IETF-SSH archive


SSH crypto updates / Re: Call for Adoption



Hello,

> I'd prefer to prioritize the already deployed Curve25519 and
> Ed25519 work over crypto recommendations which other
> groups can develop.

The current practical issue is, for SSH, there aren't such other working groups.

Currently, SSH needs a significant amount of maintenance just to keep up with the cryptography landscape alone. Part of this maintenance belongs under the Curdle WG, but other parts currently have no home (unless Curdle adopts them).

Parts currently falling under Curdle:

  Ed25519 for SSH:
  https://datatracker.ietf.org/doc/draft-bjh21-ssh-ed25519

  Curve25519 for SSH:
  https://tools.ietf.org/html/draft-josefsson-ssh-curves-00

Crypto updates to SSH that currently have no home unless Curdle adopts them:

  Stronger DH groups for SSH:
  https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2

  RSA signatures with SHA-2 for SSH:
  https://datatracker.ietf.org/doc/draft-rsa-dsa-sha2-256

This is an extension to SSH that's not directly crypto related, but comes hand in hand with the new RSA signature algorithms - it's infrastructure that allows for their efficient discovery without incurring authentication penalties:

  Extension negotiation for SSH:
  https://datatracker.ietf.org/doc/draft-ssh-ext-info

In addition to the above, I very much agree that aes-gcm@openssh.com needs standardization.

I would welcome either all of the above being adopted by the Curdle group; or else, a new WG being created specifically to perform maintenance on SSH.

Among other things, the erstwhile SSH working group never finalized the SFTP spec due to lack of consensus. We now have two SFTP specs, version 3 implemented by OpenSSH, and version 6 implemented by most everyone else.

It seems to me there's plenty of work that could be done by a new SSH working group, if it were founded. If Curdle doesn't want to adopt some of the above things, then these things would properly belong in a new SSH working group.

However, there isn't one, currently.

denis


----- Original Message -----
From: Watson Ladd
Sent: Wednesday, January 13, 2016 10:40
To: Daniel Migault
Cc: mdb%juniper.net@localhost ; Curdle Chairs ; Curdle ; ietf-ssh%NetBSD.org@localhost
Subject: Re: [Curdle] Call for Adoption

On Wed, Jan 13, 2016 at 8:31 AM, Daniel Migault
<daniel.migault%ericsson.com@localhost> wrote:
>  Hi,
>
>  Thanks for the suggestion. I think it falls into the scope of the WG.
>
>  The question I would have is whether it would make sense to extend the
>  document to the crypto suites other than DH - i.e. encryption mac.
>  This would result in a document providing cryptographic
>  recommendations for SSH and have this document regularly updated as
>  crypto evolves. Any opinion ?

I'd prefer to prioritize the already deployed Curve25519 and Ed25519
work over crypto recommendations which other groups can develop. We
also should consider aes-gcm@openssh.com to be added as this addresses
a corner case in the spec which makes AEAD complex.

>
>  BR,
>  Daniel
>
> -----Original Message-----
> From: mdb%juniper.net@localhost [mailto:mdb%juniper.net@localhost]
> Sent: Wednesday, January 13, 2016 10:40 AM
> To: Curdle Chairs
> Cc: Curdle; ietf-ssh%NetBSD.org@localhost
> Subject: Re: [Curdle] Call for Adoption
>
> Hi,
>
> Over on the ietf-ssh%NetBSD.org@localhost list, Stephen Farrell suggested that I see if I could add
>
>   https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
>
> under the curdle charter.
>
> The draft deprecates a Secure Shell (SSH) key exchange algorithm (Diffie-Hellman group1 - a 768-bit MODP group) and recommends replacement with stronger Diffie-Hellman MODP groups (groups 14, 15, 16).
>
> The draft does have two interoperable implementations that have implemented it.
>
> Does it fit well enough into the curdle charter to be added here?
>
>         Thank you,
>         -- Mark
>
>  ------- forwarded message -------
> From: Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost>
> Date: Wed, 13 Jan 2016 10:34:05 +0000
> Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
>
> Hiya,
>
> On 13/01/16 09:21, Mark D. Baushke wrote:
>> Hi,
>>
>> URL: https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
>>
>> I believe that OpenSSH and Dropbear SSH have both implemented
>> interoperable versions using the current 01 version at this point in time.
>>
>> I would be interested in hearing if any other implementations have
>> adopted these new DH groups.
>>
>> Are there any additional comments or changes needed for the draft
>> before we can move to the next step in the process?
>>
>> Hmmm... What is next? Getting 'AD is watching' or is it getting a
>> document shepherd?
>
> There's no active SSH WG, but there is the curdle WG. Its charter [1] however is limited in terms of what it's allowed to add to protocols. OTOH, this is not defining any new groups, just updating codepoints, including deprecating one (to NOT RECOMMENDED). So the draft could fit there on that basis I guess. So I'd say send a mail to the curdle list and suggest this be adopted there.
>
> If that doesn't work I can look at AD sponsoring it, but since one of the reasons to set up curdle was to avoid too many of these being AD sponsored, please try there first.
>
> Cheers,
> S.
>
> [1] https://tools.ietf.org/wg/curdle
>
>>
>>       Thank you,
>>       -- Mark
>



--
"Man is born free, but everywhere he is in chains".
--Rousseau.


