IETF-SSH archive
Re: Certificate authentication
Peter Gutmann wrote:
"Glen Matthews" <glen%montreal.hcl.com@localhost> writes:
[SNIP]
> moreover, implementations supporting x509 (e.g. ssh.com) currently send
> string "DER-encoded cert"
In [SSH-USERAUTH] section 3.3 the definition is "public key blob". The X.509 equivalent is exactly "DER-encoded cert".
When a packet contains X.509 certificates and we would like to compute a signature, we MUST use ASN.1 DER encoding.
> without even sending the key type.
Certificates and public keys are encoded as follows:
string certificate or public key format identifier
byte[n] key/certificate data
Maybe the definition in [SSH-TRANS] is confusing. Where is the public key blob?
Is "public key blob" == string(format identifier)+byte[n](key data)
or maybe "public key blob" == byte[n](key data)?
Of course we know that "public key blob" [SSH-USERAUTH] == "key format" [SSH-TRANS]
So, I'm confused by the draft and the implementations.
In the case of X.509 certificates, "key format" should be ASN.1 DER encoded only,
i.e. without a format identifier, since an X.509 cert contains all necessary information.
[SNIP]
About signatures: this is the true/real question.
In the case of x509v3-sign-rsa we can use an MD5 or SHA-1 hash.
In my implementation we can select the preferred RSA hash. Client and server accept authentication packets with both hashes.
Since SHA-1 is preferred in [PKIXPROF], maybe it is good for the [SSH-TRANS] document to contain the lines:
After 31 December 2004 all SSH implementations MUST use SHA-1 hash to compute x509v3-sign-rsa resulting signature.
Until that date, conforming SSH may assume MD5 and SHA-1 hash based resulting signatures as different.
What sort of signature should be used in the case of x509v3-sign-dss: the same as described in [SSH-TRANS] for "ssh-dss", or
the ASN.1 encoding for dsa-sig(r,s) as defined in [PKIXALGS] and as used in some SecSH implementations?
References:
[SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D
draft-ietf-transport-17.txt, Oct 2003.
[SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D
draft-ietf-userauth-18.txt, Oct 2003.
[PKIXPROF] Housley, R., Polk, T, Ford, W. and Solo, D., "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002.
[PKIXALGS] Bassham, L., Polk, W. and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
Lists (CRL) Profile", RFC 3279, April 2002.
Roumen
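
The two encoding questions raised in this message, shown byte by byte as an added example (not code from the thread or from any SSH implementation): the key blob framed with a format identifier versus the bare DER data, and a DSS signature as "ssh-dss" style r||s versus a DER SEQUENCE of two INTEGERs. Function names and all sample values are constructed for illustration.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def blob_with_identifier(fmt: bytes, key_data: bytes) -> bytes:
    """Reading 1: string(format identifier) + byte[n](key data)."""
    return ssh_string(fmt) + key_data

def dss_sig_ssh(r: int, s: int) -> bytes:
    """ssh-dss style: r then s, 160 bits each, unsigned big-endian."""
    return r.to_bytes(20, "big") + s.to_bytes(20, "big")

def _der_int(n: int) -> bytes:
    # bit_length()//8 + 1 bytes always leaves the sign bit clear (minimal DER).
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body

def dss_sig_der(r: int, s: int) -> bytes:
    """[PKIXALGS] style: DER SEQUENCE { INTEGER r, INTEGER s }."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def parse_dss_sig(blob: bytes):
    """Receiver tolerating both encodings (short-form DER lengths only,
    which is enough for 160-bit r and s); returns (encoding, r, s)."""
    if len(blob) == 40:
        return "ssh-dss", int.from_bytes(blob[:20], "big"), int.from_bytes(blob[20:], "big")
    if len(blob) < 8 or blob[0] != 0x30 or blob[1] != len(blob) - 2:
        raise ValueError("not a recognised DSS signature encoding")
    ints, pos = [], 2
    while pos + 2 <= len(blob) and blob[pos] == 0x02:
        end = pos + 2 + blob[pos + 1]
        ints.append(int.from_bytes(blob[pos + 2:end], "big"))
        pos = end
    if len(ints) != 2 or pos != len(blob):
        raise ValueError("malformed DER Dss-Sig-Value")
    return "asn1-der", ints[0], ints[1]

# Constructed sample values (not real key material or a real certificate).
R, S = (1 << 159) + 5, (1 << 150) + 7
FAKE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    print(blob_with_identifier(b"x509v3-sign-rsa", FAKE_DER).hex())  # reading 1
    print(FAKE_DER.hex())                                            # reading 2
    for sig in (dss_sig_ssh(R, S), dss_sig_der(R, S)):
        print(len(sig), parse_dss_sig(sig)[0])
```

A peer that signs or verifies over one framing while the other side assumes the other will fail authentication even with a valid key, which is why the draft needs to pin down a single encoding.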