IETF-SSH archive


Problems with draft



I find a few minor problems with the drafts.  As far as I know I'm
using the latest drafts (transport-17, dh-group-exchange-04,
architecture-15).

I've been digging into ssh, trying to actually understand it rather
than just using it.  To this end, I've been experimenting against a
machine I set up for the purpose, writing bits of code and seeing how
they work (or don't).  One of the things this has involved is trying to
code based on nothing but the drafts; I've used existing code only to
figure out where the problem lies when my code turns out to not
interoperate.

In transport-17, section 6.2 writes of a "shared secret K", treating it
as an opaque blob which is passed as part of a HASH argument.  But
section 7 writes of K as a large integer.  It's not entirely clear how
the one is converted into the other; looking at existing code, I find
that the kex code treats it as a large integer (which will need fixing
if-and-when key exchange methods appear that produce a K that's not
conceptually a large integer, though that's an implementation matter
rather than a spec matter), but when serializing it for hashing it uses
the same code it uses for "mpint" serialization.  I would like to see
the draft clearly state exactly how the large integer K of section 7 is
converted into the opaque blob K of section 6.2.  The description of
H's computation seems to imply that this should be done as the code
does it, but it's not clearly stated.

Also, section 7 writes

   The hash H is computed as the HASH hash of the concatenation of the
   following:
[...]
     string    I_C, the payload of the client's SSH_MSG_KEXINIT
     string    I_S, the payload of the server's SSH_MSG_KEXINIT
[...]

It is not clear whether these are compressed or uncompressed; while
this doesn't matter for the first key exchange, it matters for
re-exchange, and I'd like to see the draft state it clearly.

transport-17 section 5.6 says

   The "ssh-rsa" key format has the following specific encoding:
[...]
   Signing and verifying using this key format is done according to
   [SCHNEIER] and [PKCS1] using the SHA-1 hash.

I have been unable to find any description of a signature algorithm for
RSA in Schneier, and I have found no reference anywhere to explain what
[PKCS1] is supposed to refer to - I assume this is as described in
RFC2437?

In dh-group-exchange-04, there's a typo: SSH_MSG_KEY_DH_GEX_REQUEST is
used once where SSH_MSG_KEX_DH_GEX_REQUEST is (from the rest of the
draft) clearly intended.  (I wouldn't even have noticed this except
that I cut-and-pasted fragments of the draft into my code.)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
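As an added illustration (not code from the post, the drafts, or any SSH implementation) of the two points raised above: how a large-integer K is turned into an opaque blob when existing code reuses its "mpint" serialization, and how that blob then feeds the exchange hash H alongside the string-encoded I_C and I_S. The sample inputs are constructed stand-ins, and I_C/I_S are assumed to be the uncompressed KEXINIT payloads, which is the point the post asks the draft to settle.

```python
import hashlib

def encode_mpint(n: int) -> bytes:
    """SSH 'mpint': uint32 length, then minimal two's-complement big-endian bytes.
    A positive value whose top bit is set gets a leading 0x00; zero is the empty string."""
    if n == 0:
        body = b""
    elif n > 0:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:
            body = b"\x00" + body
    else:
        body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
        # drop redundant leading 0xff bytes as long as the sign bit stays set
        while len(body) > 1 and body[0] == 0xFF and body[1] & 0x80:
            body = body[1:]
    return len(body).to_bytes(4, "big") + body

def encode_string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the raw bytes."""
    return len(data).to_bytes(4, "big") + data

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k, hash_name="sha1"):
    """H = HASH(string V_C || string V_S || string I_C || string I_S ||
               string K_S || mpint e || mpint f || mpint K).
    K is the DH shared secret as an integer; it becomes a blob via encode_mpint.
    i_c / i_s are the raw KEXINIT payload bytes (assumed uncompressed)."""
    data = (encode_string(v_c) + encode_string(v_s)
            + encode_string(i_c) + encode_string(i_s) + encode_string(k_s)
            + encode_mpint(e) + encode_mpint(f) + encode_mpint(k))
    return hashlib.new(hash_name, data).digest()

# Constructed sample inputs (not a real session): tiny stand-ins for the
# version strings, KEXINIT payloads, host key blob and DH values.
SAMPLE = dict(
    v_c=b"SSH-2.0-client", v_s=b"SSH-2.0-server",
    i_c=b"\x14" + b"\x00" * 16, i_s=b"\x14" + b"\x01" * 16,
    k_s=encode_string(b"ssh-rsa") + encode_mpint(3) + encode_mpint(0xC5),
    e=0x9A378F9B2E332A7, f=0x80, k=0xDEADBEEF,
)

if __name__ == "__main__":
    print(encode_mpint(0x80).hex())       # 000000020080
    print(exchange_hash(**SAMPLE).hex())
```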
