| < draft-ietf-curdle-ssh-kex-sha2-02.txt | draft-ietf-curdle-ssh-kex-sha2-03.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force M. Baushke | Internet Engineering Task Force M. Baushke | |||
| Internet-Draft Juniper Networks, Inc. | Internet-Draft Juniper Networks, Inc. | |||
| Updates: 4253, 4419, 4432, 4462, 5656 March 8, 2016 | Updates: 4253, 4419, 4432, 4462, 5656 March 14, 2016 | |||
| (if approved) | (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: September 9, 2016 | Expires: September 15, 2016 | |||
| Key Exchange Method Updates for Secure Shell (SSH) | Key Exchange (KEX) Method Updates and Recommendations for Secure Shell | |||
| draft-ietf-curdle-ssh-kex-sha2-02 | (SSH) | |||
| draft-ietf-curdle-ssh-kex-sha2-03 | ||||
| Abstract | Abstract | |||
| This document deprecates some previously specified Key Exchange | This document adds recommendations for adoption of ssh-curves from | |||
| Method algorithm names as well as defining a few added Modular | the [I-D.ietf-curdle-ssh-curves], adds some new Modular Exponential | |||
| Exponential (MODP) Groups for the Secure Shell (SSH) protocol. It | (MODP) Groups, and deprecates some previously specified Key Exchange | |||
| also updates [RFC4253], [RFC4419], [RFC4462], and [RFC5656] by | Method algorithm names for the Secure Shell (SSH) protocol. It also | |||
| specifying the set key exchange algorithms that currently exist and | updates [RFC4253], [RFC4419], [RFC4462], and [RFC5656] by specifying | |||
| which ones MUST, SHOULD, MAY, and SHOULD NOT be implemented. New key | the set key exchange algorithms that currently exist and which ones | |||
| exchange methods use the SHA-2 family of hashes. | MUST, SHOULD, MAY, and SHOULD NOT be implemented. New key exchange | |||
| methods use the SHA-2 family of hashes. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 9, 2016. | This Internet-Draft will expire on September 15, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 21 ¶ | skipping to change at page 2, line 23 ¶ | |||
| Secure Shell (SSH) is a common protocol for secure communication on | Secure Shell (SSH) is a common protocol for secure communication on | |||
| the Internet. In [RFC4253], SSH originally defined the Key Exchange | the Internet. In [RFC4253], SSH originally defined the Key Exchange | |||
| Method Name diffie-hellman-group1-sha1 which used [RFC2409] Oakley | Method Name diffie-hellman-group1-sha1 which used [RFC2409] Oakley | |||
| Group 1 (a MODP group with 768 bits) and SHA-1 [RFC3174]. Due to | Group 1 (a MODP group with 768 bits) and SHA-1 [RFC3174]. Due to | |||
| recent security concerns with SHA-1 [RFC6194] and with MODP groups | recent security concerns with SHA-1 [RFC6194] and with MODP groups | |||
| with less than 2048 bits [NIST-SP-800-131Ar1] implementer and users | with less than 2048 bits [NIST-SP-800-131Ar1] implementer and users | |||
| request support for larger MODP group sizes with data integrity | request support for larger MODP group sizes with data integrity | |||
| verification using the SHA-2 family of secure hash algorithms as well | verification using the SHA-2 family of secure hash algorithms as well | |||
| as MODP groups providing more security. | as MODP groups providing more security. | |||
| The United States Information Assurance Directorate at the National | The United States Information Assurance Directorate (IAD) at the | |||
| Security Agency has published a FAQ [MFQ-U-OO-815099-15] suggesting | National Security Agency (NSA) has published a FAQ | |||
| that the use of ECDH using the nistp256 curve and SHA-2 based hashes | [MFQ-U-OO-815099-15] suggesting that the use of Elliptic Curve | |||
| Diffie-Hellman (ECDH) using the nistp256 curve and SHA-2 based hashes | ||||
| less than SHA2-384 are no longer sufficient for transport of Top | less than SHA2-384 are no longer sufficient for transport of Top | |||
| Secret information. It is for this reason that this draft moves | Secret information. It is for this reason that this draft moves | |||
| ecdh-sha2-nistp256 from a REQUIRED to OPTIONAL as a key exchange | ecdh-sha2-nistp256 from a REQUIRED to OPTIONAL as a key exchange | |||
| method. This is the same reason that the stronger MODP groups being | method. This is the same reason that the stronger MODP groups being | |||
| introduced are using SHA2-512 as the hash algorithm. Group14 is | introduced are using SHA2-512 as the hash algorithm. Group14 is | |||
| already present in most SSH implementations and most implementations | already present in most SSH implementations and most implementations | |||
| already have a SHA2-256 implementation, so diffie-hellman- | already have a SHA2-256 implementation, so diffie-hellman- | |||
| group14-sha256 is provided as an easy to implement and faster to use | group14-sha256 is provided as an easy to implement and faster to use | |||
| key exchange for small embedded applications. | key exchange for small embedded applications. | |||
| It has been observed in [safe-curves] that the NIST recommended | It has been observed in [safe-curves] that the NIST recommended | |||
| Elliptic Curve Prime Curves (P-256, P-384, and P-521) are perhaps not | Elliptic Curve Prime Curves (P-256, P-384, and P-521) are perhaps not | |||
| the best available for Elliptic Curve Cryptography Security. For | the best available for Elliptic Curve Cryptography (ECC) Security. | |||
| this reason, none of the [RFC5656] curves are marked as a MUST | For this reason, none of the [RFC5656] curves are marked as a MUST | |||
| implement. However, the requirement that "every compliant SSH ECC | implement. However, the requirement that "every compliant SSH ECC | |||
| implementation MUST implement ECDH key exchange" is now taken to mean | implementation MUST implement ECDH key exchange" is now taken to mean | |||
| that if ecdsa-sha2-[identifier] is implemented, then ecdh- | that if ecdsa-sha2-[identifier] is implemented, then ecdh- | |||
| sha2-[identifier] MUST be implemented. | sha2-[identifier] MUST be implemented. | |||
| Please send comments on this draft to ietf-ssh@NetBSD.org. | Please send comments on this draft to curdle@ietf.org. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Key Exchange Algorithms | 3. Key Exchange Algorithms | |||
| This memo adopts the style and conventions of [RFC4253] in specifying | This memo adopts the style and conventions of [RFC4253] in specifying | |||
| how the use of new data key exchange is indicated in SSH. | how the use of new data key exchange is indicated in SSH. | |||
| A new set of Elliptic Curve Diffie-Hellman ssh-curves exist. The | ||||
| curve25519-sha256 MUST be adopted where possible. | ||||
| As a hedge against uncertainty raised by the NSA IAD FAQ publication, | ||||
| three new MODP Diffie-Hellman based key exchanges are proposed for | ||||
| inclusion in the set of key exchange method names as well as the | ||||
| curve448-sha512 curve. | ||||
| The following new key exchange algorithms are defined: | The following new key exchange algorithms are defined: | |||
| Key Exchange Method Name Note | Key Exchange Method Name Note | |||
| diffie-hellman-group14-sha256 MAY/OPTIONAL | diffie-hellman-group14-sha256 MAY/OPTIONAL | |||
| diffie-hellman-group16-sha512 SHOULD/RECOMMENDED | diffie-hellman-group16-sha512 SHOULD/RECOMMENDED | |||
| diffie-hellman-group18-sha512 MAY/OPTIONAL | diffie-hellman-group18-sha512 MAY/OPTIONAL | |||
| Figure 1 | Figure 1 | |||
| The SHA-2 family of secure hash algorithms are defined in | The SHA-2 family of secure hash algorithms are defined in | |||
| skipping to change at page 4, line 47 ¶ | skipping to change at page 5, line 4 ¶ | |||
| SHOULD NOT be used. If it is used, it should only be provided for | SHOULD NOT be used. If it is used, it should only be provided for | |||
| backwards compatibility, should not be used in new designs, and | backwards compatibility, should not be used in new designs, and | |||
| should be phased out of existing key exchanges as quickly as possible | should be phased out of existing key exchanges as quickly as possible | |||
| because of its known weaknesses. Any key exchange using SHA-1 SHOULD | because of its known weaknesses. Any key exchange using SHA-1 SHOULD | |||
| NOT be in a default key exchange list if at all possible. If they | NOT be in a default key exchange list if at all possible. If they | |||
| are needed for backward compatibility, they SHOULD be listed after | are needed for backward compatibility, they SHOULD be listed after | |||
| all of the SHA-2 based key exchanges. | all of the SHA-2 based key exchanges. | |||
| The RFC4253 REQUIRED diffie-hellman-group14-sha1 method SHOULD be | The RFC4253 REQUIRED diffie-hellman-group14-sha1 method SHOULD be | |||
| retained for compatibility with older Secure Shell implementations. | retained for compatibility with older Secure Shell implementations. | |||
| It is intended that this key exchange be phased out as soon as | It is intended that this key exchange be phased out as soon as | |||
| possible. | possible. | |||
| 5. Acknowledgements | 5. Acknowledgements | |||
| Thanks to the following people for review and comments: Denis Bider, | Thanks to the following people for review and comments: Denis Bider, | |||
| Peter Gutmann, Damien Miller, Niels Moeller, Matt Johnston, Iwamoto | Peter Gutmann, Damien Miller, Niels Moeller, Matt Johnston, Iwamoto | |||
| Kouichi, Simon Josefsson, Dave Dugal. | Kouichi, Simon Josefsson, Dave Dugal, Daniel Migault. | |||
| Thanks to the following people for code to implement interoperable | Thanks to the following people for code to implement interoperable | |||
| exchanges using some of these groups as found in an the -01 draft: | exchanges using some of these groups as found in an this draft: | |||
| Darren Tucker for OpenSSH and Matt Johnston for Dropbear. And thanks | Darren Tucker for OpenSSH and Matt Johnston for Dropbear. And thanks | |||
| to Iwamoto Kouichi for information about RLogin, Tera Term (ttssh) | to Iwamoto Kouichi for information about RLogin, Tera Term (ttssh) | |||
| and Poderosa implementations also adopting new Diffie-Hellman groups | and Poderosa implementations also adopting new Diffie-Hellman groups | |||
| based on the -01 draft. | based on this draft. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The security considerations of [RFC4253] apply to this document. | The security considerations of [RFC4253] apply to this document. | |||
| The security considerations of [RFC3526] suggest that these MODP | The security considerations of [RFC3526] suggest that these MODP | |||
| groups have security strengths given in this table. They are based | groups have security strengths given in this table. They are based | |||
| on [RFC3766] Determining Strengths For Public Keys Used For | on [RFC3766] Determining Strengths For Public Keys Used For | |||
| Exchanging Symmetric Keys. | Exchanging Symmetric Keys. | |||
| End of changes. 13 change blocks. | ||||
| 21 lines changed or deleted | 33 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||