply) I'd
> prefer the -256's over the -512's, the less extra huge hash functions I have
> to include code for the better.  I'd also like to see SHA-1 just die, there's
> no reason to specify it in a new spec published in 2016.  Having said that I
> realise that there are other profiles that still specify SHA-1, but then I'd
> like to at least see the wording given as "SHOULD NOT" rather than "NOT
> RECOMMENDED".  The latter is for restaurants, not security-critical
> infrastructure components.

RFC2119 says that "SHOULD NOT" and "NOT RECOMMENDED" have the same meaning.

To make it stronger would mean moving to "MUST NOT" instead.

Today diffie-hellman-group1-sha1 is "REQUIRED" so I only moved to
"NOT RECOMMENDED/SHOULD NOT" are you suggesting a need to move to
"MUST NOT" here?

Today diffie-hellman-group14-sha1 is "REQUIRED" and is not mentioned. Do
you believe that we should change that one to "OPTIONAL/MAY" and select
a new "REQUIRED" key exchange to avoid SHA-1? If so, which one should
now be "REQUIRED" ?

> In fact same with RECOMMENDED and OPTIONAL, what's wrong with SHOULD
> and MAY? 

Nothing is wrong with SHOULD or MAY. Per RFC2119:

   * "RECOMMENDED" and "SHOULD" are equivalent

   * "OPTIONAL" and "MAY" are equivalent

   * "MUST" and "REQUIRED" are equivalent

> Those are more widely-used in standards.

I have seen the terms used interchangeably per RFC2119.

> In particular I'd like to be able to point to SHA-1 as SHOULD NOT
> (which is pretty unambiguous) rather than NOT RECOMMENDED, which seems
> to say that people can keep on using it for as long as they like.

The terms are supposed to be understood in the context of RFC2119.

Are you speaking of the use of SHA-1 in key exchange only?

There is diffie-hellman-group-exchange-sha1 in RFC4419 which also uses
SHA-1. I presume it is currently an OPTIONAL key exchange. Should we
be moving it to a MUST NOT now too?

I have no strong preference for which of the equivalent terms are used
if it helps make the point better. Does it really make the point better?

> It'd also be good to include a note, where the groups are defined not
> down in the security considerations, saying that the SHA-1 option is
> provided for backwards compatibility, shouldn't be used in new
> designs, and should be phased out of existing ones as quickly as
> possible because it's not secure.

The concern for SHA-1 is specified in the Overview nd Rationale
as well as in the Security Considerations section. Where do you
feel it should be noted in addition to those two locations?

> The danger here is is illustrated by the TLS 1.2 RFC:
...elided...

Yes, I think we are currently trying to do the right thing with the
Secure Shell requirements.

I suspect we really do need to have at least one REQUIRED key exchange
mechanism that is common before and after these drafts are published.
Otherwise, we probably need to bump to SSHv3 if we are going to get
rid of all of the MUST NOT algorithms.

Are there any additional thoughts for this draft?

Is it desirable to list out all of the Key Exchange Method names in the
https://www.ietf.org/assignments/ssh-parameters/ssh-parameters.xml table
and their new state?


Key Exchange Method Names

Method Name                           Reference     Note
diffie-hellman-group-exchange-sha1    RFC4419       MUST NOT
diffie-hellman-group-exchange-sha256  RFC4419       MAY
diffie-hellman-group1-sha1            RFC4253       MUST NOT
diffie-hellman-group14-sha1           RFC4253       MAY
ecdh-sha2-nistp256                    RFC5656       MUST
ecdh-sha2-nistp384                    RFC5656       MUST
ecdh-sha2-nistp521                    RFC5656       MUST
ecdh-sha2-*                           RFC5656       Other curves are possible?
ecmqv-sha2                            RFC5656       MAY
gss-gex-sha1-*                        RFC4462       MUST NOT
gss-group1-sha1-*                     RFC4462       MUST NOT
gss-group14-sha1-*                    RFC4462       MUST NOT
gss-*                                 RFC4462       MAY
rsa1024-sha1                          RFC4432       MUST NOT
rsa2048-sha256                        RFC4432       MAY
diffie-hellman-group14-sha256         This Draft    MAY
diffie-hellman-group15-sha256         This Draft    MUST
diffie-hellman-group16-sha512         This Draft    SHOULD
diffie-hellman-group17-sha512         This Draft    MAY
diffie-hellman-group18-sha512         This Draft    MAY

Above I have moved all of the *sha1* exchange methods to MUST NOT
with the exception of diffie-hellman-group14-sha1. Should that one
also be moved to MUST NOT too?

If we want to fix RFC4419 to pass q in addition to g,p so that we are
able to use Lim/Lee primes for q and allow for run-time checking of a g
being a generator of the q-ordered subgroup, does that need to be rolled
into this draft too? What do we want to call this option for negotiation?

Additional comments solicited on these topics.

	Thanks,
	-- Mark

v2.23.0 | Report a Bug | By Email