IETF Logo Mail Archive

Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

denis bider <ietf-ssh3@denisbider.com> Sun, 14 February 2016 08:09 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 963441B3A86 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 14 Feb 2016 00:09:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.006] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hn7m5759wPu4 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sun, 14 Feb 2016 00:09:35 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 386831B3A7F for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 14 Feb 2016 00:09:35 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 0233E85EA8; Sun, 14 Feb 2016 08:09:35 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id B1D0A85E1A; Sun, 14 Feb 2016 08:09:34 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id A891D85E70 for <ietf-ssh@NetBSD.org>; Fri, 12 Feb 2016 11:52:48 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id KRJoe3bCEL3Q for <ietf-ssh@netbsd.org>; Fri, 12 Feb 2016 11:52:47 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id C3A2384CFD for <ietf-ssh@NetBSD.org>; Fri, 12 Feb 2016 11:52:47 +0000 (UTC)
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com for mdb@juniper.net; Fri, 12 Feb 2016 11:52:46 +0000
Date: Fri, 12 Feb 2016 11:52:46 +0000
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
X-User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Message-ID: <114857654-3608@skroderider.denisbider.com>
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
From: denis bider <ietf-ssh3@denisbider.com>
To: "Mark D. Baushke" <mdb@juniper.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-ssh@NetBSD.org
Content-Type: multipart/alternative; boundary="=-K6dV3/A7wbvdaFV/tfoE"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hey Mark -

I can't say whether the draft "should" list all the key exchange method names. This might impose procedural complications on the draft's acceptance that I'm not aware of. However, if we are in a position to update the full table of key exchange methods, it would seem a useful service to do so.

If we are in this position, it seems to me that the below table does mostly capture the desired state. Comments:

- If "diffie-hellman-group14-sha1" is OPTIONAL; then it seems inconsistent that "gss-group14-sha1-*" is NOT RECOMMENDED. Both use group14 with SHA-1. I would specify gss-group14-sha1-* as OPTIONAL, given that there's currently no replacement.

- Given recent NSA/NIST guidelines, "ecdh-sha2-nistp256" should be demoted from REQUIRED to either OPTIONAL, or RECOMMENDED.

- Given these same guidelines, I'd prefer to use SHA-512 with group15.

With regard to rsa1024-sha1 and rsa2048-sha256 key exchange methods ( RFC 4432) - according to this comparison, these are implemented by at least PuTTY and vSSH:

http://ssh-comparison.quendi.de/comparison.html

With regard to gss-* methods from RFC 4432 - our software implements this, both client side and server side. According to the above comparison, Paramiko and SecureCRT also have this.

The current version of our SSH Server enables gss-gex-sha1-* and gss-group14-sha1-* by default. The SSH Client does not, but they can be enabled accessibly on the Login tab (by checking "SSPI/Kerberos 5 key exchange").

As far as actual usage - we had a recent report involving gss-gex-sha1-* with our client and another server, so it does seem to be useful occasionally.

I am in favor of including groups 15 and 17; especially group 15.

For group14-sha256, I think REQUIRED and RECOMMENDED may be poor choices because of its low-ish cryptographic strength, based on current understanding. I think OPTIONAL is a good choice here.

I agree with group15 being either RECOMMENDED or REQUIRED - preferably with SHA-512 - so that we might have a strong, widely implemented key exchange method that fits the latest NSA/NIST recommendations, and is not EC-based (just in case).

denis


----- Original Message -----
From: Mark D. Baushke
Sent: Friday, February 12, 2016 01:49
To: denis bider
Cc: Peter Gutmann ; ietf-ssh@NetBSD.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Hi denis,

Two questions:

  a) Should the draft list all of the Key Exchange Method Names
     in the https://www.ietf.org/assignments/ssh-parameters/ssh-parameters.xml
     table?

     If so, does the following capture the desired state?
 
Key Exchange Method Name              Reference     Note
diffie-hellman-group-exchange-sha1    RFC4419       NOT RECOMMENDED
diffie-hellman-group-exchange-sha256  RFC4419       OPTIONAL
diffie-hellman-group1-sha1            RFC4253       NOT RECOMMENDED
diffie-hellman-group14-sha1           RFC4253       OPTIONAL
ecdh-sha2-nistp256                    RFC5656       REQUIRED
ecdh-sha2-nistp384                    RFC5656       REQUIRED
ecdh-sha2-nistp521                    RFC5656       REQUIRED
ecdh-sha2-*                           RFC5656       OPTIONAL
ecmqv-sha2                            RFC5656       OPTIONAL
gss-gex-sha1-*                        RFC4462       NOT RECOMMENDED
gss-group1-sha1-*                     RFC4462       NOT RECOMMENDED
gss-group14-sha1-*                    RFC4462       NOT RECOMMENDED
gss-*                                 RFC4462       OPTIONAL
rsa1024-sha1                          RFC4432       NOT RECOMMENDED
rsa2048-sha256                        RFC4432       OPTIONAL
diffie-hellman-group14-sha256         This Draft    OPTIONAL
diffie-hellman-group15-sha256         This Draft    REQUIRED
diffie-hellman-group16-sha512         This Draft    RECOMMENDED
diffie-hellman-group17-sha512         This Draft    OPTIONAL
diffie-hellman-group18-sha512         This Draft    OPTIONAL

Note: I do not know of any rsa2048-sha256 implementations from RFC4432,
I suspect at least someone is using it or it would not be in RFC4432,
who is using it? A similar question for gss-* and RFC4462 comes to mind
as well.

  b) Is it desirable to specify all of group 14, 15, 16, 17, and 18 as
     to the hashing algorithm to be used NOW? Or, is it better to drop
     15 and 17 for now? If so, is it desirable for group14-sha256 to be
     REQUIRED, RECOMMENDED, or OPTIONAL ?

diffie-hellman-group14-sha256         This Draft    RECOMMENDED
diffie-hellman-group16-sha512         This Draft    RECOMMENDED
diffie-hellman-group18-sha512         This Draft    OPTIONAL

Thank you for your consideration.

-- Mark

v2.23.0 | Report a Bug | By Email