Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2
"Mark D. Baushke" <mdb@juniper.net> Mon, 12 September 2016 18:42 UTC
To: Tero Kivinen <kivinen@iki.fi>
CC: Curdle <curdle@ietf.org>, IETF SSH <ietf-ssh@NetBSD.org>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 &
draft-ietf-curdle-ssh-kex-sha2
In-Reply-To: <22486.43242.802279.610275@fireball.acr.fi>
References: <41049.1473653352@eng-mail01.juniper.net>
<22486.43242.802279.610275@fireball.acr.fi>
Comments: In-reply-to: Tero Kivinen <kivinen@iki.fi>
message dated "Mon, 12 Sep 2016 16:08:58 +0300."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Mon, 12 Sep 2016 11:26:28 -0700
Message-ID: <54981.1473704788@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
[Regretfully an incomplete draft of this escaped prematurely, pardon the
repetition. -- Mark]

Tero Kivinen <kivinen@iki.fi> writes:

> That looks mostly ok. Most of the sha1 -> SHOULD NOT, with exception
> to the diffie-hellman-group14-sha1 and gss-group-14-sha1-*, which are
> still kept as SHOULD for backwards compatible reasons.

Yes.

> The MUSTs are good, but there seems to be quite a lot of SHOULD
> versions. Is there really need for that many SHOULD algorithms? For
> example is there reason to keep ecdh-sha2-* as SHOULD when
> curve25519-sha256 will be MUST?

I will move ecdh-sha2-* to MAY.

The RFC5656 Section 4 said that every SSH ECC implementation MUST
implement ECDH key exchange. So, I was moving all of those MUST to
SHOULD requirements. It is not clear to me if the curve25519 and
curve448 KEX method would fall into the RFC 5656 MUST requirements or
not.

> Also, is there need to update other algorithms, i.e. encryption
> algorithms, MAC algorithms, Public key names, compression algorithms
> etc? Are the implementation requirements for them up to date (I do not
> know, as I have no idea which of them are now mandatory to implement,
> and which are not).

Good question. I am not sure if they are all being managed by the Curdle
Group or not.... I am not sure that they all belong in one document or
not. It seems like it might be better for each section to have its own
document specifying the MUST/SHOULD/MAY/SHOULD NOT advice...

The current IANA SSH Parameters are provided in:

  http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml

1) Encryption algorithms

We have a new algorithm in Curdle:

  https://datatracker.ietf.org/doc/draft-ietf-curdle-cms-chacha20-poly1305/

but I do not see any drafts for SSH to use it yet. I would favor seeing
chacha20-poly1305@openssh.com become chacha20-poly1305 if someone wants
to write a draft for it.

I suspect that one or more of these encryption ciphers should be avoided
(des-cbc and the arcfour* algorithms). I am not sure of the state of all
of them.

The SSH Encryption Algorithm Name list has the following IANA table:

  Encryption Algorithm Name   Reference                Note
  3des-cbc                    [RFC4253] Section 6.3
  blowfish-cbc                [RFC4253] Section 6.3
  twofish256-cbc              [RFC4253] Section 6.3
  twofish-cbc                 [RFC4253] Section 6.3
  twofish192-cbc              [RFC4253] Section 6.3
  twofish128-cbc              [RFC4253] Section 6.3
  aes256-cbc                  [RFC4253] Section 6.3
  aes192-cbc                  [RFC4253] Section 6.3
  aes128-cbc                  [RFC4253] Section 6.3
  serpent256-cbc              [RFC4253] Section 6.3
  serpent192-cbc              [RFC4253] Section 6.3
  serpent128-cbc              [RFC4253] Section 6.3
  arcfour                     [RFC4253] Section 6.3
  idea-cbc                    [RFC4253] Section 6.3
  cast128-cbc                 [RFC4253] Section 6.3
  none                        [RFC4253] Section 6.3
  des-cbc                     [FIPS-46-3]              HISTORIC, See page 4
  arcfour128                  [RFC4345]
  arcfour256                  [RFC4345]
  aes128-ctr                  [RFC4344]
  aes192-ctr                  [RFC4344]
  aes256-ctr                  [RFC4344]
  3des-ctr                    [RFC4344]
  blowfish-ctr                [RFC4344]
  twofish128-ctr              [RFC4344]
  twofish192-ctr              [RFC4344]
  twofish256-ctr              [RFC4344]
  serpent128-ctr              [RFC4344]
  serpent192-ctr              [RFC4344]
  serpent256-ctr              [RFC4344]
  idea-ctr                    [RFC4344]
  cast128-ctr                 [RFC4344]
  AEAD_AES_128_GCM            [RFC5647] Section 6.1
  AEAD_AES_256_GCM            [RFC5647] Section 6.2

2) MAC Algorithm Names has the following IANA table:

  MAC Algorithm Name          Reference                Note
  hmac-sha1                   [RFC4253] Section 6.4
  hmac-sha1-96                [RFC4253] Section 6.4
  hmac-md5                    [RFC4253] Section 6.4
  hmac-md5-96                 [RFC4253] Section 6.4
  none                        [RFC4253] Section 6.4
  AEAD_AES_128_GCM            [RFC5647] Section 6.1
  AEAD_AES_256_GCM            [RFC5647] Section 6.2
  hmac-sha2-256               [RFC6668] Section 2
  hmac-sha2-512               [RFC6668] Section 2

Of the above, I believe that hmac-sha1-96, hmac-md5-96, and hmac-md5 are
considered insecure by some parties.

As RFC 5647 was informational rather than standards track and does not
play well with SSH negotiation of Cipher+MAC, I am not sure how to count
it.

Unless someone wants to play with SHA-3 (FIPS PUB 202), or revise RFC
5647, I do not see any real changes needed.

3) Public Key Algorithm Names

Changes in flight are:

  https://datatracker.ietf.org/doc/draft-ietf-curdle-rsa-sha2/

  Public Key Algorithm Name   Reference                Note
  ssh-dss                     [RFC4253] Section 6.6
  ssh-rsa                     [RFC4253] Section 6.6
  spki-sign-rsa               [RFC4253] Section 6.6
  spki-sign-dss               [RFC4253] Section 6.6
  pgp-sign-rsa                [RFC4253] Section 6.6
  pgp-sign-dss                [RFC4253] Section 6.6
  null                        [RFC4462] Section 5
  ecdsa-sha2-*                [RFC5656]
  x509v3-ssh-dss              [RFC6187]
  x509v3-ssh-rsa              [RFC6187]
  x509v3-rsa2048-sha256       [RFC6187]
  x509v3-ecdsa-sha2-*         [RFC6187]

The ssh-dss and ssh-rsa algorithms use SHA-1, and ssh-dss for values
less than 2048-bits seems unlikely to be very secure today.

4) Compression Algorithms

I don't see a need to update these...

  Compression Algorithm Name  Reference                Note
  none                        [RFC4253] Section 6.2
  zlib                        [RFC4253] Section 6.2

There are other SSH Parameters; I am not sure if any others need to be
deprecated at this time.

	-- Mark
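The mail above amounts to a per-registry deprecation list. The following is an added example, not code from the post, from the Curdle drafts or from any SSH implementation: it parses an SSH name-list (the comma-separated form used in KEXINIT, RFC 4251 section 5) and classifies each offered algorithm using only the tiers stated in the mail (SHA-1 KEX methods SHOULD NOT except diffie-hellman-group14-sha1 and the gss-group14-sha1-* family at SHOULD, curve25519-sha256 MUST, ecdh-sha2-* moved to MAY, des-cbc and arcfour* to be avoided, hmac-md5, hmac-md5-96 and hmac-sha1-96 considered insecure, ssh-dss and ssh-rsa signing with SHA-1). Everything the mail does not speak to is reported as "unclassified" rather than guessed. The sample offer and the exact spelling `gss-group14-sha1-` are assumptions made for the example.

```python
"""Audit SSH algorithm name-lists against the advice in this thread.

Added example, not from the mailing-list post or any SSH implementation.
Tiers encode only what the mail states; anything else is "unclassified".
Name-list syntax check follows RFC 4251 section 5.
"""
import re
from typing import Callable, Dict, List

# RFC 4251 name-list: comma-separated, non-empty, printable US-ASCII names,
# no whitespace and no comma inside a name ('@' marks a local extension).
_NAME_RE = re.compile(r"^[\x21-\x2b\x2d-\x7e]+$")

# Tiers the mail assigns or implies; everything else stays "unclassified".
AVOID_CIPHERS = {"des-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
FLAGGED_TIERS = {"SHOULD NOT", "avoid", "insecure", "weak"}


def parse_name_list(text: str) -> List[str]:
    """Split a KEXINIT-style name-list into names, rejecting malformed ones."""
    if text == "":
        return []  # an empty name-list is legal (e.g. no language tags)
    names = text.split(",")
    for name in names:
        if not _NAME_RE.match(name):
            raise ValueError(f"malformed name in SSH name-list: {name!r}")
    return names


def is_well_formed(text: str) -> bool:
    try:
        parse_name_list(text)
        return True
    except ValueError:
        return False


def classify_kex(name: str) -> str:
    if name == "curve25519-sha256":
        return "MUST"
    if name == "diffie-hellman-group14-sha1":
        return "SHOULD"  # kept for backwards compatibility
    # Assumption: the family Tero writes as gss-group-14-sha1-* is registered
    # (RFC 4462) as gss-group14-sha1-<base64 of the mechanism OID hash>.
    if name.startswith("gss-group14-sha1-"):
        return "SHOULD"
    if name.startswith("ecdh-sha2-"):
        return "MAY"
    if name.endswith("-sha1") or "-sha1-" in name:
        return "SHOULD NOT"  # remaining SHA-1 KEX methods
    return "unclassified"


def classify_cipher(name: str) -> str:
    return "avoid" if name in AVOID_CIPHERS else "unclassified"


def classify_mac(name: str) -> str:
    return "insecure" if name in WEAK_MACS else "unclassified"


def classify_hostkey(name: str) -> str:
    if name == "ssh-dss":
        return "weak"  # SHA-1 signature and a small key
    if name == "ssh-rsa":
        return "sha1-signature"  # replacements are in draft-ietf-curdle-rsa-sha2
    return "unclassified"


CLASSIFIERS: Dict[str, Callable[[str], str]] = {
    "kex": classify_kex,
    "cipher": classify_cipher,
    "mac": classify_mac,
    "hostkey": classify_hostkey,
}


def audit(kind: str, name_list: str) -> Dict[str, str]:
    """Map each offered name to its tier, keeping the peer's preference order."""
    classify = CLASSIFIERS[kind]
    return {name: classify(name) for name in parse_name_list(name_list)}


def flagged(kind: str, name_list: str) -> List[str]:
    """Names in the offer that the mail says to drop or stop preferring."""
    return [n for n, tier in audit(kind, name_list).items() if tier in FLAGGED_TIERS]


# Constructed sample offer shaped like a KEXINIT from a legacy-tolerant server.
SAMPLE_OFFER = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,"
           "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
    "cipher": "aes256-ctr,AEAD_AES_256_GCM,arcfour256,3des-cbc,des-cbc",
    "mac": "hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5",
    "hostkey": "ecdsa-sha2-nistp256,ssh-rsa,ssh-dss",
}

if __name__ == "__main__":
    for kind, offer in SAMPLE_OFFER.items():
        print(f"{kind}:")
        for name, tier in audit(kind, offer).items():
            print(f"  {name:40} {tier}")
        print(f"  flagged: {flagged(kind, offer)}")
```

The name-lists come from whatever captured the peer's KEXINIT (a packet capture, a client's debug output, or a local `ssh -Q` listing pasted into the script); the classifier deliberately refuses to rate names the mail does not mention, so a CBC cipher or hmac-sha1 shows up as "unclassified", not as safe.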