Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
denis bider <ietf-ssh3@denisbider.com> Sun, 14 February 2016 08:09 UTC
Date: Fri, 12 Feb 2016 11:52:46 +0000
From: denis bider <ietf-ssh3@denisbider.com>
To: "Mark D. Baushke" <mdb@juniper.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-ssh@NetBSD.org
Hey Mark -

I can't say whether the draft "should" list all the key exchange method names. This might impose procedural complications on the draft's acceptance that I'm not aware of. However, if we are in a position to update the full table of key exchange methods, it would seem a useful service to do so.

If we are in this position, it seems to me that the below table does mostly capture the desired state. Comments:

- If "diffie-hellman-group14-sha1" is OPTIONAL, then it seems inconsistent that "gss-group14-sha1-*" is NOT RECOMMENDED. Both use group14 with SHA-1. I would specify gss-group14-sha1-* as OPTIONAL, given that there's currently no replacement.

- Given recent NSA/NIST guidelines, "ecdh-sha2-nistp256" should be demoted from REQUIRED to either OPTIONAL or RECOMMENDED.

- Given these same guidelines, I'd prefer to use SHA-512 with group15.

With regard to rsa1024-sha1 and rsa2048-sha256 key exchange methods (RFC 4432) - according to this comparison, these are implemented by at least PuTTY and vSSH:

http://ssh-comparison.quendi.de/comparison.html

With regard to gss-* methods from RFC 4432 - our software implements this, both client side and server side. According to the above comparison, Paramiko and SecureCRT also have this.

The current version of our SSH Server enables gss-gex-sha1-* and gss-group14-sha1-* by default. The SSH Client does not, but they can be enabled accessibly on the Login tab (by checking "SSPI/Kerberos 5 key exchange"). As far as actual usage - we had a recent report involving gss-gex-sha1-* with our client and another server, so it does seem to be useful occasionally.

I am in favor of including groups 15 and 17, especially group 15.

For group14-sha256, I think REQUIRED and RECOMMENDED may be poor choices because of its low-ish cryptographic strength, based on current understanding. I think OPTIONAL is a good choice here.

I agree with group15 being either RECOMMENDED or REQUIRED - preferably with SHA-512 - so that we might have a strong, widely implemented key exchange method that fits the latest NSA/NIST recommendations, and is not EC-based (just in case).

denis

----- Original Message -----
From: Mark D. Baushke
Sent: Friday, February 12, 2016 01:49
To: denis bider
Cc: Peter Gutmann; ietf-ssh@NetBSD.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Hi denis,

Two questions:

a) Should the draft list all of the Key Exchange Method Names in the https://www.ietf.org/assignments/ssh-parameters/ssh-parameters.xml table? If so, does the following capture the desired state?

  Key Exchange Method Name               Reference    Note
  diffie-hellman-group-exchange-sha1     RFC4419      NOT RECOMMENDED
  diffie-hellman-group-exchange-sha256   RFC4419      OPTIONAL
  diffie-hellman-group1-sha1             RFC4253      NOT RECOMMENDED
  diffie-hellman-group14-sha1            RFC4253      OPTIONAL
  ecdh-sha2-nistp256                     RFC5656      REQUIRED
  ecdh-sha2-nistp384                     RFC5656      REQUIRED
  ecdh-sha2-nistp521                     RFC5656      REQUIRED
  ecdh-sha2-*                            RFC5656      OPTIONAL
  ecmqv-sha2                             RFC5656      OPTIONAL
  gss-gex-sha1-*                         RFC4462      NOT RECOMMENDED
  gss-group1-sha1-*                      RFC4462      NOT RECOMMENDED
  gss-group14-sha1-*                     RFC4462      NOT RECOMMENDED
  gss-*                                  RFC4462      OPTIONAL
  rsa1024-sha1                           RFC4432      NOT RECOMMENDED
  rsa2048-sha256                         RFC4432      OPTIONAL
  diffie-hellman-group14-sha256          This Draft   OPTIONAL
  diffie-hellman-group15-sha256          This Draft   REQUIRED
  diffie-hellman-group16-sha512          This Draft   RECOMMENDED
  diffie-hellman-group17-sha512          This Draft   OPTIONAL
  diffie-hellman-group18-sha512          This Draft   OPTIONAL

Note: I do not know of any rsa2048-sha256 implementations from RFC4432. I suspect at least someone is using it or it would not be in RFC4432; who is using it? A similar question for gss-* and RFC4462 comes to mind as well.

b) Is it desirable to specify all of group 14, 15, 16, 17, and 18 as to the hashing algorithm to be used NOW? Or, is it better to drop 15 and 17 for now?

If so, is it desirable for group14-sha256 to be REQUIRED, RECOMMENDED, or OPTIONAL?

  diffie-hellman-group14-sha256          This Draft   RECOMMENDED
  diffie-hellman-group16-sha512          This Draft   RECOMMENDED
  diffie-hellman-group18-sha512          This Draft   OPTIONAL

Thank you for your consideration.

-- Mark
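An added example (not code from the draft, from denis or from Mark) that turns the proposed status table above into an audit of an SSH server's KEXINIT name-list: the statuses are copied from Mark's first table, while the longest-match rule for the registry wildcards (gss-*, ecdh-sha2-*), the audit functions and the sample name-list are constructed here.

```python
# Constructed audit of a KEXINIT name-list against the statuses proposed in
# the thread. KEX_STATUS copies Mark Baushke's quoted table; everything else
# (longest-match wildcard rule, audit functions, SAMPLE) is constructed.
from fnmatch import fnmatchcase

KEX_STATUS = {  # Key Exchange Method Name -> proposed status
    "diffie-hellman-group-exchange-sha1": "NOT RECOMMENDED",
    "diffie-hellman-group-exchange-sha256": "OPTIONAL",
    "diffie-hellman-group1-sha1": "NOT RECOMMENDED",
    "diffie-hellman-group14-sha1": "OPTIONAL",
    "ecdh-sha2-nistp256": "REQUIRED",
    "ecdh-sha2-nistp384": "REQUIRED",
    "ecdh-sha2-nistp521": "REQUIRED",
    "ecdh-sha2-*": "OPTIONAL",
    "ecmqv-sha2": "OPTIONAL",
    "gss-gex-sha1-*": "NOT RECOMMENDED",
    "gss-group1-sha1-*": "NOT RECOMMENDED",
    "gss-group14-sha1-*": "NOT RECOMMENDED",
    "gss-*": "OPTIONAL",
    "rsa1024-sha1": "NOT RECOMMENDED",
    "rsa2048-sha256": "OPTIONAL",
    "diffie-hellman-group14-sha256": "OPTIONAL",
    "diffie-hellman-group15-sha256": "REQUIRED",
    "diffie-hellman-group16-sha512": "RECOMMENDED",
    "diffie-hellman-group17-sha512": "OPTIONAL",
    "diffie-hellman-group18-sha512": "OPTIONAL",
}

def status_of(name):
    """Longest matching pattern wins, so a gss-gex-sha1-<mech> name hits the
    NOT RECOMMENDED row rather than the generic gss-* row."""
    hits = [p for p in KEX_STATUS if fnmatchcase(name, p)]
    if not hits:
        return "UNREGISTERED"  # not in the table at all
    return KEX_STATUS[max(hits, key=len)]

def audit_kex_list(name_list):
    """name_list: comma-separated KEXINIT name-list as sent on the wire.
    Returns (NOT RECOMMENDED methods offered, REQUIRED methods missing)."""
    offered = [n.strip() for n in name_list.split(",") if n.strip()]
    flagged = [n for n in offered if status_of(n) == "NOT RECOMMENDED"]
    required = {p for p, s in KEX_STATUS.items() if s == "REQUIRED"}
    return flagged, sorted(required - set(offered))

# Constructed sample: a server still offering legacy groups; the gss-* mech
# suffix is a placeholder, not a real mechanism OID hash.
SAMPLE = ("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
          "ecdh-sha2-nistp256,gss-gex-sha1-SAMPLEMECH==")
```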