IETF-SSH archive


Re: [Curdle] Group 15 needed in draft-baushke-ssh-dh-group-sha2



My goal with

  https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2-03

is to deprecate the use of diffie-hellman groups that use sha1
and promote new key exchange algorithms.

The latest draft has

Key Exchange Method Name              Reference     Note
diffie-hellman-group-exchange-sha1    RFC4419       SHOULD NOT
diffie-hellman-group-exchange-sha256  RFC4419       MAY
diffie-hellman-group1-sha1            RFC4253       SHOULD NOT
diffie-hellman-group14-sha1           RFC4253       SHOULD
diffie-hellman-group14-sha256         This Draft    MAY
diffie-hellman-group16-sha512         This Draft    SHOULD
diffie-hellman-group18-sha512         This Draft    MAY

It seems reasonable to me to provide a replacement option of a DH MODP
group that is well known (already published in another RFC) with a
SHA2-256 or SHA2-512 associated hash.

(In my view, it is nice to have an upgraded alternative in the Finite
Field Cryptography (FFC) key exchanges for the values being deprecated.
So, it is desirable to come up with a group or groups that are
acceptable alternatives.)

MODP groups have been provided in a number of RFCs. In this case, I have
tried to choose a MODP group that would drop into the existing kex that
SSH uses with only a minor table change for the g,q,p and hash
algorithm. I did not try to play games with a MODP Group with 160-bit,
224-bit or 256-bit Prime Order Subgroups like Group22, Group23, or
Group24 specified in RFC 5114 because most implementations are probably
just calculating q rather than having it in a pre-calculated table.

For simplicity, I suggested the groups listed in RFC 3526 which also
provides a rough table of security strength estimates.

I originally thought that diffie-hellman-group14-sha256 might be
reasonable to provide a 2048-bit MODP Group which is already widely
deployed along with a hash algorithm (SHA2-256) that should be used to
replace SHA1.

However, there are those who seem to think that 128 bits or more of
security would be better (more than is provided by Group14) and many
folks are already trying to get rid of 3DES which has similar security
bits to the Group14 2048-bit MODP group.

So, either the Group15 3072-bit MODP Group (~128 bits of security) or
the Group16 4096-bit MODP group (slightly more than 128 bits of
security) using either SHA2-256 or SHA2-512.

I suggest that ONE of these MODP groups should be provided as a 'SHOULD'
implementation as it is hoped that it is a very simple modification to
adjust to using a new MODP kex with a new hash in any SSH
implementation.

I am happy with either SHA2-256 or SHA2-512 as the hash, or even letting
the user choose which is desired by making diffie-hellman-<group>-<hash>
let the Group/hash tuple be provided in the negotiation, where <hash> is
one of SHA256 or SHA512 in the SHA2 family.

I personally believe the following DH MODP list is too large:

  diffie-hellman-group14-sha256
  diffie-hellman-group14-sha512
  diffie-hellman-group15-sha256
  diffie-hellman-group15-sha512
  diffie-hellman-group16-sha256
  diffie-hellman-group16-sha512
  diffie-hellman-group17-sha256
  diffie-hellman-group17-sha512
  diffie-hellman-group18-sha256
  diffie-hellman-group18-sha512

I suspect just listing one of them as a SHOULD for now and possibly a
larger one as a MAY for use in the future is sufficient.

What is the correct DH MODP Group to promote to a SHOULD for
interoperability and what should be deprecated?

For myself, I am looking forward to curve25519-sha256 as a MUST
implementation and letting the NSA/Suite B folks live with whatever
ecdh-sha2-nistp{256,384,521} they feel they want to use.

Please advise if there is any consensus as to what changes to the
https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2-03 are
needed to move the draft forward to a standard.

	Thank you,
	-- Mark


