RE: DH group exchange (Re: SSH key algorithm updates)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 08 November 2015 09:42 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: denis bider <ietf-ssh3@denisbider.com>, "Mark D. Baushke" <mdb@juniper.net>
CC: Jeffrey Hutzelman <jhutz@cmu.edu>, Niels Möller <nisse@lysator.liu.se>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: RE: DH group exchange (Re: SSH key algorithm updates)
Thread-Topic: DH group exchange (Re: SSH key algorithm updates)
Thread-Index: AQHRGgOcq51zpHEwR0KblpfSUHdPHJ6R3h7L
Date: Sun, 08 Nov 2015 09:42:29 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4B5993D@uxcn10-5.UoA.auckland.ac.nz>, <2096379125-720@skroderider.denisbider.com>
In-Reply-To: <2096379125-720@skroderider.denisbider.com>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

denis bider <ietf-ssh3@denisbider.com> writes:

>If this new draft could specify group generation such that:
>
>- Windows built-in crypto (CNG) running under FIPS mode
>
>- and possibly, but not as critically, the Crypto++ 5.3.0 FIPS-certified module
>
>could reliably use parameters sent by servers that implement the new spec -
>that would be quite awesome.

I don't know if you need to specify the exact generation method, only the
verification checks to perform, which are given in FIPS 186.  The intent is to
create verifiable DH parameters, so the important thing is the verification
mechanism, not the generation one (both safe primes and Lim-Lee primes, for
example, will produce verifiable values).  It would certainly make sense, if
you're using { p, q, g } primes, to require that they be verified as per the
FIPS 186 checks, since that's the point of using them.

The annoying thing about this change is that it's going to take me about 20x
as long to do the spec describing it as it will to make the code changes,
sigh.

One other thing that'd be good to have, based on the Logjam paper, is to
specify some means of distinguishing g from q, since Logjam mentions that
there are implementations that confuse the two.  Does anyone have problems
with requiring that g = <small integer>?  This both makes the DH op much more
efficient, and makes it easy to quickly distinguish g from q without requiring
complex bignum ops.

Peter.
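The two points made in the message above, verifying a received { p, q, g } set with FIPS 186-style checks regardless of how it was generated, and requiring g to be a small integer so that g and q cannot be confused, as an added example in Python. This is not code from the thread, the draft, or any SSH implementation. The bound MAX_G, the bit-length floor MIN_P_BITS, the toy safe-prime search used to make a small test group, and the names of all functions are assumptions made here for illustration; the RFC 2409 1024-bit MODP group is used only as real-world input to the checks.

```python
"""FIPS 186-style verification of DH group parameters {p, q, g}.

Added example; not from the thread or from any SSH implementation.
MAX_G and MIN_P_BITS are assumed policy values, not values from the draft.
"""
import random

SYSRNG = random.SystemRandom()
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
MAX_G = 2 ** 16      # assumed policy: a legitimate g is a small integer
MIN_P_BITS = 1024    # assumed floor for illustration; Logjam argues for 2048

# RFC 2409 "Second Oakley Group" (SSH diffie-hellman-group1-sha1): a 1024-bit
# safe prime with g = 2.  Embedded as real-world input for the checks below.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)


def is_probable_prime(n, rounds=32, rng=SYSRNG):
    """Miller-Rabin probable-prime test; a composite passes with prob <= 4**-rounds."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def verify_dh_params(p, q, g, *, max_g=MAX_G, min_p_bits=MIN_P_BITS):
    """Check a received (p, q, g) triple; returns (ok, reason).

    Cheap size checks run first so a peer cannot make us run Miller-Rabin on
    garbage, and the "g is small, q is large" test catches the g/q mix-up
    mentioned in the Logjam paper before any bignum arithmetic happens.
    """
    if p.bit_length() < min_p_bits:
        return False, "p too small (%d bits)" % p.bit_length()
    if not 1 < g <= max_g:
        return False, "g is not a small integer > 1 (g and q swapped?)"
    if q <= max_g or q >= p:
        return False, "q is not in the expected range (g and q swapped?)"
    if (p - 1) % q != 0:
        return False, "q does not divide p - 1"
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not is_probable_prime(q):
        return False, "q is not prime"
    if pow(g, q, p) != 1:          # g must lie in (and so generate) the order-q subgroup
        return False, "g does not generate the order-q subgroup"
    return True, "ok"


def q_for_safe_prime(p):
    """For a safe prime p = 2q + 1 (the group-exchange case) recover q from p alone."""
    return (p - 1) // 2


def smallest_generator(p, q):
    """Smallest h > 1 with h^q = 1 mod p, i.e. the smallest usable small g."""
    for h in range(2, 1000):
        if pow(h, q, p) == 1:
            return h
    raise ValueError("no small generator found")


def generate_safe_prime(bits, rng):
    """Toy safe-prime search (not a FIPS generation procedure), for small test groups."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, 8, rng) and is_probable_prime(2 * q + 1, 8, rng):
            return 2 * q + 1


def demo_small_group(bits=64, seed=1):
    """Deterministic small (p, q, g) for demonstration only; never use such sizes for real."""
    rng = random.Random(seed)
    p = generate_safe_prime(bits, rng)
    q = q_for_safe_prime(p)
    return p, q, smallest_generator(p, q)


if __name__ == "__main__":
    q2 = q_for_safe_prime(RFC2409_GROUP2_P)
    print("RFC 2409 group 2, correct order:", verify_dh_params(RFC2409_GROUP2_P, q2, 2))
    print("RFC 2409 group 2, g and q swapped:", verify_dh_params(RFC2409_GROUP2_P, 2, q2))
```

The verifier does not care whether p came from a safe-prime search or a Lim-Lee construction: both produce a q dividing p - 1 and a g of order q, which is all the checks look at. Note that q is only available for the FIPS-style check when the peer sends it or when p is a safe prime and q can be derived; the SSH group-exchange messages themselves carry only p and g.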