| < draft-ietf-curdle-ssh-modp-dh-sha2-07.txt | draft-ietf-curdle-ssh-modp-dh-sha2-09.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force M. Baushke | Internet Engineering Task Force M. Baushke | |||
| Internet-Draft Juniper Networks, Inc. | Internet-Draft Juniper Networks, Inc. | |||
| Updates: 4250, 4253 (if approved) June 22, 2017 | Updates: 4250, 4253 (if approved) September 15, 2017 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: December 24, 2017 | Expires: March 19, 2018 | |||
| More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX) | More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX) | |||
| Groups for Secure Shell (SSH) | Groups for Secure Shell (SSH) | |||
| draft-ietf-curdle-ssh-modp-dh-sha2-07 | draft-ietf-curdle-ssh-modp-dh-sha2-09 | |||
| Abstract | Abstract | |||
| This document defines added Modular Exponential (MODP) Groups for the | This document defines added Modular Exponential (MODP) Groups for the | |||
| Secure Shell (SSH) protocol using SHA-2 hashes. This document | Secure Shell (SSH) protocol using SHA-2 hashes. This document | |||
| updates RFC 4250. This document updates RFC 4253. | updates RFC 4250. This document updates RFC 4253 including an errata | |||
| fix for checking the Peer's DH Public Key. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 24, 2017. | This Internet-Draft will expire on March 19, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| This document may contain material from IETF Documents or IETF | ||||
| Contributions published or made publicly available before November | ||||
| 10, 2008. The person(s) controlling the copyright in some of this | ||||
| material may not have granted the IETF Trust the right to allow | ||||
| modifications of such material outside the IETF Standards Process. | ||||
| Without obtaining an adequate license from the person(s) controlling | ||||
| the copyright in such materials, this document may not be modified | ||||
| outside the IETF Standards Process, and derivative works of it may | ||||
| not be created outside the IETF Standards Process, except to format | ||||
| it for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| 1. Overview and Rationale | 1. Overview and Rationale | |||
| Secure Shell (SSH) is a common protocol for secure communication on | Secure Shell (SSH) is a common protocol for secure communication on | |||
| the Internet. Due to recent security concerns with SHA-1 [RFC6194] | the Internet. Security protocols and primitives are an active area | |||
| and with MODP groups with less than 2048 bits [NIST-SP-800-131Ar1] | for research and help to suggest updates to SSH. | |||
| implementer and users request support for larger Diffie Hellman (DH) | ||||
| MODP group sizes with data integrity verification using the SHA-2 | Section 3 of the [RFC4253] contains a small errata for checking the | |||
| family of secure hash algorithms as well as MODP groups providing | Peer's DH Public key. Section 4 of this document provides the | |||
| more security. | correction. | |||
| Due to security concerns with SHA-1 [RFC6194] and with MODP groups | ||||
| with less than 2048 bits [NIST-SP-800-131Ar1] implementer and users | ||||
| request support for larger Diffie Hellman (DH) MODP group sizes with | ||||
| data integrity verification using the SHA-2 family of secure hash | ||||
| algorithms as well as MODP groups providing more security. The use | ||||
| of larger MODP groups and the move to the SHA-2 family of hashes are | ||||
| important features to strengthen the key exchange algorithms | ||||
| available to the SSH client and server. | ||||
| DH primes being adopted by this document are all "safe primes" such | DH primes being adopted by this document are all "safe primes" such | |||
| that p = 2q + 1 where q is also a prime. New MODP groups are being | that p = 2q + 1 where q is also a prime. New MODP groups are being | |||
| introduced starting with the MODP 3072-bit group 15 all use SHA512 as | introduced starting with the MODP 3072-bit group 15. All use SHA512 | |||
| the hash algorithm. | as the hash algorithm. | |||
| The DH 2048-bit MODP group 14 is already present in most SSH | The DH 2048-bit MODP group 14 is already present in most SSH | |||
| implementations and most implementations already have a SHA256 | implementations and most implementations already have a SHA256 | |||
| implementation, so diffie-hellman-group14-sha256 is provided as easy | implementation, so diffie-hellman-group14-sha256 is provided as easy | |||
| to implement. | to implement. | |||
| It is intended that these new MODP groups with SHA-2 based hashes | It is intended that these new MODP groups with SHA-2 based hashes | |||
| update the [RFC4253] section 6.4 and [RFC4250] section 4.10 | update the [RFC4253] section 6.4 and [RFC4250] section 4.10 | |||
| standards. | standards. | |||
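
Review bot: The new Abstract and Overview text sends readers to "Section 3 of the [RFC4253]" for the errata on checking the Peer's DH Public key; that section number should be verified before the next revision, because the Diffie-Hellman exchange steps that contain the public value range check are in Section 8 of RFC 4253 (its Section 3 is the conventions section), and "point 3" of those steps may be what was intended. Two smaller points in the same region: "Diffie Hellman (DH)" should be hyphenated to match "Diffie-Hellman" as used in the title and in the Security Considerations, and "implementer and users request" should read "implementers and users request".
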
| skipping to change at page 3, line 41 ¶ | skipping to change at page 3, line 41 ¶ | |||
| curdle@ietf.org.] | curdle@ietf.org.] | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 3. Key Exchange Algorithms | 3. Key Exchange Algorithms | |||
| This memo adopts the style and conventions of [RFC4253] in specifying | This document adds some new Key Exchange Algorithm Method Names in | |||
| how the use of new data key exchange is indicated in SSH. | [RFC4253] and [RFC4250]. | |||
| The following new key exchange algorithms are defined: | This document adopts the style and conventions of [RFC4253] in | |||
| specifying how the use of new data key exchange is indicated in SSH. | ||||
| Key Exchange Method Name | The following new key exchange method algorithms are defined: | |||
| diffie-hellman-group14-sha256 | ||||
| diffie-hellman-group15-sha512 | ||||
| diffie-hellman-group16-sha512 | ||||
| diffie-hellman-group17-sha512 | ||||
| diffie-hellman-group18-sha512 | ||||
| Figure 1 | o diffie-hellman-group14-sha256 | |||
| o diffie-hellman-group15-sha512 | ||||
| o diffie-hellman-group16-sha512 | ||||
| o diffie-hellman-group17-sha512 | ||||
| o diffie-hellman-group18-sha512 | ||||
| The SHA-2 family of secure hash algorithms are defined in [RFC6234]. | The SHA-2 family of secure hash algorithms are defined in [RFC6234]. | |||
| The method of key exchange used for the name "diffie-hellman- | The method of key exchange used for the name "diffie-hellman- | |||
| group14-sha256" is the same as that for "diffie-hellman-group14-sha1" | group14-sha256" is the same as that for "diffie-hellman-group14-sha1" | |||
| except that the SHA256 hash algorithm is used. It is recommended | except that the SHA256 hash algorithm is used. It is recommended | |||
| that diffie-hellman-group14-sha256 SHOULD be supported to smooth the | that diffie-hellman-group14-sha256 SHOULD be supported to smooth the | |||
| transition to newer group sizes. | transition to newer group sizes. | |||
| The group15 through group18 names are the same as those specified in | The group15 through group18 names are the same as those specified in | |||
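
Review bot: The rewritten opening of Section 3, "adds some new Key Exchange Algorithm Method Names in [RFC4253] and [RFC4250]", reads as if the names were being inserted into those RFCs; since the names are registered in the IANA registry described by [RFC4250] and used by the key exchange of [RFC4253], wording such as "defines new Key Exchange Method Names for use with [RFC4253], registered as described in [RFC4250]" states the relationship more precisely. In the sentence introducing the bullet list, "key exchange method algorithms" mixes two terms; the earlier "key exchange algorithms" (or the registry's own "Key Exchange Method Names") is enough. Also, the "Figure 1" caption was dropped when the table became a bullet list, so any remaining cross-reference to Figure 1 elsewhere in the draft should be removed with it.
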
| skipping to change at page 5, line 17 ¶ | skipping to change at page 5, line 9 ¶ | |||
| violated, then the key exchange fails. | violated, then the key exchange fails. | |||
| This simple check ensures: | This simple check ensures: | |||
| o The remote peer behaves properly. | o The remote peer behaves properly. | |||
| o The local system is not forced into the two-element subgroup. | o The local system is not forced into the two-element subgroup. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document augments the Key Exchange Method Names in [RFC4253] and | ||||
| [RFC4250]. | ||||
| IANA is requested to add to the Key Exchange Method Names algorithm | IANA is requested to add to the Key Exchange Method Names algorithm | |||
| registry [IANA-KEX] with the following entries: | registry [IANA-KEX] with the following entries: | |||
| Key Exchange Method Name Reference | Key Exchange Method Name Reference | |||
| ----------------------------- ---------- | ----------------------------- ---------- | |||
| diffie-hellman-group14-sha256 This Draft | diffie-hellman-group14-sha256 This Draft | |||
| diffie-hellman-group15-sha512 This Draft | diffie-hellman-group15-sha512 This Draft | |||
| diffie-hellman-group16-sha512 This Draft | diffie-hellman-group16-sha512 This Draft | |||
| diffie-hellman-group17-sha512 This Draft | diffie-hellman-group17-sha512 This Draft | |||
| diffie-hellman-group18-sha512 This Draft | diffie-hellman-group18-sha512 This Draft | |||
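
Review bot: The first bullet under "This simple check ensures", "The remote peer behaves properly", promises more than a range check on the peer's public value can deliver. With the safe primes p = 2q + 1 adopted in Section 1, a range check can exclude at most the values 1 and p-1, which are exactly the order-1 and order-2 elements making up the two-element subgroup named in the second bullet; it verifies nothing else about the peer's behaviour. Suggest narrowing the first bullet to "The remote peer did not send a degenerate public value" and leaving the second bullet as the stated guarantee.
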
| skipping to change at page 6, line 11 ¶ | skipping to change at page 6, line 4 ¶ | |||
| Symmetric Keys. Care should be taken to use sufficient entropy and/ | Symmetric Keys. Care should be taken to use sufficient entropy and/ | |||
| or DRBG algorithms to maximize the true security strength of the key | or DRBG algorithms to maximize the true security strength of the key | |||
| exchange and ciphers selected. | exchange and ciphers selected. | |||
| Using a fixed set of Diffie-Hellman parameters makes them a high | Using a fixed set of Diffie-Hellman parameters makes them a high | |||
| value target for pre-computation. Generating additional sets of | value target for pre-computation. Generating additional sets of | |||
| primes to be used, or moving to larger values is a mitigation against | primes to be used, or moving to larger values is a mitigation against | |||
| this issue. | this issue. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |||
| Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | |||
| RFC 3526, DOI 10.17487/RFC3526, May 2003, | RFC 3526, DOI 10.17487/RFC3526, May 2003, | |||
| <http://www.rfc-editor.org/info/rfc3526>. | <https://www.rfc-editor.org/info/rfc3526>. | |||
| [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Protocol Assigned Numbers", RFC 4250, | Protocol Assigned Numbers", RFC 4250, | |||
| DOI 10.17487/RFC4250, January 2006, | DOI 10.17487/RFC4250, January 2006, | |||
| <http://www.rfc-editor.org/info/rfc4250>. | <https://www.rfc-editor.org/info/rfc4250>. | |||
| [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | |||
| January 2006, <http://www.rfc-editor.org/info/rfc4253>. | January 2006, <https://www.rfc-editor.org/info/rfc4253>. | |||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | ||||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | ||||
| DOI 10.17487/RFC6234, May 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6234>. | ||||
| 8.2. Informative References | 8.2. Informative References | |||
| [IANA-KEX] | [IANA-KEX] | |||
| Internet Assigned Numbers Authority (IANA), "Secure Shell | Internet Assigned Numbers Authority (IANA), "Secure Shell | |||
| (SSH) Protocol Parameters: Key Exchange Method Names", | (SSH) Protocol Parameters: Key Exchange Method Names", | |||
| March 2017, <http://www.iana.org/assignments/ssh- | March 2017, <http://www.iana.org/assignments/ssh- | |||
| parameters/ssh-parameters.xhtml#ssh-parameters-16>. | parameters/ssh-parameters.xhtml#ssh-parameters-16>. | |||
| [MFQ-U-OO-815099-15] | [MFQ-U-OO-815099-15] | |||
| "National Security Agency/Central Security Service", "CNSA | "National Security Agency/Central Security Service", "CNSA | |||
| Suite and Quantum Computing FAQ", January 2016, | Suite and Quantum Computing FAQ", January 2016, | |||
| <https://www.iad.gov/iad/library/ia-guidance/ia-solutions- | <https://www.iad.gov/iad/library/ia-guidance/ | |||
| for-classified/algorithm-guidance/cnsa-suite-and-quantum- | ia-solutions-for-classified/algorithm-guidance/ | |||
| computing-faq.cfm>. | cnsa-suite-and-quantum-computing-faq.cfm>. | |||
| [NIST-SP-800-131Ar1] | [NIST-SP-800-131Ar1] | |||
| Barker and Roginsky, "Transitions: Recommendation for the | Barker and Roginsky, "Transitions: Recommendation for the | |||
| Transitioning of the Use of Cryptographic Algorithms and | Transitioning of the Use of Cryptographic Algorithms and | |||
| Key Lengths", NIST Special Publication 800-131A Revision | Key Lengths", NIST Special Publication 800-131A Revision | |||
| 1, November 2015, | 1, November 2015, | |||
| <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
| NIST.SP.800-131Ar1.pdf>. | NIST.SP.800-131Ar1.pdf>. | |||
| [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For | [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For | |||
| Public Keys Used For Exchanging Symmetric Keys", BCP 86, | Public Keys Used For Exchanging Symmetric Keys", BCP 86, | |||
| RFC 3766, DOI 10.17487/RFC3766, April 2004, | RFC 3766, DOI 10.17487/RFC3766, April 2004, | |||
| <http://www.rfc-editor.org/info/rfc3766>. | <https://www.rfc-editor.org/info/rfc3766>. | |||
| [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | |||
| Considerations for the SHA-0 and SHA-1 Message-Digest | Considerations for the SHA-0 and SHA-1 Message-Digest | |||
| Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | |||
| <http://www.rfc-editor.org/info/rfc6194>. | <https://www.rfc-editor.org/info/rfc6194>. | |||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | ||||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | ||||
| DOI 10.17487/RFC6234, May 2011, | ||||
| <http://www.rfc-editor.org/info/rfc6234>. | ||||
| Author's Address | Author's Address | |||
| Mark D. Baushke | Mark D. Baushke | |||
| Juniper Networks, Inc. | Juniper Networks, Inc. | |||
| 1133 Innovation Way | 1133 Innovation Way | |||
| Sunnyvale, CA 94089-1228 | Sunnyvale, CA 94089-1228 | |||
| US | US | |||
| Phone: +1 408 745 2952 | Phone: +1 408 745 2952 | |||
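
Review bot: Promoting [RFC6234] from Informative to Normative References is the right call, since Section 3 depends on it to define the SHA-2 hashes named in the new method names. The http:// to https:// update was applied only to the RFC entries, so [IANA-KEX] and [NIST-SP-800-131Ar1] still use http:// and should get the same treatment for consistency. Two reference-entry nits: [NIST-SP-800-131Ar1] gives its authors as "Barker and Roginsky" without initials, unlike every other entry, and [MFQ-U-OO-815099-15] places the organisation name in quotation marks as though it were a title.
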
| End of changes. 23 change blocks. | ||||
| 55 lines changed or deleted | 52 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||