IETF-SSH archive
Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Hello Mark,
Appreciated, and agreed.
Given these recommendations, we should consider what to do about hmac-sha2-384.
In RFC 6668, we mentioned it, but did not actually define it.
It seems that there is now a need to define hmac-sha2-384 formally. It has the advantage of 16 fewer bytes being used for MAC.
On the other hand, I'm not sure that there's a need for rsa-sha2-384. I don't see advantages compared to rsa-sha2-512, which the current draft defines.
I wonder what the implications are for AES-GCM. As generally used, the tag size is not more than 128 bits. Is this deemed sufficiently quantum resistant?
denis
----- Original Message -----
From: Mark D. Baushke
Sent: Wednesday, January 27, 2016 11:19
To: ietf-ssh%NetBSD.org@localhost ; Niels Möller ; Damien Miller ; Peter Gutmann ; denis bider ; Jeffrey Hutzelman ; Stephen Farrell ; Jon Bright ; Simon Tatham
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Hi Folks,
> URL: https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
I just noticed that the Information Assurance Directorate at the NSA has
a new article on 'CNSA Suite and Quantum Computing FAQ' ... their URL is
https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
Reading the document, they are mandating that NSS no longer use
Diffie-Hellman with 2048-bit keys; instead they are suggesting
IETF RFC 3526 (Groups 15-18).
They are also no longer interested in using SHA-256 wanting SHA-384.
For folks interested in compliance with the CNSA Suite, does it make
sense for the baushke-ssh-dh-group-sha2 ID to be updated to specify
either SHA-384 (or possibly SHA-512)?
That is, change from this:
Key Exchange Method Name        Note
diffie-hellman-group1-sha1      NOT RECOMMENDED
diffie-hellman-group14-sha256   RECOMMENDED
diffie-hellman-group15-sha256   RECOMMENDED
diffie-hellman-group16-sha256   OPTIONAL
to this:
Key Exchange Method Name        Note
diffie-hellman-group1-sha1      NOT RECOMMENDED
diffie-hellman-group14-sha256   RECOMMENDED
diffie-hellman-group15-sha384   RECOMMENDED
diffie-hellman-group16-sha384   OPTIONAL
diffie-hellman-group17-sha512   OPTIONAL
diffie-hellman-group18-sha512   OPTIONAL
I am suggesting sha512 for group17 and group18 as a minor bit of
future-proofing and/or performance trade-off for sha512 hardware
acceleration that may exist.
Comments please?
-- Mark
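As an added illustration of where the hash named in a KEX method name actually matters (this is example code added here, not part of the thread or of the drafts it cites): the "-shaNNN" suffix selects the HASH used in the RFC 4253 section 7.2 key derivation, so a group16-sha512 exchange yields 64-byte blocks of key material per hash call where group16-sha256 yields 32. The shared secret K, exchange hash H and session id below are constructed placeholders, not values from a real exchange.

```python
"""SSH key derivation (RFC 4253 section 7.2) keyed on the hash named by the
KEX method suffix.  Added example; K, H and session_id are constructed."""
import hashlib

# Hash implied by the suffix of a method name such as "diffie-hellman-group16-sha512".
KEX_HASHES = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# RFC 4253 7.2 letters: A/B = IVs, C/D = encryption keys, E/F = integrity keys
# (client-to-server first, then server-to-client).
KEY_LETTERS = {"iv_c2s": b"A", "iv_s2c": b"B", "enc_c2s": b"C",
               "enc_s2c": b"D", "mac_c2s": b"E", "mac_s2c": b"F"}


def kex_hash(method_name):
    """Return the hashlib constructor named by the method's -shaNNN suffix."""
    suffix = method_name.rsplit("-", 1)[-1]
    try:
        return KEX_HASHES[suffix]
    except KeyError:
        raise ValueError("no known hash suffix in %r" % method_name)


def mpint(n):
    """SSH mpint wire encoding (RFC 4251): uint32 length, then big-endian
    two's complement with a leading zero byte when the top bit is set."""
    if n < 0:
        raise ValueError("DH shared secret must be non-negative")
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def derive_key(method_name, K, H, letter, session_id, length):
    """K1 = HASH(K || H || X || session_id), K2 = HASH(K || H || K1),
    K3 = HASH(K || H || K1 || K2) ...; concatenate and truncate to length."""
    h = kex_hash(method_name)
    prefix = mpint(K) + H
    out = h(prefix + letter + session_id).digest()
    while len(out) < length:
        out += h(prefix + out).digest()
    return out[:length]


def hash_calls_needed(method_name, length):
    """How many HASH invocations the derivation above needs for `length` bytes."""
    digest_size = kex_hash(method_name)().digest_size
    return max(1, -(-length // digest_size))


def demo():
    """Derive a 32-byte client-to-server encryption key with two method names
    from the thread, using constructed (not real) K, H and session_id."""
    K = int.from_bytes(b"constructed shared secret, not a real DH output", "big")
    H = hashlib.sha256(b"constructed exchange hash input").digest()
    session_id = H  # on the first exchange the session id is H
    return {
        name: derive_key(name, K, H, KEY_LETTERS["enc_c2s"], session_id, 32).hex()
        for name in ("diffie-hellman-group16-sha256", "diffie-hellman-group16-sha512")
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(name, key)
```

Usage note: the derivation chains on the accumulated output, so a longer requested length only appends blocks and never changes the earlier bytes; that prefix property, together with the digest size of the chosen hash, is what the assertions below check. The block also rejects a method name with an unrecognised suffix rather than silently falling back to SHA-1.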