IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> You have both made good points. I have adopted the updated text from
> denis and tried to provide a meaning for the Note column. I have also
> added a pointer to Simon's ssh-curves draft and included both of the
> currently published curve names in the table in this draft.

Thanks.

> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/

I'm looking at the -04 version where curve25519 is upgraded to MUST. I
think it looks quite good.

If at all possible, I think it would be desirable to

1. Limit the number of REQUIRED/MUST key exchange algorithms to one (1).
   I think curve25519 (if people agree it's mature enough) or group16
   are reasonable choices. I.e., demote ecdh-sha2-nistp384 to SHOULD or
   MAY.

2. Make it possible for a conforming implementation to support only one
   of sha256 and sha512. If we make anything using sha512 REQUIRED, I
   think we should avoid making sha256 REQUIRED too. And vice versa.

   I don't think I follow the argument in favor of sha512, but using
   sha512 for all REQUIRED methods is nevertheless better than a mix.

   According to the table, group 16 has an estimated security strength
   of 240 bits. As argued before, I don't think the birthday paradox is
   relevant in the way the hash function is used. Hence, if sha256 is
   used together with group16, sha256 seems good enough for the
   foreseeable future, and in addition, unlikely to be the weakest link.

Finally, about the motivation in Sec 1, "[MFQ-U-OO-815099-15] suggesting
that the use of ECDH using the nistp256 curve and SHA-2 based hashes
less than SHA2-384 are no longer sufficient for transport of Top Secret
information."

On one hand, I don't think government requirements are that relevant for
selecting the REQUIRED algorithm(s). It is justified to have at least one
SHOULD algorithm approved for US government use. But any organization
handling "Top Secret information" is free to configure its ssh software
any way it pleases, including disabling use of some REQUIRED algorithms.

And "if you don't implement this algorithm, you may not interoperate
with certain US government computer systems" is the kind of warning that
I think is perfectly appropriate if an implementation decides to omit
support for some algorithm with status SHOULD.

But on the other hand, if you interpret the NSA statement as saying "we
know a *lot* more about breaking sha256 than you do", then that could be
a very good reason to avoid sha256. I can't say how credible that
interpretation is.

> Please let me know of additional comments.

In short, no strong objections, but I'd prefer if the selection of
REQUIRED algorithm(s) were even more restrictive.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
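
The argument above about the hash being the weakest link only if the birthday bound applies is easier to follow with the protocol in front of you. The following is an added worked example, not code from the draft, from Niels, or from any SSH implementation. It encodes the SSH exchange hash H and the key derivation as laid out in RFC 4253 sections 7.2 and 8, runs a Diffie-Hellman exchange between a constructed client and server, and then puts the email's "weakest link" comparison into numbers. Assumptions: the modulus is the 2048-bit group 14 prime from RFC 3526 rather than group16, purely to keep the constant short (the encoding and hashing logic is identical); the version strings, KEXINIT payloads and host key blob are constructed placeholders; the group strength fed to weakest_link() is whatever the draft's table says (the message quotes 240 bits for group16), not something this code derives.

```python
"""Added example: how the KEX hash is used in SSH, and the weakest-link
comparison from the e-mail above expressed as numbers.  Not from the draft
or any SSH implementation; group 14 stands in for group16 (assumption)."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2.  Transcribed from the RFC;
# used here instead of the 4096-bit group16 only to keep the constant short.
P14 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G14 = 2


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative value: minimal big-endian bytes,
    with a leading zero byte if the high bit is set, wrapped as a string."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def dh_keypair(p: int = P14, g: int = G14):
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(peer_pub: int, priv: int, p: int = P14) -> int:
    # Reject 0, 1 and p-1: they force the shared secret into a tiny subgroup.
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S, e, f, K) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 s.8.
    H is a transcript hash over values both parties contributed; neither
    side gets to pick the whole preimage, which is why the e-mail argues
    collision resistance (the birthday bound) is not what is needed here."""
    h = hashlib.new(hash_name)
    for s in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(s))
    for n in (e, f, K):
        h.update(ssh_mpint(n))
    return h.digest()


def derive_key(hash_name, K, H, letter, session_id, length) -> bytes:
    """RFC 4253 s.7.2: K1 = HASH(K || H || X || session_id),
    K2 = HASH(K || H || K1), K3 = HASH(K || H || K1 || K2), ..."""
    k_mpint = ssh_mpint(K)
    out = hashlib.new(hash_name, k_mpint + H + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.new(hash_name, k_mpint + H + out).digest()
    return out[:length]


def demo(hash_name: str = "sha256"):
    """Full exchange with constructed placeholder messages; returns whether
    both sides agree on H and on the client-to-server encryption key, and
    the size of H in bytes."""
    V_C, V_S = b"SSH-2.0-client_example", b"SSH-2.0-server_example"
    I_C, I_S = b"<client KEXINIT payload>", b"<server KEXINIT payload>"
    K_S = b"<server host key blob>"
    x, e = dh_keypair()
    y, f = dh_keypair()
    K_c, K_s = dh_shared(f, x), dh_shared(e, y)
    H_c = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S, e, f, K_c)
    H_s = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S, e, f, K_s)
    key_c = derive_key(hash_name, K_c, H_c, b"C", H_c, 32)  # session_id = H
    key_s = derive_key(hash_name, K_s, H_s, b"C", H_s, 32)
    return H_c == H_s and key_c == key_s, len(H_c)


def weakest_link(group_bits: int, hash_bits: int, collision_matters: bool):
    """Compare a group's estimated strength (taken from the draft's table,
    e.g. 240 for group16) with the hash: preimage strength is the full
    output size, collision strength is half of it (birthday bound)."""
    hash_strength = hash_bits // 2 if collision_matters else hash_bits
    return min(group_bits, hash_strength), (
        "hash" if hash_strength < group_bits else "group")


if __name__ == "__main__":
    print(demo("sha256"), demo("sha512"))
    print(weakest_link(240, 256, False), weakest_link(240, 256, True))
```

With the preimage view, sha256 next to a 240-bit group leaves the group as the weakest link (240 bits); only if the birthday bound were the relevant measure would sha256 drop to 128 bits and become the weak point, which is the distinction the message draws.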
