Network Working Group                                          d. bider
Internet-Draft                                          Bitvise Limited
Updates: 4253 (if approved)                                  M. Baushke
Intended status: Standards Track                 Juniper Networks, Inc.
Expires: November 4, 2012                                   May 3, 2012


 SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport
                             Layer Protocol
                    draft-dbider-sha2-mac-for-ssh-06

Abstract

   This memo defines algorithm names and parameters for use of some of
   the SHA-2 family of secure hash algorithms for data integrity
   verification in the Secure Shell (SSH) protocol.  It also updates
   RFC4253 by specifying a new RECOMMENDED data integrity algorithm.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 4, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

1.  Overview and Rationale

   Secure Shell (SSH) [RFC4251] is a very common protocol for secure
   remote login on the Internet.  Currently, SSH defines data integrity
   verification using the SHA-1 and MD5 algorithms [RFC4253].  Due to
   recent security concerns with these two algorithms [RFC6151]
   [RFC6194], implementors and users request support for data integrity
   verification using some of the SHA-2 family of secure hash
   algorithms.

   Please send comments on this draft to ietf-ssh@NetBSD.org.

1.1.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Data Integrity Algorithms

   This memo adopts the style and conventions of [RFC4253] in specifying
   how the use of new data integrity algorithms is indicated in SSH.

   The following new data integrity algorithms are defined:

     hmac-sha2-256    RECOMMENDED   HMAC-SHA2-256
                                    (digest length = 32 bytes,
                                     key length = 32 bytes)

     hmac-sha2-512    OPTIONAL      HMAC-SHA2-512
                                    (digest length = 64 bytes,
                                     key length = 64 bytes)

                                 Figure 1

   The HMAC mechanism was originally defined in [RFC2104] and has been
   updated in [RFC6151].

   The SHA-2 family of secure hash algorithms is defined in
   [FIPS-180-3].

   Sample code for the SHA-based HMAC algorithms is available in
   [RFC6234].  The HMAC-SHA2-224 and HMAC-SHA2-384 variants were
   considered but not added to this list: they have the same
   computational requirements as HMAC-SHA2-256 and HMAC-SHA2-512
   respectively, and they do not seem to be much used in practice.

   Test vectors for use of HMAC with SHA-2 are provided in [RFC4231].
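   The following is an added worked example, not code from this draft
   or from either author's implementation.  It applies the Figure 1
   parameters to the transport-layer MAC construction of RFC 4253
   (mac = MAC(key, sequence_number || unencrypted_packet), with the
   sequence number as an implicit 32-bit big-endian counter), checks the
   underlying HMAC against RFC 4231 test case 1, and includes the
   client-preference negotiation rule of RFC 4253 Section 7.1.  The
   function names, the zero-filled padding (real implementations use
   random padding), and the sample key and payload are all constructed
   for illustration and are not part of the draft.

```python
import hashlib
import hmac
import struct

# Figure 1 of the draft: name -> (hash, digest length, key length).
# hmac-sha1 (REQUIRED in RFC 4253) is listed only so negotiate_mac()
# has something to compare the new names against.
SSH_MAC_ALGS = {
    "hmac-sha2-256": (hashlib.sha256, 32, 32),
    "hmac-sha2-512": (hashlib.sha512, 64, 64),
    "hmac-sha1": (hashlib.sha1, 20, 20),
}


def ssh_mac(alg, key, seq, packet):
    """mac = MAC(key, sequence_number || unencrypted_packet), RFC 4253 6.4.

    seq is the per-direction packet counter (never transmitted, wraps at
    2**32); packet is packet_length || padding_length || payload || padding
    exactly as it exists before encryption.
    """
    hash_fn, digest_len, key_len = SSH_MAC_ALGS[alg]
    if len(key) != key_len:
        raise ValueError("%s needs a %d-byte key, got %d" % (alg, key_len, len(key)))
    data = struct.pack(">I", seq & 0xFFFFFFFF) + packet
    tag = hmac.new(key, data, hash_fn).digest()
    assert len(tag) == digest_len  # digest length from Figure 1
    return tag


def ssh_mac_verify(alg, key, seq, packet, tag):
    """Receiver-side check; compare_digest avoids a timing leak on the tag bytes."""
    return hmac.compare_digest(ssh_mac(alg, key, seq, packet), tag)


def build_packet(payload, block_size=16):
    """Lay out packet_length || padding_length || payload || padding (RFC 4253 6).

    Padding is at least 4 bytes and brings the total to a multiple of
    block_size.  Zero padding is a constructed simplification so that the
    output is deterministic; RFC 4253 requires random padding bytes.
    """
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + bytes(padding_len)


def negotiate_mac(client_list, server_list):
    """RFC 4253 7.1: the first algorithm on the client's list that the server also supports."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def rfc4231_test_case_1_ok():
    """Sanity-check the HMAC primitive against RFC 4231 test case 1 (key = 20 x 0x0b, "Hi There")."""
    key = b"\x0b" * 20
    data = b"Hi There"
    sha256_ok = (hmac.new(key, data, hashlib.sha256).hexdigest()
                 == "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")
    sha512_ok = (hmac.new(key, data, hashlib.sha512).hexdigest()
                 == "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
                    "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854")
    return sha256_ok and sha512_ok


if __name__ == "__main__":
    # Constructed sample data: a fixed 32-byte integrity key and a short payload.
    alg = negotiate_mac(["hmac-sha2-256", "hmac-sha1"], ["hmac-sha1", "hmac-sha2-256"])
    key = bytes(range(32))
    packet = build_packet(b"sample payload")
    tag = ssh_mac(alg, key, 0, packet)
    print("negotiated:", alg)
    print("RFC 4231 test case 1 passes:", rfc4231_test_case_1_ok())
    print("tag:", tag.hex())
    print("verify ok:", ssh_mac_verify(alg, key, 0, packet, tag))
    print("replayed under wrong seq rejected:", not ssh_mac_verify(alg, key, 1, packet, tag))
```

   Two details matter operationally: the sequence number is part of the
   MAC input even though it is never sent, so a receiver whose counter
   has drifted (or an attacker replaying a packet) fails verification,
   and the key handed to the MAC must be exactly the Figure 1 key length,
   since RFC 4253 Section 7.2 derives integrity keys by taking the first
   key_length bytes of the key-derivation output.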
   Users, implementors, and administrators may choose to put these new
   MACs into the proposal ahead of the REQUIRED hmac-sha1 algorithm
   defined in [RFC4253] so that they are negotiated first.

3.  IANA Considerations

   This document augments the MAC Algorithm Names in [RFC4253] and
   [RFC4250].

   IANA is requested to update the SSH algorithm registry with the
   following entries:

     MAC Algorithm Name   Reference    Note
     hmac-sha2-256        This draft   Section 2
     hmac-sha2-512        This draft   Section 2

                                 Figure 2

4.  Security Considerations

   The security considerations of RFC 4253 [RFC4253] apply to this
   document.

   The National Institute of Standards and Technology (NIST)
   publications NIST Special Publication (SP) 800-107 [800-107] and
   NIST SP 800-131A [800-131A] suggest that HMAC-SHA1 and HMAC-SHA2-256
   have security strengths of 128 bits and 256 bits respectively, both
   of which are considered acceptable.

   Many users seem to be interested in the perceived safety of using the
   SHA2-based algorithms for hashing.

5.  References

5.1.  Normative References

   [FIPS-180-3]
              National Institute of Standards and Technology (NIST),
              United States of America, "Secure Hash Standard (SHS)",
              FIPS PUB 180-3, October 2008.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
              224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
              RFC 4231, December 2005.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

5.2.  Informative References

   [800-107]  National Institute of Standards and Technology (NIST),
              "Recommendation for Applications Using Approved Hash
              Algorithms", NIST Special Publication 800-107,
              February 2009.

   [800-131A]
              National Institute of Standards and Technology (NIST),
              "Transitions: Recommendation for the Transitioning of the
              Use of Cryptographic Algorithms and Key Lengths", DRAFT
              NIST Special Publication 800-131A, January 2011.

   [RFC4250]  Lehtinen, S. and C. Lonvick, "SSH Protocol Assigned
              Numbers", RFC 4250, January 2006.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations
              for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
              RFC 6151, March 2011.

   [RFC6194]  Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
              Considerations for the SHA-0 and SHA-1 Message-Digest
              Algorithms", RFC 6194, March 2011.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

Authors' Addresses

   denis bider
   Bitvise Limited
   Suites 41/42, Victoria House
   26 Main Street
   Gibraltar
   GI

   Phone: +1 869 762 1410
   Email: ietf-ssh2@denisbider.com
   URI:   http://www.bitvise.com/


   Mark D. Baushke
   Juniper Networks, Inc.
   1194 N Mathilda Av
   Sunnyvale, CA 94089-1206
   US

   Phone: +1 408 745 2952
   Email: mdb@juniper.net
   URI:   http://www.juniper.net/