| draft-harris-ssh-rsa-kex-02.txt | draft-harris-ssh-rsa-kex-03.txt |
|---|---|
| Network Working Group B. Harris | Network Working Group B. Harris |
| Internet-Draft July 4, 2005 | Internet-Draft July 13, 2005 |
| Expires: January 5, 2006 | Expires: January 14, 2006 |
| Rivest-Shamir-Adleman (RSA) key exchange for the Secure Shell (SSH) | Rivest-Shamir-Adleman (RSA) key exchange for the Secure Shell (SSH) |
| Transport Layer Protocol | Transport Layer Protocol |
| draft-harris-ssh-rsa-kex-02 | draft-harris-ssh-rsa-kex-03 |
| Status of this Memo | Status of this Memo |
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any |
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware |
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes |
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that |
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at |
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. |
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at |
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. |
| This Internet-Draft will expire on January 5, 2006. | This Internet-Draft will expire on January 14, 2006. |
| Copyright Notice | Copyright Notice |
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). |
| Abstract | Abstract |
| This memo describes a key-exchange method for the Secure Shell (SSH) | This memo describes a key-exchange method for the Secure Shell (SSH) |
| protocol based on Rivest-Shamir-Adleman (RSA) public-key encryption. | protocol based on Rivest-Shamir-Adleman (RSA) public-key encryption. |
| It uses much less client CPU time than the Diffie-Hellman algorithm | It uses much less client CPU time than the Diffie-Hellman algorithm |
| skipping to change at page 3, line 11 | skipping to change at page 3, line 11 |
| HASH hash algorithm for calculating exchange hash etc. | HASH hash algorithm for calculating exchange hash etc. |
| HLEN output length of HASH in bits | HLEN output length of HASH in bits |
| MINKLEN minimum transient RSA modulus length in bits | MINKLEN minimum transient RSA modulus length in bits |
| The method uses the following messages. | The method uses the following messages. |
| First, the server sends: | First, the server sends: |
| byte SSH_MSG_KEXRSA_PUBKEY | byte SSH_MSG_KEXRSA_PUBKEY |
| string K_T, transient RSA public key | string K_T, transient RSA public key |
| | string server public host key and certificates (K_S) |
| The key K_T is encoded according to the "ssh-rsa" scheme described in | The key K_T is encoded according to the "ssh-rsa" scheme described in |
| section 6.6 of [I-D.ietf-secsh-transport]. Note that unlike an "ssh- | section 6.6 of [I-D.ietf-secsh-transport]. Note that unlike an "ssh- |
| rsa" host key, K_T is only used for encryption, and not for | rsa" host key, K_T is only used for encryption, and not for |
| signature. The modulus of K_T MUST be at least MINKLEN bits long. | signature. The modulus of K_T MUST be at least MINKLEN bits long. |
| The client generates a random integer, K, in the range | The client generates a random integer, K, in the range |
| 0 <= K < 2^(KLEN-2HLEN-49), where KLEN is the length of the modulus | 0 <= K < 2^(KLEN-2HLEN-49), where KLEN is the length of the modulus |
| of K_T, in bits. The client then uses K_T to encrypt: | of K_T, in bits. The client then uses K_T to encrypt: |
| skipping to change at page 3, line 45 | skipping to change at page 3, line 46 |
| result which is similar, but not identical, to the SSH "mpint" | result which is similar, but not identical, to the SSH "mpint" |
| encoding applied to that integer. This is the same encoding as is | encoding applied to that integer. This is the same encoding as is |
| used by "ssh-rsa" signatures in [I-D.ietf-secsh-transport]. | used by "ssh-rsa" signatures in [I-D.ietf-secsh-transport]. |
| The server decrypts K. If a decryption error occurs, the server | The server decrypts K. If a decryption error occurs, the server |
| SHOULD send SSH_MESSAGE_DISCONNECT with a reason code of | SHOULD send SSH_MESSAGE_DISCONNECT with a reason code of |
| SSH_DISCONNECT_KEY_EXCHANGE_FAILED and MUST disconnect. Otherwise, | SSH_DISCONNECT_KEY_EXCHANGE_FAILED and MUST disconnect. Otherwise, |
| the server responds with: | the server responds with: |
| byte SSH_MSG_KEXRSA_DONE | byte SSH_MSG_KEXRSA_DONE |
| string server public host key and certificates (K_S) | string signature of H with host key |
| string signature of H | |
| The hash H is computed as the HASH hash of the concatenation of the | The hash H is computed as the HASH hash of the concatenation of the |
| following: | following: |
| string V_C, the client's version string (CR and NL excluded) | string V_C, the client's version string (CR and NL excluded) |
| string V_S, the server's version string (CR and NL excluded) | string V_S, the server's version string (CR and NL excluded) |
| string I_C, the payload of the client's SSH_MSG_KEXINIT | string I_C, the payload of the client's SSH_MSG_KEXINIT |
| string I_S, the payload of the server's SSH_MSG_KEXINIT | string I_S, the payload of the server's SSH_MSG_KEXINIT |
| string K_S, the host key | string K_S, the host key |
| string K_T, the transient RSA key | string K_T, the transient RSA key |
| skipping to change at page 4, line 27 | skipping to change at page 4, line 27 |
| This value is called the exchange hash, and it is used to | This value is called the exchange hash, and it is used to |
| authenticate the key exchange. The exchange hash SHOULD be kept | authenticate the key exchange. The exchange hash SHOULD be kept |
| secret. | secret. |
| The signature algorithm MUST be applied over H, not the original | The signature algorithm MUST be applied over H, not the original |
| data. Most signature algorithms include hashing and additional | data. Most signature algorithms include hashing and additional |
| padding - for example, "ssh-dss" specifies SHA-1 hashing. In that | padding - for example, "ssh-dss" specifies SHA-1 hashing. In that |
| case, the data is first hashed with HASH to compute H, and H is then | case, the data is first hashed with HASH to compute H, and H is then |
| hashed with SHA-1 as part of the signing operation. | hashed with SHA-1 as part of the signing operation. |
| 5. rsa1024-sha1-draft-02@putty.projects.tartarus.org | 5. rsa1024-sha1-draft-03@putty.projects.tartarus.org |
| The "rsa1024-sha1-draft-02@putty.projects.tartarus.org" method | The "rsa1024-sha1-draft-03@putty.projects.tartarus.org" method |
| specifies RSA key exchange as described above with the following | specifies RSA key exchange as described above with the following |
| parameters: | parameters: |
| HASH SHA-1, as defined in [RFC3174] | HASH SHA-1, as defined in [RFC3174] |
| HLEN 160 | HLEN 160 |
| MINKLEN 1024 | MINKLEN 1024 |
| 6. rsa2048-sha512-draft-02@putty.projects.tartarus.org | 6. rsa2048-sha256-draft-03@putty.projects.tartarus.org |
| The "rsa2048-sha512-draft-02@putty.projects.tartarus.org" method | The "rsa2048-sha256-draft-03@putty.projects.tartarus.org" method |
| specifies RSA key exchange as described above with the following | specifies RSA key exchange as described above with the following |
| parameters: | parameters: |
| HASH SHA-512, as defined in [FIPS-180-2] | HASH SHA-256, as defined in [FIPS-180-2] |
| HLEN 512 | HLEN 256 |
| MINKLEN 2048 | MINKLEN 2048 |
| 7. Message numbers | 7. Message numbers |
| The following message numbers are defined: | The following message numbers are defined: |
| SSH_MSG_KEXRSA_PUBKEY 30 | SSH_MSG_KEXRSA_PUBKEY 30 |
| SSH_MSG_KEXRSA_SECRET 31 | SSH_MSG_KEXRSA_SECRET 31 |
| SSH_MSG_KEXRSA_DONE 32 | SSH_MSG_KEXRSA_DONE 32 |
| End of changes. 10 change blocks. | |
| 12 lines changed or deleted | 12 lines changed or added |
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
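The exchange the two columns above describe, as an added example that is not part of either draft or of the PuTTY implementation: both sides of the RSA key exchange in Python, using only the standard library (Python 3.8 or later, for `pow(e, -1, m)`). Every name here (`run_kex`, `gen_rsa`, `oaep_encrypt`, `max_secret_bits`, and so on) is the example's own. Where this diff view elides the draft, the example fills in with assumptions that are repeated in the code comments: the client encrypts mpint K with RSAES-OAEP, using HASH for both the label hash and MGF1, as RFC 4432, the published form of this draft, specifies; the exchange-hash inputs after K_T are the encrypted secret as a string and then mpint K, again following RFC 4432; the ciphertext travels as a string of exactly k octets (I2OSP), which is how the example reads the "similar, but not identical, to mpint" remark; the host signature is an "ssh-rsa" PKCS#1 v1.5 signature, which hashes H again with SHA-1 in the way the text describes for signature algorithms; and the version strings, KEXINIT payloads and both RSA keys are constructed on the spot. The Miller-Rabin key generation and the OAEP decoder are toys that keep the example self-contained, not production code.

```python
import hashlib
import secrets
def ssh_string(b):       # SSH "string": uint32 big-endian length, then the bytes
    return len(b).to_bytes(4, "big") + b
def ssh_mpint(x):        # SSH "mpint" for x >= 0: minimal two's complement; zero is the empty string
    return ssh_string(b"" if x == 0 else x.to_bytes((x.bit_length() + 8) // 8, "big"))
def ssh_rsa_blob(n, e):  # "ssh-rsa" public-key encoding, used for K_S and K_T alike
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))
def max_secret_bits(klen, hlen):  # the draft's bound K < 2^(KLEN-2HLEN-49), HLEN in bits
    return klen - 2 * hlen - 49   # 49 = 16 (OAEP's 0x00 and 0x01 octets) + 32 (mpint length) + 1 (sign bit)

def is_probable_prime(n, rounds=40):  # Miller-Rabin for odd n > 2; only the toy keygen below calls it
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits, e=65537):  # toy keygen; the top two bits of each prime are set so n has exactly `bits` bits
    half, primes = bits // 2, []
    while len(primes) < 2:
        p = secrets.randbits(half) | (3 << (half - 2)) | 1
        if p not in primes and (p - 1) % e and is_probable_prime(p):
            primes.append(p)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # public (n, e), private (n, d)

def mgf1(seed, length, hname):
    hlen = hashlib.new(hname).digest_size
    return b"".join(hashlib.new(hname, seed + c.to_bytes(4, "big")).digest()
                    for c in range((length + hlen - 1) // hlen))[:length]

def oaep_encrypt(pub, msg, hname):  # RSAES-OAEP, HASH for label and MGF1 (assumed; RFC 4432's choice)
    n, e = pub
    k, hlen = (n.bit_length() + 7) // 8, hashlib.new(hname).digest_size
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long for RSAES-OAEP")
    db = hashlib.new(hname, b"").digest() + b"\x00" * (k - len(msg) - 2 * hlen - 2) + b"\x01" + msg
    seed = secrets.token_bytes(hlen)
    mdb = xor(db, mgf1(seed, k - hlen - 1, hname))
    mseed = xor(seed, mgf1(mdb, hlen, hname))
    c = pow(int.from_bytes(b"\x00" + mseed + mdb, "big"), e, n)
    return c.to_bytes(k, "big")  # I2OSP: always exactly k octets, hence "similar but not identical" to an mpint

def oaep_decrypt(priv, c, hname):  # the plaintext, or None on any decoding error (the server then disconnects)
    n, d = priv
    k, hlen = (n.bit_length() + 7) // 8, hashlib.new(hname).digest_size
    if len(c) != k or int.from_bytes(c, "big") >= n:
        return None
    em = pow(int.from_bytes(c, "big"), d, n).to_bytes(k, "big")
    mdb = em[1 + hlen:]
    seed = xor(em[1:1 + hlen], mgf1(mdb, hlen, hname))
    db = xor(mdb, mgf1(seed, k - hlen - 1, hname))
    sep = db.find(b"\x01", hlen)
    ok = em[0] == 0 and db[:hlen] == hashlib.new(hname, b"").digest() and sep != -1 and not any(db[hlen:sep])
    return db[sep + 1:] if ok else None  # production code: one indistinguishable, constant-time failure

def pkcs1_v15_em(k, data):  # EMSA-PKCS1-v1_5 with SHA-1: "ssh-rsa" hashes H again inside the signature
    t = bytes.fromhex("3021300906052b0e03021a05000414") + hashlib.sha1(data).digest()  # DER DigestInfo
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def ssh_rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_em(k, data), "big"), d, n).to_bytes(k, "big")
def ssh_rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1_v15_em(k, data)

def run_kex(hname="sha1", klen=1024):  # both sides; returns (client H, server H, K as recovered, signature ok)
    v_c, v_s = b"SSH-2.0-ExampleClient", b"SSH-2.0-ExampleServer"                   # constructed
    i_c, i_s = b"constructed client KEXINIT payload", b"constructed server KEXINIT payload"
    host_pub, host_priv = gen_rsa(1024)                 # K_S: a constructed host key
    kt_pub, kt_priv = gen_rsa(klen)                     # K_T: transient, only ever encrypts
    k_s, k_t = ssh_rsa_blob(*host_pub), ssh_rsa_blob(*kt_pub)  # SSH_MSG_KEXRSA_PUBKEY carries string K_T (and, from -03, string K_S)
    K = secrets.randbits(max_secret_bits(klen, 8 * hashlib.new(hname).digest_size))  # client: 0 <= K < 2^(KLEN-2HLEN-49)
    secret = oaep_encrypt(kt_pub, ssh_mpint(K), hname)  # SSH_MSG_KEXRSA_SECRET, client -> server
    plain = oaep_decrypt(kt_priv, secret, hname)        # server decrypts K, or MUST disconnect
    if plain is None or len(plain) != 4 + int.from_bytes(plain[:4], "big"):
        raise ConnectionError("SSH_DISCONNECT_KEY_EXCHANGE_FAILED")
    k_server = int.from_bytes(plain[4:], "big")
    def exchange_hash(kval):  # the inputs after K_T are elided in the diff; the last two follow RFC 4432
        return hashlib.new(hname, b"".join([ssh_string(v_c), ssh_string(v_s), ssh_string(i_c), ssh_string(i_s),
                           ssh_string(k_s), ssh_string(k_t), ssh_string(secret), ssh_mpint(kval)])).digest()
    h_client, h_server = exchange_hash(K), exchange_hash(k_server)
    sig = ssh_rsa_sign(host_priv, h_server)             # SSH_MSG_KEXRSA_DONE, server -> client: signature of H
    return h_client, h_server, k_server, ssh_rsa_verify(host_pub, h_client, sig)
```

`run_kex()` runs the Section 5 parameters (SHA-1, 1024-bit K_T) and `run_kex("sha256", 2048)` the Section 6 parameters of draft -03; both return matching exchange hashes on the two sides and a host signature that verifies. Two things are worth checking against the text. First, `max_secret_bits` is the draft's 2^(KLEN-2HLEN-49) bound, and the largest K it allows has an mpint encoding of exactly k - 2*HLEN/8 - 2 octets, the most RSAES-OAEP can carry, so the 49 is 16 bits of OAEP framing, a 32-bit mpint length and one sign bit. Applied to the Section 6 change, the same 2048-bit modulus allows K up to 975 bits with SHA-512 (HLEN 512) but 1487 bits with SHA-256 (HLEN 256), so -03's switch to SHA-256 also enlarges the secret. Second, every decoding failure in `oaep_decrypt` collapses into a single `None`, which `run_kex` turns into the SSH_DISCONNECT_KEY_EXCHANGE_FAILED disconnect the text requires; a server that let the client tell which OAEP check failed, by error code or by timing, would be handing out a decryption oracle, so the real implementation must treat all failures identically.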