| < draft-ietf-curdle-ssh-kex-sha2-15.txt | draft-ietf-curdle-ssh-kex-sha2-16.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force M. D. Baushke | Internet Engineering Task Force M. D. Baushke | |||
| Internet-Draft Juniper Networks, Inc. | Internet-Draft 22 April 2021 | |||
| Updates: 4250 4253 4432 4462 (if approved) 17 March 2021 | Updates: 4250 4253 4432 4462 (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 18 September 2021 | Expires: 24 October 2021 | |||
| Key Exchange (KEX) Method Updates and Recommendations for Secure Shell | Key Exchange (KEX) Method Updates and Recommendations for Secure Shell | |||
| (SSH) | (SSH) | |||
| draft-ietf-curdle-ssh-kex-sha2-15 | draft-ietf-curdle-ssh-kex-sha2-16 | |||
| Abstract | Abstract | |||
| This document is intended to update the recommended set of key | This document is intended to update the recommended set of key | |||
| exchange methods for use in the Secure Shell (SSH) protocol to meet | exchange methods for use in the Secure Shell (SSH) protocol to meet | |||
| evolving needs for stronger security. This document updates RFC | evolving needs for stronger security. This document updates RFC | |||
| 4250, RFC 4253, RFC 4432, and RFC 4462. | 4250, RFC 4253, RFC 4432, and RFC 4462. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 18 September 2021. | This Internet-Draft will expire on 24 October 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 11, line 35 ¶ | skipping to change at page 11, line 35 ¶ | |||
| Table 8: ECDH Implementation Guidance | Table 8: ECDH Implementation Guidance | |||
| It is advisable to match the ECDSA and ECDH algorithms to use the | It is advisable to match the ECDSA and ECDH algorithms to use the | |||
| same curve for both to maintain the same security strength in the | same curve for both to maintain the same security strength in the | |||
| connection. | connection. | |||
| 3.2. Finite Field Cryptography (FFC) | 3.2. Finite Field Cryptography (FFC) | |||
| 3.2.1. FFC diffie-hellman using generated MODP groups | 3.2.1. FFC diffie-hellman using generated MODP groups | |||
| This random selection from a set of pre-generated moduli for key | [RFC4419] defines two key exchange methods that use a random | |||
| exchange uses SHA2-256 as defined in [RFC4419]. [RFC8270] mandates | selection from a set of pre-generated moduli for key exchange: the | |||
| that implementations avoid any MODP group whose modulus size is less | diffie-hellman-group-exchange-sha1 method, and the diffie-hellman- | |||
| than 2048 bits. Care should be taken in the pre-generation of the | group-exchange-sha256 method. Per [RFC8270], implementations SHOULD | |||
| moduli P and generator G such that the generator provides a Q-ordered | use a MODP group whose modulus size is equal to or greater than 2048 | |||
| subgroup of P. Otherwise, the parameter set may leak one bit of the | bits. MODP groups with a modulus size less than 2048 bits are weak | |||
| shared secret. The diffie-hellman-group-exchange-sha1 uses SHA-1 | and MUST NOT be used. | |||
| which is being deprecated. This key exchange SHOULD NOT be used. | ||||
| The diffie-hellman-group-exchange-sha256 uses SHA2-256 which is | The diffie-hellman-group-exchange-sha1 key exchange method SHOULD NOT | |||
| reasonable for MODP groups less than 4K bits. The diffie-hellman- | be used. This method uses SHA-1, which is being deprecated. | |||
| group-exchange-sha256 key exchange MAY be used. | ||||
| The diffie-hellman-group-exchange-sha256 key exchange method MAY be | ||||
| used. This method uses SHA-256, which is reasonable for MODP groups | ||||
| less than 4K bits. | ||||
| Care should be taken in the pre-generation of the moduli P and | ||||
| generator G such that the generator provides a Q-ordered subgroup of | ||||
| P. Otherwise, the parameter set may leak one bit of the shared | ||||
| secret. | ||||
| Table 9 provides a summary of the Guidance for these exchanges. | Table 9 provides a summary of the Guidance for these exchanges. | |||
| +======================================+============+ | +======================================+============+ | |||
| | Key Exchange Method Name | Guidance | | | Key Exchange Method Name | Guidance | | |||
| +======================================+============+ | +======================================+============+ | |||
| | diffie-hellman-group-exchange-sha1 | SHOULD NOT | | | diffie-hellman-group-exchange-sha1 | SHOULD NOT | | |||
| +--------------------------------------+------------+ | +--------------------------------------+------------+ | |||
| | diffie-hellman-group-exchange-sha256 | MAY | | | diffie-hellman-group-exchange-sha256 | MAY | | |||
| +--------------------------------------+------------+ | +--------------------------------------+------------+ | |||
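Review bot: in the rewritten opening of 3.2.1 (right column, first paragraph) the two requirement levels conflict: the first sentence says implementations SHOULD use a MODP group of 2048 bits or more, and the next sentence says groups under 2048 bits MUST NOT be used. If the MUST NOT stands, the SHOULD is really a MUST; either change it to "implementations MUST use a MODP group whose modulus size is equal to or greater than 2048 bits" or drop the MUST NOT sentence, and confirm that whichever level is kept matches the text of [RFC8270], since the old left-column wording characterised RFC 8270 as mandating avoidance of sub-2048-bit groups. Two smaller points in the same region: "less than 4K bits" should be "less than 4096 bits" to match the "2048 bits" unit used two paragraphs earlier, and the paragraph on pre-generating P and G would be more actionable if it said the moduli should be safe primes (P = 2Q + 1 with Q prime) and G a generator of the order-Q subgroup, since that is what makes the "Q-ordered subgroup" property easy to produce and to verify, and it is the case the one-bit leak warning is about.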
| skipping to change at page 18, line 18 ¶ | skipping to change at page 18, line 18 ¶ | |||
| rsa1024-sha1 or rsa2048-sha256 key exchanges. | rsa1024-sha1 or rsa2048-sha256 key exchanges. | |||
| It is desirable to deprecate or disallow key exchange methods that | It is desirable to deprecate or disallow key exchange methods that | |||
| are considered weak so they are not in still actively in operation | are considered weak so they are not in still actively in operation | |||
| when they are broken. | when they are broken. | |||
| A key exchange method is considered weak when the security strength | A key exchange method is considered weak when the security strength | |||
| is insufficient to match the symmetric cipher or the algorithm has | is insufficient to match the symmetric cipher or the algorithm has | |||
| been broken. | been broken. | |||
| At this time, the 1024-bit MODP group used by diffie-hellman- | The 1024-bit MODP group used by diffie-hellman-group1-sha1 is too | |||
| group1-sha1 is too small for the symmetric ciphers used in SSH. | small for the symmetric ciphers used in SSH. | |||
| MODP groups with a modulus size less than 2048 bits are too small for | ||||
| the symmetric ciphers used in SSH. If the diffie-hellman-group- | ||||
| exchange-sha256 or diffie-hellman-group-exchange-sha1 key exchange | ||||
| method is used, the modulus size of the MODP group used needs to be | ||||
| at least 2048 bits. | ||||
| At this time, the rsa1024-sha1 key exchange is too small for the | At this time, the rsa1024-sha1 key exchange is too small for the | |||
| symmetric ciphers used in SSH. | symmetric ciphers used in SSH. | |||
| The use of SHA-1 for use with any key exchange may not yet be | The use of SHA-1 for use with any key exchange may not yet be | |||
| completely broken, but it is time to retire all uses of this | completely broken, but it is time to retire all uses of this | |||
| algorithm as soon as possible. | algorithm as soon as possible. | |||
| The diffie-hellman-group14-sha1 algorithm is not yet completely | The diffie-hellman-group14-sha1 algorithm is not yet completely | |||
| deprecated. This is to provide a practical transition from the MTI | deprecated. This is to provide a practical transition from the MTI | |||
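Review bot: the new Security Considerations paragraph (right column, "MODP groups with a modulus size less than 2048 bits are too small ... needs to be at least 2048 bits") states a requirement without RFC 2119 language, while Section 3.2.1 says such groups MUST NOT be used; write "MUST be at least 2048 bits" here so the two sections carry the same level. Also, the unchanged sentence "so they are not in still actively in operation when they are broken" has a stray "in" and should read "so they are not still actively in operation when they are broken".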
| skipping to change at page 19, line 39 ¶ | skipping to change at page 19, line 44 ¶ | |||
| (SSH) Protocol", RFC 8308, DOI 10.17487/RFC8308, March | (SSH) Protocol", RFC 8308, DOI 10.17487/RFC8308, March | |||
| 2018, <https://www.rfc-editor.org/info/rfc8308>. | 2018, <https://www.rfc-editor.org/info/rfc8308>. | |||
| [RFC8731] Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure | [RFC8731] Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure | |||
| Shell (SSH) Key Exchange Method Using Curve25519 and | Shell (SSH) Key Exchange Method Using Curve25519 and | |||
| Curve448", RFC 8731, DOI 10.17487/RFC8731, February 2020, | Curve448", RFC 8731, DOI 10.17487/RFC8731, February 2020, | |||
| <https://www.rfc-editor.org/info/rfc8731>. | <https://www.rfc-editor.org/info/rfc8731>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [IANA-KEX] Internet Assigned Numbers Authority (IANA), "Secure Shell | [IANA-KEX] IANA, "Secure Shell (SSH) Protocol Parameters: Key | |||
| (SSH) Protocol Parameters: Key Exchange Method Names", | Exchange Method Names", April 2021, | |||
| December 2020, <http://www.iana.org/assignments/ssh- | <http://www.iana.org/assignments/ssh-parameters/ssh- | |||
| parameters/ssh-parameters.xhtml#ssh-parameters-16>. | parameters.xhtml#ssh-parameters-16>. | |||
| [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |||
| Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | |||
| RFC 3526, DOI 10.17487/RFC3526, May 2003, | RFC 3526, DOI 10.17487/RFC3526, May 2003, | |||
| <https://www.rfc-editor.org/info/rfc3526>. | <https://www.rfc-editor.org/info/rfc3526>. | |||
| [RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, | Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, | |||
| January 2006, <https://www.rfc-editor.org/info/rfc4251>. | January 2006, <https://www.rfc-editor.org/info/rfc4251>. | |||
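Review bot: the [IANA-KEX] entry is being edited (publisher shortened to IANA, date moved to April 2021) but still links to http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16 in both columns; since this is the registry the document's method names are checked against, point it at https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16 so it is fetched over TLS like the rfc-editor.org references around it.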
| skipping to change at page 21, line 8 ¶ | skipping to change at page 21, line 11 ¶ | |||
| Bhargavan, K. and G. Leurent, "Transcript Collision | Bhargavan, K. and G. Leurent, "Transcript Collision | |||
| Attacks: Breaking Authentication in TLS, IKE, and SSH", | Attacks: Breaking Authentication in TLS, IKE, and SSH", | |||
| Network and Distributed System Security Symposium - NDSS | Network and Distributed System Security Symposium - NDSS | |||
| 2016, Feb 2016, San Diego, United | 2016, Feb 2016, San Diego, United | |||
| States. 10.14722/ndss.2016.23418 . hal-01244855, | States. 10.14722/ndss.2016.23418 . hal-01244855, | |||
| <https://hal.inria.fr/hal-01244855/document>. | <https://hal.inria.fr/hal-01244855/document>. | |||
| Author's Address | Author's Address | |||
| Mark D. Baushke | Mark D. Baushke | |||
| Juniper Networks, Inc. | ||||
| Email: mdb@juniper.net | Email: mbaushke+ietf@gmail.com | |||
| End of changes. 9 change blocks. | ||||
| 23 lines changed or deleted | 36 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||