Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb@juniper.net> Wed, 11 November 2015 09:30 UTC

To: Niels Möller <nisse@lysator.liu.se>
CC: Damien Miller <djm@mindrot.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
In-Reply-To: <nnbnb11utb.fsf@armitage.lysator.liu.se>
References: <9A043F3CF02CD34C8E74AC1594475C73F4B5993D@uxcn10-5.UoA.auckland.ac.nz> <2096379125-720@skroderider.denisbider.com> <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz> <55190.1447001241@eng-mail01.juniper.net> <9A043F3CF02CD34C8E74AC1594475C73F4B5A9BC@uxcn10-5.UoA.auckland.ac.nz> <nnziyn2ft7.fsf@armitage.lysator.liu.se> <65113.1447107876@eng-mail01.juniper.net> <nn37we320r.fsf@armitage.lysator.liu.se> <alpine.BSO.2.20.1511101829460.8324@natsu.mindrot.org> <90378.1447145301@eng-mail01.juniper.net> <nnbnb11utb.fsf@armitage.lysator.liu.se>
Comments: In-reply-to: Niels Möller <nisse@lysator.liu.se> message dated "Tue, 10 Nov 2015 21:08:32 +0100."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Tue, 10 Nov 2015 23:18:43 -0800
Message-ID: <41119.1447226323@eng-mail01.juniper.net>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi Niels,

Niels Möller <nisse@lysator.liu.se> writes:

> "Mark D. Baushke" <mdb@juniper.net> writes:
> 
> > Given that OpenSSH is using group16 with sha2-256 preserves 128 bits of
> > security,
> 
> How do you reason about that halving, from 256 to 128?

sha2-256 has 128 bits of security per NIST SP 800-107-rev1.

> For the key expansion, I'd expect that you can count very close to 256
> bits of entropy in the generated keys (assuming the secret dh values
> were generated randomly).

Attacks on the signature hash will only need to brute force about half
of the keyspace on average to recover the key.

> Now, you will start to get some repeated session keys, i.e., collisions,
> after about 2^128 sessions. But that has little to do with the hash
> function: if we had a crypto system which for each session generated a
> 256-bit session key from a truly random source, we'd also get collisions
> after about 2^128 sessions. But I think the conventional way to assign a
> security level to such a system is 2^256 (the difficulty of exhaustive
> key search), not 2^128.
> 
> Am I missing something?

I have always been told that one should choose a signature mechanism
which provides the same number of bits of security as the asymmetric or
symmetric encryption keys.

See also:

  http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf
  Section 4.2 table 1.

Or look at the tables in these documents:

  http://www.keylength.com/en/4/
  https://wiki.mozilla.org/Security/Guidelines/Key_Management

I suppose I may have been over conservative in my numbers...

	-- Mark
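The halving debated above, as an added illustration that is not part of the thread: NIST SP 800-107 rev1 Table 1 rates an n-bit hash at n/2 bits of collision resistance (the birthday bound) but n bits of preimage resistance, and exhaustive search of an n-bit key is likewise n bits, so SHA-256 is 128 bits by the collision measure and 256 by the key-search measure Niels describes. The script also runs the birthday bound empirically on a truncated SHA-256; the `session-N` inputs are constructed for the demo.

```python
import hashlib
import math


def security_strengths(hash_bits: int) -> dict:
    """Strengths in bits for an n-bit hash, following SP 800-107 rev1 Table 1.

    Collision resistance is n/2 (birthday bound); preimage and second-preimage
    resistance are n. Exhaustive search of an n-bit symmetric key is also n,
    which is the measure the quoted reply applies to a 256-bit session key.
    """
    return {
        "collision": hash_bits // 2,
        "preimage": hash_bits,
        "key_search": hash_bits,
    }


def expected_birthday_trials(bits: int) -> float:
    """Expected number of uniformly random n-bit values before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_sha256(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits so a collision is reachable in a demo."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def first_collision(bits: int, limit: int = 4_000_000) -> int:
    """Hash constructed inputs b'session-0', b'session-1', ... and return how
    many were hashed when two first shared a truncated digest (0 if none)."""
    seen = {}
    for i in range(limit):
        h = truncated_sha256(b"session-%d" % i, bits)
        if h in seen:
            return i + 1
        seen[h] = i
    return 0


if __name__ == "__main__":
    print(security_strengths(256))
    n = first_collision(32)
    # A 32-bit truncation collides after roughly 2^16 hashes, not 2^32,
    # which is the same n/2 effect that yields 128 for full SHA-256.
    print(f"32-bit truncation: collision after {n} hashes, "
          f"expected about {expected_birthday_trials(32):.0f}")
```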