IETF Logo Mail Archive

DH group exchange (Re: SSH key algorithm updates)

denis bider <ietf-ssh3@denisbider.com> Sat, 07 November 2015 09:31 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7AD21B2E95 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 7 Nov 2015 01:31:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.909
X-Spam-Level:
X-Spam-Status: No, score=-3.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FGTeVsvwQ6P5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 7 Nov 2015 01:31:32 -0800 (PST)
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 815A21B2E5D for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 7 Nov 2015 01:31:32 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 08FF114A2E1; Sat, 7 Nov 2015 09:31:32 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id A0E6614A20E; Sat, 7 Nov 2015 09:31:31 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 6216414A1EC for <ietf-ssh@NetBSD.org>; Sat, 7 Nov 2015 03:33:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id s82DMtDsxKgD for <ietf-ssh@NetBSD.org>; Sat, 7 Nov 2015 03:33:16 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 391C714A1EB for <ietf-ssh@NetBSD.org>; Sat, 7 Nov 2015 03:33:16 +0000 (UTC)
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com for nisse@lysator.liu.se; Sat, 7 Nov 2015 03:33:14 +0000
Date: Sat, 07 Nov 2015 03:33:14 +0000
Subject: DH group exchange (Re: SSH key algorithm updates)
X-User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Message-ID: <1990286542-756@skroderider.denisbider.com>
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
From: denis bider <ietf-ssh3@denisbider.com>
To: Niels Möller <nisse@lysator.liu.se>, Jeffrey Hutzelman <jhutz@cmu.edu>
Cc: "Mark D. Baushke" <mdb@juniper.net>, ietf-ssh@NetBSD.org, stephen.farrell@cs.tcd.ie, jon@siliconcircus.com
Content-Type: multipart/alternative; boundary="=-1IF1pMIhT2ifq7HRhxTs"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Some info on DH group exchange that one might find useful:

- Our SSH Server does not generate groups. It just gives the client group14, or else group1 if client’s max size is below group14.

- Our SSH Client cannot reliably digest broken groups generated by most implementations that actually generate groups on the fly.

The Client (and Server, but this is not a problem in the Server) uses a FIPS-compliant crypto provider (Crypto++ 5.3.0) which performs DH parameter validation that cannot be disabled. This validation fails on DH parameters with groups generated by most server implementations (including but not limited to OpenSSH). It is possible to connect, but with something like 50% chance of failure.

Since we cannot disable the DH parameter validation without compromising the FIPS module, the Client de-prioritizes DH-gex methods in favor of any other enabled key exchange method (by default ecdh, dh-group14).

So, yes. From our point of view:

>  I was thinking of the receiver of the group list,
> it has to be prepared to handle any group,
> and make an intelligent choice. My gut
> feeling is that there may be some subtleties there.

... there are indeed such "subtleties". :)

It is a fairly substantial problem that most dynamically generated groups aren't usable with our FIPS module.


----- Original Message -----
From: Niels "Möller" 
Sent: Friday, November 6, 2015 00:50
To: Jeffrey Hutzelman 
Cc: Mark D. Baushke ; denis bider ; ietf-ssh@NetBSD.org ; stephen.farrell@cs.tcd.ie ; jon@siliconcircus.com 
Subject: Re: SSH key algorithm updates

Jeffrey Hutzelman <jhutz@cmu.edu> writes:

> On Fri, 2015-11-06 at 06:16 +0100, Niels Möller wrote:

[about hmac-sha1]

> Your understanding matches mine.  However, it's still only a 160-bit
> hash, and eventually that just stops being strong enough.  I'd like to
> have something stronger implemented and reasonably widely deployed
> before then.

Reasonable. We need to specify a new REQUIRED algorithm. Demoting
HMAC-SHA1 to recommended lets implementations drop support in due time
without formally departing from the standard. It would kind-of make
sense to specify a flag day "algothithm X is REQUIRED until date Y,
after which is is only RECOMMENDED", but not worth the effort to
formalize.

> SSH's 3des-cbc is three-key EDE 3DES.  It has an effective key length of
> 112 bits, and so is weaker than AES128.

But the "effective key bits" attack is a time/memory-tradeoff which
requires a huge table, right? So in practice I'm not sure a brute force
attack on 3DES really can be expected to be 16 times faster than a brute
force attack on aes128.

> It's also a CBC mode and AFAIK has the same problems as all of SSH's
> other CBC-mode ciphers.

Right, reprecating CBC makes sense. What's the status of 3des-ctr mode?
Not at all as widely deployed as 3des-cbc, I imagine.

> Group exchange doesn't have to mean live, dynamic group generation.  It
> can work fine with a set of fixed groups, either manually configured or
> compiled in.  

Hmm. I was thinking of the receiver of the group list, it has to be
prepared to handle any group, and make an intelligent choice. My gut
feeling is that there may be some subtleties there. But maybe there's no
issue to trust the server and just choose the largest group you think
you can afford to compute with.

> I'd have to go back and look, but I think the sense of the
> group at the time was that there was no reason to define more variations
> with the group baked into the algorithm names.

I can see that argument. Perhaps we shouldn't get into that now, but I
could see scenarious where client might have a preference like

  1. Large Z_p group (preferred option)
  2. curve25519      (acceptable)
  3. Small Z_p group (not acceptable)

Then negotiation fails in the case that they agree on group exchange,
but the server offers only small Z_p groups. While with named groups,
they might have agreed to use curve25519.

Feel free to ignore this discussion if you find in untimely or
distracting. There's a spec for it and noone on the list have raised any
serious security concerns.

>> Is that related to the (now expireed, I think) draft I and Simon wrote
>> some time ago? I'm not following the cfrg work.
>
> I'm not sure.  It's only a month old, and does have Simon's name on it.

Hmm. It looks like like it's based on our earlier version. I think the python
reference implementation of ed25519 is the same. Nice.

Regards,
/Niels


-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

v2.23.0 | Report a Bug | By Email