IETF Logo Mail Archive

Re: DH group exchange (Re: SSH key algorithm updates)

denis bider <ietf-ssh3@denisbider.com> Sun, 08 November 2015 15:38 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271231B3178 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 8 Nov 2015 07:38:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOfbtPqPeHBt for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 8 Nov 2015 07:38:42 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 521291B3147 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 8 Nov 2015 07:38:42 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 600C314A2C2; Sun, 8 Nov 2015 15:38:40 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 05B0714A2BF; Sun, 8 Nov 2015 15:38:40 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 7D83514A2C2 for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 10:30:01 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 00ijoZ1-dzWC for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 10:30:00 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id A5B1014A2A5 for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 10:30:00 +0000 (UTC)
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com for pgut001@cs.auckland.ac.nz; Sun, 8 Nov 2015 10:29:57 +0000
Date: Sun, 08 Nov 2015 10:29:57 +0000
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
X-User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Message-ID: <2101577796-896@skroderider.denisbider.com>
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
From: denis bider <ietf-ssh3@denisbider.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-ssh@netbsd.org
Content-Type: multipart/alternative; boundary="=-aqENt4QAqUz62vqQAmd8"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> The annoying thing about this change is that it's going to take me
> about 20x as long to do the spec describing it as it will to make
> the code changes, sigh.

That's the thing with writing every spec. :)

I find, though, that the extra effort in writing a spec contributes in important ways to thinking of and addressing corner cases, which an intuitive implementation process might otherwise gloss over. It's 80% more work for what seems like 20% more correctness, but those 20% more correctness tend to make or break the thing, in many cases.

If we had infinite time, we should be writing all the specs.

It might even save us time in the long run... :)


----- Original Message -----
From: Peter Gutmann 
Sent: Sunday, November 8, 2015 03:42
To: denis bider ; Mark D. Baushke 
Cc: Jeffrey Hutzelman ; Niels Möller ; ietf-ssh@NetBSD.org ; stephen.farrell@cs.tcd.ie ; jon@siliconcircus.com 
Subject: RE: DH group exchange (Re: SSH key algorithm updates)

denis bider <ietf-ssh3@denisbider.com> writes:

>If this new draft could specify group generation such that:
>
>- Windows built-in crypto (CNG) running under FIPS mode
>
>- and possibly, but not as critically, the Crypto++ 5.3.0 FIPS-certified module
>
>could reliably use parameters sent by servers that implement the new spec -
>that would be quite awesome.

I don't know if you need to specify the exact generation method, only the
verification checks to perform, which are given in FIPS 186.  The intent is to
create verifiable DH parameters, so the important thing is the verification
mechanism, not the generation one (both safe primes and Lim-Lee primes, for
example, will produce verifiable values).  It would certainly make sense, if
you're using { p, q, g } primes, to require that they be verified as per the
FIPS 186 checks, since that's the point to using them.

The annoying thing about this change is that it's going to take me about 20x
as long to do the spec describing it as it will to make the code changes,
sigh.

One other thing that'd be good to have, based on the Logjam paper, is to
specify some means of distinguishing g from q, since Logjam mentions that
there are implementations that confuse the two.  Does anyone have problems
with requiring that g = <small integer>?  This both makes the DH op much more
efficient, and makes it easy to quickly distinguish g from q without requiring
complex bignum ops.

Peter.

v2.23.0 | Report a Bug | By Email