IETF Logo Mail Archive

Re: [Cfrg] Using ED25519 in SSHFP Resource Records - draft-moonesamy-sshfp-ed25519-01

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 03 April 2014 15:45 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA99C1A0215 for <cfrg@ietfa.amsl.com>; Thu, 3 Apr 2014 08:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.56
X-Spam-Level:
X-Spam-Status: No, score=-0.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_24_48=1.34] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gHRPrqRQrHMB for <cfrg@ietfa.amsl.com>; Thu, 3 Apr 2014 08:45:55 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 78B601A01FA for <cfrg@irtf.org>; Thu, 3 Apr 2014 08:45:55 -0700 (PDT)
Received: from [10.255.96.244] (unknown [24.139.127.47]) by che.mayfirst.org (Postfix) with ESMTPSA id C4804F985; Thu, 3 Apr 2014 11:45:48 -0400 (EDT)
Message-ID: <533C1190.2070901@fifthhorseman.net>
Date: Wed, 02 Apr 2014 09:33:04 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Alyssa Rowan <akr@akr.io>, cfrg@irtf.org
References: <533AFA44.3070208@akr.io> <533AFF0F.6070705@akr.io>
In-Reply-To: <533AFF0F.6070705@akr.io>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="N4U92SRXJQ9ktqo1G659bh8fQlaqAhmgB"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/HvGvqd8VOh-qGpGHxVFOebhfRa4
Subject: Re: [Cfrg] Using ED25519 in SSHFP Resource Records - draft-moonesamy-sshfp-ed25519-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 15:46:00 -0000

On 04/01/2014 02:01 PM, Alyssa Rowan wrote:
> There's no real need to get a 256-bit fingerprint from a 256-bit
> public blob: you could just as well include the public key verbatim.
> But given an SHA-256 hash has about the same strength as Ed25519, and
> it's a fingerprint so matches existing practice with other SSHFP
> records, it does no harm.

SHA-256 is probably fine, but is it optimal?  would it be better to just
represent the full 256-bit key directly?  As a user, i'd be happy to be
able to know the full key without the digest, particularly if there is
no additional cost in network traffic.

What is the goal of using a digest for SSHFP records?  one rationale
could be for traffic reduction.

another could be avoiding direct public key exposure (on the grounds
that an attacker who doesn't know your key can't start a cracking
process) but given that ssh servers' public keys are hardly secret, i'm
not convinced this is a meaningful rationale.

Are there other reasons for using a digest algorithm here?  it seems to
introduce an additional possible point of cryptographic failure in the
key verification scheme (e.g. when used with DNSSEC, an attack can be
made against the digest mechanism used to sign the DNS records *or*
against the digest mechanism used in the SSHFP record itself).

I'm not up on the history or the spec of SSHFP, but if it doesn't
already exist, perhaps SSHFP needs a new hash type NONE for keys that
would fit in a DNS UDP response packet?

While the network-engineering aspect of this suggestion is probably
out-of-scope of the CFRG, i think questions about the cryptographic
merit or risk of an SSHFP "hash type NONE" record are probably in-scope.

	--dkg

v2.23.0 | Report a Bug | By Email