IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



Hey Mark -

I can't say whether the draft "should" list all the key exchange method names. This might impose procedural complications on the draft's acceptance that I'm not aware of. However, if we are in a position to update the full table of key exchange methods, it would seem a useful service to do so.

If we are in this position, it seems to me that the below table does mostly capture the desired state. Comments:

- If "diffie-hellman-group14-sha1" is OPTIONAL, then it seems inconsistent that "gss-group14-sha1-*" is NOT RECOMMENDED. Both use group14 with SHA-1. I would specify gss-group14-sha1-* as OPTIONAL, given that there's currently no replacement.

- Given recent NSA/NIST guidelines, "ecdh-sha2-nistp256" should be demoted from REQUIRED to either OPTIONAL, or RECOMMENDED.

- Given these same guidelines, I'd prefer to use SHA-512 with group15.

With regard to rsa1024-sha1 and rsa2048-sha256 key exchange methods (RFC 4432) - according to this comparison, these are implemented by at least PuTTY and vSSH:

http://ssh-comparison.quendi.de/comparison.html

With regard to gss-* methods from RFC 4432 - our software implements this, both client side and server side. According to the above comparison, Paramiko and SecureCRT also have this.

The current version of our SSH Server enables gss-gex-sha1-* and gss-group14-sha1-* by default. The SSH Client does not, but they can be enabled accessibly on the Login tab (by checking "SSPI/Kerberos 5 key exchange").

As far as actual usage - we had a recent report involving gss-gex-sha1-* with our client and another server, so it does seem to be useful occasionally.

I am in favor of including groups 15 and 17; especially group 15.

For group14-sha256, I think REQUIRED and RECOMMENDED may be poor choices because of its low-ish cryptographic strength, based on current understanding. I think OPTIONAL is a good choice here.

I agree with group15 being either RECOMMENDED or REQUIRED - preferably with SHA-512 - so that we might have a strong, widely implemented key exchange method that fits the latest NSA/NIST recommendations, and is not EC-based (just in case).

denis


----- Original Message -----
From: Mark D. Baushke
Sent: Friday, February 12, 2016 01:49
To: denis bider
Cc: Peter Gutmann ; ietf-ssh%NetBSD.org@localhost
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Hi denis,

Two questions:

  a) Should the draft list all of the Key Exchange Method Names
     in the https://www.ietf.org/assignments/ssh-parameters/ssh-parameters.xml
     table?

     If so, does the following capture the desired state?
 
Key Exchange Method Name              Reference     Note
diffie-hellman-group-exchange-sha1    RFC4419       NOT RECOMMENDED
diffie-hellman-group-exchange-sha256  RFC4419       OPTIONAL
diffie-hellman-group1-sha1            RFC4253       NOT RECOMMENDED
diffie-hellman-group14-sha1           RFC4253       OPTIONAL
ecdh-sha2-nistp256                    RFC5656       REQUIRED
ecdh-sha2-nistp384                    RFC5656       REQUIRED
ecdh-sha2-nistp521                    RFC5656       REQUIRED
ecdh-sha2-*                           RFC5656       OPTIONAL
ecmqv-sha2                            RFC5656       OPTIONAL
gss-gex-sha1-*                        RFC4462       NOT RECOMMENDED
gss-group1-sha1-*                     RFC4462       NOT RECOMMENDED
gss-group14-sha1-*                    RFC4462       NOT RECOMMENDED
gss-*                                 RFC4462       OPTIONAL
rsa1024-sha1                          RFC4432       NOT RECOMMENDED
rsa2048-sha256                        RFC4432       OPTIONAL
diffie-hellman-group14-sha256         This Draft    OPTIONAL
diffie-hellman-group15-sha256         This Draft    REQUIRED
diffie-hellman-group16-sha512         This Draft    RECOMMENDED
diffie-hellman-group17-sha512         This Draft    OPTIONAL
diffie-hellman-group18-sha512         This Draft    OPTIONAL

Note: I do not know of any rsa2048-sha256 implementations from RFC4432.
I suspect at least someone is using it or it would not be in RFC4432;
who is using it? A similar question for gss-* and RFC4462 comes to mind
as well.

  b) Is it desirable to specify all of group 14, 15, 16, 17, and 18 as
     to the hashing algorithm to be used NOW? Or, is it better to drop
     15 and 17 for now? If so, is it desirable for group14-sha256 to be
     REQUIRED, RECOMMENDED, or OPTIONAL?

diffie-hellman-group14-sha256         This Draft    RECOMMENDED
diffie-hellman-group16-sha512         This Draft    RECOMMENDED
diffie-hellman-group18-sha512         This Draft    OPTIONAL

Thank you for your consideration.

-- Mark
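An added example, not part of this thread: a small Python audit that takes the kex_algorithms name-list a server advertises in KEXINIT and classifies each name against the table quoted in question a) above, so an operator can see which advertised methods that proposal marks NOT RECOMMENDED. The wildcard rows are matched most-specific-first (gss-group14-sha1-* before gss-*); the sample list and the gss mechanism suffix are constructed placeholders.

```python
import fnmatch
# Status per method name, transcribed from the table in question a) above.
KEX_STATUS = {
    "diffie-hellman-group-exchange-sha1": "NOT RECOMMENDED",
    "diffie-hellman-group-exchange-sha256": "OPTIONAL",
    "diffie-hellman-group1-sha1": "NOT RECOMMENDED",
    "diffie-hellman-group14-sha1": "OPTIONAL",
    "ecdh-sha2-nistp256": "REQUIRED",
    "ecdh-sha2-nistp384": "REQUIRED",
    "ecdh-sha2-nistp521": "REQUIRED",
    "ecdh-sha2-*": "OPTIONAL",
    "ecmqv-sha2": "OPTIONAL",
    "gss-gex-sha1-*": "NOT RECOMMENDED",
    "gss-group1-sha1-*": "NOT RECOMMENDED",
    "gss-group14-sha1-*": "NOT RECOMMENDED",
    "gss-*": "OPTIONAL",
    "rsa1024-sha1": "NOT RECOMMENDED",
    "rsa2048-sha256": "OPTIONAL",
    "diffie-hellman-group14-sha256": "OPTIONAL",
    "diffie-hellman-group15-sha256": "REQUIRED",
    "diffie-hellman-group16-sha512": "RECOMMENDED",
    "diffie-hellman-group17-sha512": "OPTIONAL",
    "diffie-hellman-group18-sha512": "OPTIONAL",
}

def classify(name):
    """Exact entry wins; otherwise the longest matching wildcard row;
    otherwise UNREGISTERED (private name@domain methods, typos)."""
    if name in KEX_STATUS:
        return KEX_STATUS[name]
    hits = [p for p in KEX_STATUS if "*" in p and fnmatch.fnmatchcase(name, p)]
    return KEX_STATUS[max(hits, key=len)] if hits else "UNREGISTERED"

def audit_kexinit(name_list):
    """Classify a KEXINIT name-list: comma separated, no spaces, no empty names."""
    names = name_list.split(",") if name_list else []
    if any(n == "" or " " in n for n in names):
        raise ValueError("malformed name-list: %r" % name_list)
    return {n: classify(n) for n in names}

def not_recommended(name_list):
    """Advertised names the quoted table marks NOT RECOMMENDED, sorted."""
    return sorted(n for n, s in audit_kexinit(name_list).items()
                  if s == "NOT RECOMMENDED")

# Constructed sample list; the gss suffix is a placeholder, not a real mechanism id.
SAMPLE = ("example-kex@example.com,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,"
          "diffie-hellman-group-exchange-sha1,gss-group14-sha1-PLACEHOLDER")
```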


