GSS-API Key Exchange with SHA2

In new SSH key exchange algorithms based on Elliptic Curve Cryptography are introduced. We reuse much of section 4 to implement GSS-API-authenticated ECDH Key Exchanges. Additionally we utilize also the curves defined in to complement the 3 classic NIST defined curves required by .

This section reuses much of the scheme defined in Section 2.1 of and combines it with the scheme defined in Section 4 of ; in particular, all checks and verification steps prescribed in Section 4 of apply here as well. The symbols used in this description conform to the symbols used in Section 2.1 of . Additionally, the following symbols are defined: Q_C is the client ephemeral public key octet string Q_S is the server ephemeral public key octet string This section defers to as the source of information on GSS-API context establishment operations, Section 3 being the most relevant. All Security Considerations described in apply here too. The Client: 1. C generates an ephemeral key pair with public key Q_C. It does that by: For NIST curves: Selecting a value d_C uniformly at random from the interval [1, n-1] where n is the order of generator of the curve associated with the selected key exchange method. Performing point multiplication between the curve base point and selected integer d_C to get the public point q_C. Converts the point q_C to the Q_C octet string by concatenation of value 0x04 and big-endian representation of the x coordinate and then y coordinate. The coordinate coversion MUST preserve leading zero octets. Thus for nistp521 curve the encoded x coordinate will always have a length of 66 octets while the Q_C representation will be 133 octets long. This is the uncompressed representation specified in Section 4.3.6 of . For curve25519 and curve448: Selecting d_C as 32 uniformly distributed random octets for curve25519 and 56 octets for curve448. Preparing the generator g as the number 9 little-endian encoded in 32 octets for curve25519 and number 5 in 56 octets for curve448. This is the same as an octet of value 0x09 followed by 31 zero octets for curve255519 and as an octect of value 0x05 followed by 55 zero octets. Calculating Q_C as the result of the call to X25519 or X448 function, respectively for curve25519 and curve448 key exchange, with parameters d_C and g. 2. C calls GSS_Init_sec_context(), using the most recent reply token received from S during this exchange, if any. For this call, the client MUST set mutual_req_flag to "true" to request that mutual authentication be performed. It also MUST set integ_req_flag to "true" to request that per-message integrity protection be supported for this context. In addition, deleg_req_flag MAY be set to "true" to request access delegation, if requested by the user. Since the key exchange process authenticates only the host, the setting of anon_req_flag is immaterial to this process. If the client does not support the "gssapi-keyex" user authentication method described in Section 4 of , or does not intend to use that method in conjunction with the GSS-API context established during key exchange, then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY be set to true if the client wishes to hide its identity. Since the key exchange process will involve the exchange of only a single token once the context has been established, it is not necessary that the GSS-API context support detection of replayed or out-of-sequence tokens. Thus, replay_det_req_flag and sequence_req_flag need not be set for this process. These flags SHOULD be set to "false". If the resulting major_status code is GSS_S_COMPLETE and the mutual_state flag is not true, then mutual authentication has not been established, and the key exchange MUST fail. If the resulting major_status code is GSS_S_COMPLETE and the integ_avail flag is not true, then per-message integrity protection is not available, and the key exchange MUST fail. If the resulting major_status code is GSS_S_COMPLETE and both the mutual_state and integ_avail flags are true, the resulting output token is sent to S. If the resulting major_status code is GSS_S_CONTINUE_NEEDED, the output_token is sent to S, which will reply with a new token to be provided to GSS_Init_sec_context(). The client MUST also include Q_C with the first message it sends to the server during this process; if the server receives more than one Q_C or none at all, the key exchange MUST fail. It is an error if the call does not produce a token of non-zero length to be sent to the server. In this case, the key exchange MUST fail. 3. When a Q_C key is received, S verifies that the key is valid. If the key is not valid the key exchange MUST fail. The server first checks if the length of the Q_C matches the selected key exchange: 65 octets for nistp256, 97 octets for nistp384, 133 octets for nistp521, 32 octets for curve25519 or 56 octets for curve448. If the value does not have matching length the key exchange MUST fail. In case of key exchanges that use NIST curves, the server MUST check if the first octet of the Q_C is equal to 0x04. If the octet has different value the key exchange MUST fail. For NIST curves, the server converts the octet representation of the key to q_C point representation by interpreting the first half of remaining octets as the unsigned big-endian representation of the x coordinate of the point and the second half as the unsigned big-endian representation of the y coordinate. For NIST curves, the server verifies that the q_C is not a point at infinity, that both coordinates are in the interval [0, p - 1], where p is the prime associated with the curve of the selected key exchange and that the point lies on the curve (satisfies the curve equation). For curve25519, the server verifies that the the high-order bit of the last octet is not set - this prevents distinguishing attacks between implementations that use Montgomery ladder implementation of the curve and ones that use generic elliptic-curve libraries. If the bit is set, the key exchange SHOULD fail. For curve448 any bit can be set. For curve25519 and curve448, the point is not decoded but used as is. Q_C and q_C are considered equivalent. 4. S calls GSS_Accept_sec_context(), using the token received from C. If the resulting major_status code is GSS_S_COMPLETE and the mutual_state flag is not true, then mutual authentication has not been established, and the key exchange MUST fail. If the resulting major_status code is GSS_S_COMPLETE and the integ_avail flag is not true, then per-message integrity protection is not available, and the key exchange MUST fail. If the resulting major_status code is GSS_S_COMPLETE and both the mutual_state and integ_avail flags are true, then the security context has been established, and processing continues with step 5. If the resulting major_status code is GSS_S_CONTINUE_NEEDED, then the output token is sent to C, and processing continues with step 2. If the resulting major_status code is GSS_S_COMPLETE, but a non-zero-length reply token is returned, then that token is sent to the client. 5. S generates an ephemeral key pair with public key Q_S calculated the same way it is done in step 1 and peforms the following computations: K a shared secret obtained using ECDH key exchange: Both client and server perform the same calculation where d_U is the secret value, d_C for client and d_S for server and q_V is the received public value, q_S for client and q_C for server. For NIST curves, the peers perform point multiplication using d_U and q_V to get point P. For NIST curves, peers verify that P is not a point at infinity. If P is a point at infinity, the key exchange MUST fail. For NIST curves, the shared secret is the zero-padded big-endian representation of the x coordinate of P. For curve25519 and curve448, the peers apply the X25519 or X448 function, respectively for curve25519 and curve448, on the d_U and q_V. The result of the function is the shared secret. For curve25519 and curve448, if all the octets of the shared secret are zero octets, the key exchange MUST fail. H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). MIC is the GSS-API message integrity code for H computed by calling GSS_GetMIC(). S then sends Q_S and the message integrity code (MIC) to C. 6. This step is performed only if the server's final call to GSS_Accept_sec_context() produced a non-zero-length final reply token to be sent to the client and if no previous call by the client to GSS_Init_sec_context() has resulted in a major_status of GSS_S_COMPLETE. Under these conditions, the client makes an additional call to GSS_Init_sec_context() to process the final reply token. This call is made exactly as described above. However, if the resulting major_status is anything other than GSS_S_COMPLETE, or a non-zero-length token is returned, it is an error and the key exchange MUST fail. 7. C verifies that the key Q_S is valid the same way it is done in step 3. If the key is not valid the key exchange MUST fail. 8. C computes the shared secret K and H and verifies that it is valid the same way it is done in step 5. It then calls GSS_VerifyMIC() to check that the MIC sent by S verifies H's integrity. If the MIC is not successfully verified, the key exchange MUST fail. If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a major_status other than GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations expressed in Section 2.1 of are followed with regards to error reporting. This exchange is implemented with the following messages:

The client sends: byte SSH_MSG_KEXGSS_INIT string output_token (from GSS_Init_sec_context()) string Q_C, client's ephemeral public key octet string

The server may responds with: byte SSH_MSG_KEXGSS_HOSTKEY string server public host key and certificates (K_S) Since this key exchange method does not require the host key to be used for any encryption operations, this message is OPTIONAL. If the "null" host key algorithm described in Section 5 of is used, this message MUST NOT be sent. Each time the server's call to GSS_Accept_sec_context() returns a major_status code of GSS_S_CONTINUE_NEEDED

The server replies: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Accept_sec_context()) If the client receives this message after a call to GSS_Init_sec_context() has returned a major_status code of GSS_S_COMPLETE, a protocol error has occurred and the key exchange MUST fail. Each time the client receives the message described above, it makes another call to GSS_Init_sec_context().

The client sends: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Init_sec_context()) The server and client continue to trade these two messages as long as the server's calls to GSS_Accept_sec_context() result in major_status codes of GSS_S_CONTINUE_NEEDED. When a call results in a major_status code of GSS_S_COMPLETE, it sends one of two final messages. If the server's final call to GSS_Accept_sec_context() (resulting in a major_status code of GSS_S_COMPLETE) returns a non-zero-length token to be sent to the client, it sends the following:

byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean TRUE string output_token (from GSS_Accept_sec_context()) If the client receives this message after a call to GSS_Init_sec_context() has returned a major_status code of GSS_S_COMPLETE, a protocol error has occurred and the key exchange MUST fail. If the server's final call to GSS_Accept_sec_context() (resulting in a major_status code of GSS_S_COMPLETE) returns a zero-length token or no token at all, it sends the following:

byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean FALSE If the client receives this message when no call to GSS_Init_sec_context() has yet resulted in a major_status code of GSS_S_COMPLETE, a protocol error has occurred and the key exchange MUST fail. In case of errors the messages described in Section 2.1 of are used as well as the recommendation about the messages' order.

The hash H is computed as the HASH hash of the concatenation of the following: string V_C, the client's version string (CR, NL excluded) string V_S, server's version string (CR, NL excluded) string I_C, payload of the client's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT string K_S, server's public host key string Q_C, client's ephemeral public key octet string string Q_S, server's ephemeral public key octet string mpint K, shared secret This value is called the exchange hash, and it is used to authenticate the key exchange. The exchange hash SHOULD be kept secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the server or received by the client, then the empty string is used in place of K_S when computing the exchange hash. The GSS_GetMIC call MUST be applied over H, not the original data.

The following new key exchange methods are defined: Key Exchange Method Name Implementation Recommendations gss-nistp256-sha256-*SHOULD/RECOMMENDED gss-nistp384-sha384-*MAY/OPTIONAL gss-nistp521-sha512-*MAY/OPTIONAL gss-curve25519-sha256-*SHOULD/RECOMMENDED gss-curve448-sha512-*MAY/OPTIONAL Each key exchange method is implicitly registered by this document. The IESG is considered to be the owner of all these key exchange methods; this does NOT imply that the IESG is considered to be the owner of the underlying GSS-API mechanism.

Each of these methods specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchange as described in of this document with SHA-256 as HASH, and the curve and base point defined in section 2.4.2 of as secp256r1. The method name for each method is the concatenation of the string "gss-nistp256-sha256-" with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of .

Each of these methods specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchange as described in of this document with SHA-384 as HASH, and the curve and base point defined in section 2.5.1 of as secp384r1. The method name for each method is the concatenation of the string "gss-nistp384-sha384-" with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of .

Each of these methods specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchange as described in of this document with SHA-512 as HASH, and the curve and base point defined in section 2.6.1 of as secp521r1. The method name for each method is the concatenation of the string "gss-nistp521-sha512-" with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of .

Each of these methods specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchange as described in of this document with SHA-256 as HASH, and the X25519 function defined in section 5 of . The method name for each method is the concatenation of the string "gss-curve25519-sha256-" with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of .

Each of these methods specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchange as described in of this document with SHA-512 as HASH, and the X448 function defined in section 5 of . The method name for each method is the concatenation of the string "gss-curve448-sha512-" with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of .