| < draft-baushke-ssh-dh-group-sha2-05.txt | draft-baushke-ssh-dh-group-sha2-06.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force M. Baushke | Internet Engineering Task Force M. Baushke | |||
| Internet-Draft Juniper Networks, Inc. | Internet-Draft Juniper Networks, Inc. | |||
| Updates: 4253, 4419, 4432, 4462, 5656 February 19, 2016 | Updates: 4253, 4419, 4432, 4462, 5656 March 1, 2016 | |||
| (if approved) | (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: August 22, 2016 | Expires: September 2, 2016 | |||
| More Modular Exponential (MODP) Diffie-Hellman Key Exchange Groups for | More Modular Exponential (MODP) Diffie-Hellman Key Exchange Groups for | |||
| Secure Shell (SSH) | Secure Shell (SSH) | |||
| draft-baushke-ssh-dh-group-sha2-05 | draft-baushke-ssh-dh-group-sha2-06 | |||
| Abstract | Abstract | |||
| This document defines two added Modular Exponential (MODP) Groups for | This document defines two added Modular Exponential (MODP) Groups for | |||
| the Secure Shell (SSH) protocol. It also updates [RFC4253], | the Secure Shell (SSH) protocol. It also updates [RFC4253], | |||
| [RFC4419], [RFC4462], and [RFC5656] by specifying the set key | [RFC4419], [RFC4462], and [RFC5656] by specifying the set key | |||
| exchange algorithms that currently exist and which ones MUST, SHOULD, | exchange algorithms that currently exist and which ones MUST, SHOULD, | |||
| MAY, and SHOULD NOT be implemented including two new Diffie-Hellman | MAY, and SHOULD NOT be implemented including two new Diffie-Hellman | |||
| key exchange algorithms using SHA-2 hashes. | key exchange algorithms using SHA-2 hashes. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 22, 2016. | This Internet-Draft will expire on September 2, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 37 ¶ | skipping to change at page 2, line 37 ¶ | |||
| method. This is the same reason that the stronger MODP groups being | method. This is the same reason that the stronger MODP groups being | |||
| introduced are using SHA2-512 as the hash algorithm. Group14 is | introduced are using SHA2-512 as the hash algorithm. Group14 is | |||
| already present in most SSH implementations and most implementations | already present in most SSH implementations and most implementations | |||
| already have a SHA2-256 implementation, so diffie-hellman-group14-sha256 is provided as an easy to implement and faster to use | already have a SHA2-256 implementation, so diffie-hellman-group14-sha256 is provided as an easy to implement and faster to use | |||
| key exchange for small embedded applications. | key exchange for small embedded applications. | |||
| It has been observed in [safe-curves] that the NIST recommended | It has been observed in [safe-curves] that the NIST recommended | |||
| Elliptic Curve Prime Curves (P-256, P-384, and P-521) are perhaps not | Elliptic Curve Prime Curves (P-256, P-384, and P-521) are perhaps not | |||
| the best available for Elliptic Curve Cryptography Security. For | the best available for Elliptic Curve Cryptography Security. For | |||
| this reason, none of the RFC5656 curves are marked as a MUST | this reason, none of the [RFC5656] curves are marked as a MUST | |||
| implement. | implement. However, the requirement that "every compliant SSH ECC | |||
| implementation MUST implement ECDH key exchange" is now taken to mean | ||||
| that if ecdsa-sha2-[identifier] is implemented, then ecdh-sha2-[identifier] MUST be implemented. | ||||
| Please send comments on this draft to ietf-ssh@NetBSD.org. | Please send comments on this draft to ietf-ssh@NetBSD.org. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Key Exchange Algorithms | 3. Key Exchange Algorithms | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 40 ¶ | |||
| part of the key exchange method name. | part of the key exchange method name. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document augments the Key Exchange Method Names in [RFC4253]. | This document augments the Key Exchange Method Names in [RFC4253]. | |||
| It downgrades the use of SHA-1 hashing for key exchange methods in | It downgrades the use of SHA-1 hashing for key exchange methods in | |||
| [RFC4419], [RFC4432], and [RFC4462]. It also moves from MUST to MAY | [RFC4419], [RFC4432], and [RFC4462]. It also moves from MUST to MAY | |||
| the ecdh-sha2-nistp256 given in [RFC5656]. | the ecdh-sha2-nistp256 given in [RFC5656]. | |||
| It is desirable to also include the ssh-curves from the | It is desirable to also include the ssh-curves from the | |||
| [I-D.josefsson-ssh-curves] in this list. It is not yet clear if | [I-D.josefsson-ssh-curves] in this list. The "curve25519-sha256" is | |||
| curve448-sha256 or curve448-sha512 will be defined in that draft. | currently available in some Secure Shell implementations under the | |||
| The curve25519-sha256 is currently available in some Secure Shell | name "curve25519-sha256@libssh.org" and is the best candidate for a | |||
| implementations under the name curve25519-sha256@libssh.org and is | fast, safe, and secure key exchange method. | |||
| the best candidate for a fast, safe, and secure key exchange method. | ||||
| IANA is requested to update the SSH algorithm registry with the | IANA is requested to update the SSH algorithm registry with the | |||
| following entries: | following entries: | |||
| Key Exchange Method Name Reference Note | Key Exchange Method Name Reference Note | |||
| diffie-hellman-group-exchange-sha1 RFC4419 SHOULD NOT | diffie-hellman-group-exchange-sha1 RFC4419 SHOULD NOT | |||
| diffie-hellman-group-exchange-sha256 RFC4419 MAY | diffie-hellman-group-exchange-sha256 RFC4419 MAY | |||
| diffie-hellman-group1-sha1 RFC4253 SHOULD NOT | diffie-hellman-group1-sha1 RFC4253 SHOULD NOT | |||
| diffie-hellman-group14-sha1 RFC4253 SHOULD | diffie-hellman-group14-sha1 RFC4253 SHOULD | |||
| ecdh-sha2-nistp256 RFC5656 MAY | ecdh-sha2-nistp256 RFC5656 MAY | |||
| skipping to change at page 4, line 28 ¶ | skipping to change at page 4, line 28 ¶ | |||
| gss-gex-sha1-* RFC4462 SHOULD NOT | gss-gex-sha1-* RFC4462 SHOULD NOT | |||
| gss-group1-sha1-* RFC4462 SHOULD NOT | gss-group1-sha1-* RFC4462 SHOULD NOT | |||
| gss-group14-sha1-* RFC4462 MAY | gss-group14-sha1-* RFC4462 MAY | |||
| gss-* RFC4462 MAY | gss-* RFC4462 MAY | |||
| rsa1024-sha1 RFC4432 SHOULD NOT | rsa1024-sha1 RFC4432 SHOULD NOT | |||
| rsa2048-sha256 RFC4432 MAY | rsa2048-sha256 RFC4432 MAY | |||
| diffie-hellman-group14-sha256 This Draft MAY | diffie-hellman-group14-sha256 This Draft MAY | |||
| diffie-hellman-group16-sha512 This Draft SHOULD | diffie-hellman-group16-sha512 This Draft SHOULD | |||
| diffie-hellman-group18-sha512 This Draft MAY | diffie-hellman-group18-sha512 This Draft MAY | |||
| curve25519-sha256 ssh-curves MUST | curve25519-sha256 ssh-curves MUST | |||
| curve448-sha256 ssh-curves MAY | curve448-sha512 ssh-curves MAY | |||
| Figure 2 | Figure 2 | |||
| The Note in the above table is an implementation suggestion for the | The Note in the above table is an implementation suggestion/ | |||
| listed key exchange method. It is up to the end-user as to what | recommendation for the listed key exchange method. It is up to the | |||
| algorithms they choose to be able to negotiate. | end-user as to what algorithms they choose to be able to negotiate. | |||
| The guidance of this document is that the SHA-1 algorithm hashing | The guidance of this document is that the SHA-1 algorithm hashing | |||
| SHOULD NOT be used. If it is used, it should only be provided for | SHOULD NOT be used. If it is used, it should only be provided for | |||
| backwards compatibility, should not be used in new designs, and | backwards compatibility, should not be used in new designs, and | |||
| should be phased out of existing key exchanges as quickly as possible | should be phased out of existing key exchanges as quickly as possible | |||
| because of its known weaknesses. Any key exchange using SHA-1 SHOULD | because of its known weaknesses. Any key exchange using SHA-1 SHOULD | |||
| NOT be in a default key exchange list if at all possible. If they | NOT be in a default key exchange list if at all possible. If they | |||
| are needed for backward compatibility, they SHOULD be listed after | are needed for backward compatibility, they SHOULD be listed after | |||
| all of the SHA-2 based key exchanges. | all of the SHA-2 based key exchanges. | |||
| The RFC4253 REQUIRED diffie-hellman-group14-sha1 method SHOULD be | The RFC4253 REQUIRED diffie-hellman-group14-sha1 method SHOULD be | |||
| retained for compatibility with older Secure Shell implementations. | retained for compatibility with older Secure Shell implementations. | |||
| It is intended that this key exchange be phased out as soon as | It is intended that this key exchange be phased out as soon as | |||
| possible. | possible. | |||
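As an added example (not part of the draft or of any implementation it names), the Python below audits an ordered SSH KEX list against the -06 column of Figure 2 and the guidance above: methods marked SHOULD NOT, the curve25519-sha256 MUST (accepting the @libssh.org spelling the text mentions), and SHA-1 methods placed before SHA-2 methods. Entries elided from the visible part of the diff are not included, and the wildcard handling for gss-* names is my assumption about how those registry patterns are meant to match.

```python
# Added example (not from the draft): audit an ordered SSH KEX list against Figure 2.
import re

# Notes copied from the -06 column of Figure 2; entries hidden in the elided part
# of the diff are not reproduced. Names ending in '*' are wildcards (longest prefix wins).
FIGURE2_NOTES = {
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT", "diffie-hellman-group14-sha1": "SHOULD",
    "ecdh-sha2-nistp256": "MAY", "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT", "gss-group14-sha1-*": "MAY", "gss-*": "MAY",
    "rsa1024-sha1": "SHOULD NOT", "rsa2048-sha256": "MAY",
    "diffie-hellman-group14-sha256": "MAY", "diffie-hellman-group16-sha512": "SHOULD",
    "diffie-hellman-group18-sha512": "MAY",
    "curve25519-sha256": "MUST", "curve448-sha512": "MAY",
}
# The draft notes curve25519-sha256 ships under the @libssh.org name; either satisfies the MUST.
CURVE25519_ALIASES = {"curve25519-sha256", "curve25519-sha256@libssh.org"}
SHA2_RE = re.compile(r"-(sha2|sha256|sha384|sha512)(-|@|$)")

def note_for(name):
    """Figure 2 note for a KEX name: exact match first, else longest wildcard prefix."""
    if name in CURVE25519_ALIASES:
        name = "curve25519-sha256"
    if name in FIGURE2_NOTES:
        return FIGURE2_NOTES[name]
    prefixes = [k[:-1] for k in FIGURE2_NOTES
                if k.endswith("*") and name.startswith(k[:-1])]
    return FIGURE2_NOTES[max(prefixes, key=len) + "*"] if prefixes else None

def uses_sha1(name):
    return "-sha1" in name  # plain names and RFC4462 gss-*-sha1-<oid> names

def audit_kex_list(kex_names):
    """Return findings for an ordered KEX list; an empty list means no issue found."""
    findings = []
    if not CURVE25519_ALIASES & set(kex_names):
        findings.append("list lacks MUST-implement curve25519-sha256")
    sha2_pos = [i for i, n in enumerate(kex_names) if SHA2_RE.search(n)]
    last_sha2 = max(sha2_pos) if sha2_pos else -1
    for i, name in enumerate(kex_names):
        note = note_for(name)
        if note is None:
            findings.append(f"{name}: not listed in Figure 2")
        elif note == "SHOULD NOT":
            findings.append(f"{name}: SHOULD NOT be offered (Figure 2)")
        if uses_sha1(name) and i < last_sha2:  # SHA-1 methods must trail all SHA-2 ones
            findings.append(f"{name}: SHA-1 method listed before SHA-2 methods")
    return findings
```

Feed it the algorithm names in the order a client or server advertises them; the sample lists in the test are constructed, not captured from a real host.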
| 5. Security Considerations | 5. Acknowledgements | |||
| Thanks to the following people for review and comments: Denis Bider, | ||||
| Peter Gutmann, Damien Miller, Niels Moeller, Matt Johnston, Iwamoto | ||||
| Kouichi, Simon Josefsson, Dave Dugal. | ||||
| Thanks to the following people for code to implement interoperable | ||||
| exchanges using some of these groups as found in the -01 draft: | ||||
| Darren Tucker for OpenSSH and Matt Johnston for Dropbear. And thanks | ||||
| to Iwamoto Kouichi for information about RLogin, Tera Term (ttssh) | ||||
| and Poderosa implementations also adopting new Diffie-Hellman groups | ||||
| based on the -01 draft. | ||||
| 6. Security Considerations | ||||
| The security considerations of [RFC4253] apply to this document. | The security considerations of [RFC4253] apply to this document. | |||
| The security considerations of [RFC3526] suggest that these MODP | The security considerations of [RFC3526] suggest that these MODP | |||
| groups have security strengths given in this table. They are based | groups have security strengths given in this table. They are based | |||
| on [RFC3766] Determining Strengths For Public Keys Used For | on [RFC3766] Determining Strengths For Public Keys Used For | |||
| Exchanging Symmetric Keys. | Exchanging Symmetric Keys. | |||
| Group modulus security strength estimates (RFC3526) | Group modulus security strength estimates (RFC3526) | |||
| skipping to change at page 5, line 31 ¶ | skipping to change at page 5, line 44 ¶ | |||
| +--------+----------+----------+----------+----------+----------+ | +--------+----------+----------+----------+----------+----------+ | |||
| | 14 | 2048-bit | 110 | 220- | 160 | 320- | | | 14 | 2048-bit | 110 | 220- | 160 | 320- | | |||
| | 15 | 3072-bit | 130 | 260- | 210 | 420- | | | 15 | 3072-bit | 130 | 260- | 210 | 420- | | |||
| | 16 | 4096-bit | 150 | 300- | 240 | 480- | | | 16 | 4096-bit | 150 | 300- | 240 | 480- | | |||
| | 17 | 6144-bit | 170 | 340- | 270 | 540- | | | 17 | 6144-bit | 170 | 340- | 270 | 540- | | |||
| | 18 | 8192-bit | 190 | 380- | 310 | 620- | | | 18 | 8192-bit | 190 | 380- | 310 | 620- | | |||
| +--------+----------+---------------------+---------------------+ | +--------+----------+---------------------+---------------------+ | |||
| Figure 3 | Figure 3 | |||
| Many users seem to be interested in the perceived safety of using the | Many users seem to be interested in the perceived safety of using | |||
| SHA2-based algorithms for hashing. | larger MODP groups and hashing with SHA2-based algorithms. | |||
| 6. References | ||||
| 6.1. Normative References | 7. References | |||
| 7.1. Normative References | ||||
| [FIPS-180-4] | [FIPS-180-4] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard (SHS)", FIPS PUB 180-4, August 2015, | Hash Standard (SHS)", FIPS PUB 180-4, August 2015, | |||
| <http://nvlpubs.nist.gov/nistpubs/FIPS/ | <http://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.180-4.pdf>. | NIST.FIPS.180-4.pdf>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| skipping to change at page 6, line 9 ¶ | skipping to change at page 6, line 26 ¶ | |||
| [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |||
| Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | |||
| RFC 3526, DOI 10.17487/RFC3526, May 2003, | RFC 3526, DOI 10.17487/RFC3526, May 2003, | |||
| <http://www.rfc-editor.org/info/rfc3526>. | <http://www.rfc-editor.org/info/rfc3526>. | |||
| [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | |||
| January 2006, <http://www.rfc-editor.org/info/rfc4253>. | January 2006, <http://www.rfc-editor.org/info/rfc4253>. | |||
| 6.2. Informative References | 7.2. Informative References | |||
| [I-D.josefsson-ssh-curves] | [I-D.josefsson-ssh-curves] | |||
| Adamantiadis, A. and S. Josefsson, "Secure Shell (SSH) Key | Adamantiadis, A. and S. Josefsson, "Secure Shell (SSH) Key | |||
| Exchange Method using Curve25519 and Curve448", draft-josefsson-ssh-curves-03 (work in progress), November 2015. | Exchange Method using Curve25519 and Curve448", draft-josefsson-ssh-curves-04 (work in progress), March 2016. | |||
| [MFQ-U-OO-815099-15] | [MFQ-U-OO-815099-15] | |||
| "National Security Agency/Central Security Service", "CNSA | "National Security Agency/Central Security Service", "CNSA | |||
| Suite and Quantum Computing FAQ", January 2016, | Suite and Quantum Computing FAQ", January 2016, | |||
| <https://www.iad.gov/iad/library/ia-guidance/ia-solutions- | <https://www.iad.gov/iad/library/ia-guidance/ia-solutions- | |||
| for-classified/algorithm-guidance/cnsa-suite-and-quantum- | for-classified/algorithm-guidance/cnsa-suite-and-quantum- | |||
| computing-faq.cfm>. | computing-faq.cfm>. | |||
| [NIST-SP-800-131Ar1] | [NIST-SP-800-131Ar1] | |||
| Barker, and Roginsky, "Transitions: Recommendation for the | Barker, and Roginsky, "Transitions: Recommendation for the | |||
| End of changes. 13 change blocks. | ||||
| 23 lines changed or deleted | 37 lines changed or added | |||