IETF-SSH archive
Re: Algorithms: who's at fault here?
Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:
> I recently tried to ssh to a recently-installed Linux machine at work.
> Algorithm negotiation failed.
I have had similar experience.
> ssh: my algorithms:
> ...
> hk: ssh-rsa ssh-dss
> ...
> ssh: peer's algorithms (%=unrecognized, *=disabled):
> ...
> hk: %rsa-sha2-512 %rsa-sha2-256 %ecdsa-sha2-nistp256 %ssh-ed25519
[...]
> It sure looks to me like either OpenSSH or Ubuntu (whichever one
> decided to do this) gratuitously breaking interop by desupporting a
> REQUIRED algorithm.
In this context the meaning of "REQUIRED" is a bit fuzzy, since it's not
clear of *whom* it is required. It's pretty clear it is required of a
standards-compliant implementation, but not necessarily of any deployed
configuration (and then an implementation's default configuration is
kind of a borderline case).
Sam Hartman <hartmans-ietf%mit.edu@localhost> writes:
>>>>>> "Mouse" == Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:
> Mouse> Am I missing something? It sure looks to me like either
> Mouse> OpenSSH or Ubuntu (whichever one decided to do this)
> Mouse> gratuitously breaking interop by desupporting a REQUIRED
> Mouse> algorithm.
>
> I don't know about gratuitously; I'd argue that the key length of
> ssh-dss is such that it ought to be disabled.
> And if the IETF didn't get around to doing that, people will make
> security policy decisions on their own.
I agree it does make sense from security view point to disable anything
based on DSA (with maximum key size of 1024/160 bits) or SHA1. But it
would help interop if we could agree on a single new conservative
baseline algorithm. To me, it would make sense to promote "rsa-sha2-256"
to REQUIRED (I think current status is RECOMMENDED, by RFC 8332).
I'm not following cfrg work on post-quantum algorithms for signatures
and key exchange, but whatever they decide to recommend would also be a
strong candidate for (one) additional required algorithm, for a total of
two required algorithms.
Regards,
/Niels
--
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
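As an added illustration of the failure quoted in this thread (example code, not from the thread, OpenSSH or Ubuntu): a minimal model of the RFC 4253 section 7.1 name-list negotiation rule, applied to the two host-key lists Mouse quoted, showing why nothing is chosen and how a client list that also carries rsa-sha2-256 (the algorithm Niels proposes as REQUIRED) would negotiate. It models only the "first client preference the server also lists" rule, not the kex-dependent constraints on host-key algorithms, and it assumes the client's list is exactly the set of names the client recognizes.

```python
from typing import List, Optional

# Constructed sample: the two host-key name-lists quoted in the thread
# (RFC 4251 name-list syntax: comma-separated, no spaces).
CLIENT_HOSTKEY_ALGS = "ssh-rsa,ssh-dss"
SERVER_HOSTKEY_ALGS = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519"


def parse_name_list(name_list: str) -> List[str]:
    """Split an RFC 4251 name-list into names, rejecting empty or spaced entries."""
    if not name_list:
        return []
    names = name_list.split(",")
    for n in names:
        if not n or " " in n:
            raise ValueError(f"malformed name-list entry: {n!r}")
    return names


def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 7.1: the chosen algorithm is the first name on the client's
    list that also appears on the server's list. None means negotiation
    failed and the connection must be dropped."""
    server_names = set(parse_name_list(server))
    for alg in parse_name_list(client):
        if alg in server_names:
            return alg
    return None


def unrecognized_by_client(client: str, server: str) -> List[str]:
    """Server names the client does not carry: the '%' entries in the quoted
    debug output (assumption: the client list equals what it recognizes)."""
    known = set(parse_name_list(client))
    return [a for a in parse_name_list(server) if a not in known]


if __name__ == "__main__":
    print("chosen:", negotiate(CLIENT_HOSTKEY_ALGS, SERVER_HOSTKEY_ALGS))
    print("unrecognized:", unrecognized_by_client(CLIENT_HOSTKEY_ALGS, SERVER_HOSTKEY_ALGS))
    # Same client with the RFC 8332 algorithm added at the front of its list.
    print("with rsa-sha2-256:",
          negotiate("rsa-sha2-256," + CLIENT_HOSTKEY_ALGS, SERVER_HOSTKEY_ALGS))
```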