Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Damien Miller <djm@mindrot.org> Wed, 17 February 2016 06:46 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C07A1ACCE3 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 16 Feb 2016 22:46:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.006] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAiPKgWEGhkD for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 16 Feb 2016 22:46:41 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 278391A8A46 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Tue, 16 Feb 2016 22:46:41 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 5DB8C86129; Wed, 17 Feb 2016 06:46:39 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 0C26B8611B; Wed, 17 Feb 2016 06:46:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 1CC2D85E70 for <ietf-ssh@netbsd.org>; Mon, 15 Feb 2016 09:13:48 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id x-qdB9Rs6TWd for <ietf-ssh@netbsd.org>; Mon, 15 Feb 2016 09:13:47 +0000 (UTC)
Received: from newmailhub.uq.edu.au (mailhub1.soe.uq.edu.au [130.102.132.208]) by mail.netbsd.org (Postfix) with ESMTP id 2BAE284C6C for <ietf-ssh@netbsd.org>; Mon, 15 Feb 2016 09:13:46 +0000 (UTC)
Received: from smtp2.soe.uq.edu.au (smtp2.soe.uq.edu.au [10.138.113.41]) by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id u1F8Xgl8004335; Mon, 15 Feb 2016 18:33:42 +1000
Received: from mailhub.eait.uq.edu.au (holly.eait.uq.edu.au [130.102.79.58]) by smtp2.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id u1F8Xgrq003274 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Feb 2016 18:33:42 +1000
Received: from natsu.mindrot.org (natsu.mindrot.org [130.102.96.2]) by mailhub.eait.uq.edu.au (8.15.1/8.15.1) with ESMTP id u1F8XeB4006068; Mon, 15 Feb 2016 18:33:41 +1000 (AEST)
Received: by natsu.mindrot.org (Postfix, from userid 1000) id A3A4AA4F34; Mon, 15 Feb 2016 19:33:40 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1]) by natsu.mindrot.org (Postfix) with ESMTP id 9EF42A4F33; Mon, 15 Feb 2016 19:33:40 +1100 (AEDT)
Date: Mon, 15 Feb 2016 19:33:40 +1100
From: Damien Miller <djm@mindrot.org>
To: denis bider <ietf-ssh3@denisbider.com>
cc: "Mark D. Baushke" <mdb@juniper.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Niels Möller <nisse@lysator.liu.se>, Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
In-Reply-To: <219217362-2196@skroderider.denisbider.com>
Message-ID: <alpine.BSO.2.20.1602151914390.4613@natsu.mindrot.org>
References: <219217362-2196@skroderider.denisbider.com>
User-Agent: Alpine 2.20 (BSO 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="0-721202717-1455525220=:4613"
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Scanned-By: MIMEDefang 2.75 on 130.102.79.58
X-UQ-FilterTime: 1455525223
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
On Sat, 13 Feb 2016, denis bider wrote: > Comments: > > - If we're being comprehensive, we should include a position with regard to > Curve25519 and Curve448: > > https://tools.ietf.org/html/draft-josefsson-ssh-curves-03 > > I suggest we take the following positions: > > curve25519-sha256 SHOULD > curve448-sha256 SHOULD, or MAY? > > That being said: > > - Given the recent NSA recommendations, it seems to me it would be prudent > to update the Curve25519/Curve448 draft, and to replace the SHA-256 > algorithm with SHA-512 for Curve448. This would create the method > "curve448-sha512" instead of "curve448-sha256". > > Simon, what do you think? Could your draft be updated to do that? > > It seems to me that this would meet the NSA's long-term guidelines, whereas > curve448-sha256 doesn't. I agree that curve448-sha512 is preferable to curve448-sha256, but not for this reason. The NSA's guidance is IMO confused, betting that quantum computers hit some goldilocks zone of "big/fast enough to break DLP for ~256 bit EC groups" but "too small/slow for 384 bit groups" because they've been caught flatfooted by QC developments and don't have real QC-resistant replacements ready yet (not that anyone would trust them if they came from the NSA anwyay). IMO a better justification is: curve448 is a backup against as-yet-unknown attacks on curve25519. Since we're not likely to need it, we might as well pair it with SHA512 as a backup against as-yet-unknown attacks on SHA256. Implementors who support ssh-ed25519 will need to carry SHA512 code around anyway, so the incremental code cost is trivial. The speed cost of a SHA512 hash instead of a SHA256 hash is minuscule. > - If we're going to have text saying SHA-1 is begrudgingly acceptable for > backwards compatibility, we can't simultaneously say that it is "NOT SECURE" > in all caps. Conversely - if we do say it is "NOT SECURE", we can't have a > graceful transition away from SHA-1. We must in that case pursue an > aggressive transition, including condemnation of existing products that use > it. I agree: saying SHA1 is "NOT SECURE" here is overdoing it a little. The justification for abandoning SHA-1 on signatures is that these have a relatively long lifetime during which they can be attacked - O(year). Key exchange hashes have a much smaller temporal window for attack - only as long as an implementation is willing to accept a client that doesn't reply before NEWKEYS - O(minutes). > - Niels has suggested that it's onerous to have so many "MUST" curves. We've > already reduced the number of MUST curves from three (in RFC 5656) to two > (in this draft). I'm not sure that either nistp384 or nistp521 are suitable > candidates for demotion. However, if we make changes here, it seems we > should keep nistp384 as MUST, and demote nistp521 to SHOULD. This is due to > that nistp384 meets current longest-term guidelines; whereas nistp521 seems > to be overkill, and slower. AFAIK nistp521 is quite a bit faster than nistp384 in practice (OpenSSL) because it's been optimised. ~nobody uses nistp384, so it hasn't. $ openssl speed ecdh [...] Doing 256 bit ecdh's for 10s: 45769 256-bit ECDH ops in 9.98s Doing 384 bit ecdh's for 10s: 10505 384-bit ECDH ops in 9.98s Doing 521 bit ecdh's for 10s: 13095 521-bit ECDH ops in 9.98 -d
- draft-baushke-ssh-dh-group-sha2-01 (was Re: DH gr… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Stephen Farrell
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… IWAMOTO Kouichi
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Peter Gutmann
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Mark D. Baushke
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Niels Möller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Damien Miller
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… denis bider
- Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: D… Simon Josefsson