| < draft-ietf-curdle-ssh-kex-sha2-18.txt | draft-ietf-curdle-ssh-kex-sha2-19.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force M. D. Baushke | Internet Engineering Task Force M. D. Baushke | |||
| Internet-Draft 16 June 2021 | Internet-Draft 25 June 2021 | |||
| Updates: 4250 4253 4432 4462 (if approved) | Updates: 4250 4253 4432 4462 (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 18 December 2021 | Expires: 27 December 2021 | |||
| Key Exchange (KEX) Method Updates and Recommendations for Secure Shell | Key Exchange (KEX) Method Updates and Recommendations for Secure Shell | |||
| (SSH) | (SSH) | |||
| draft-ietf-curdle-ssh-kex-sha2-18 | draft-ietf-curdle-ssh-kex-sha2-19 | |||
| Abstract | Abstract | |||
| This document is intended to update the recommended set of key | This document is intended to update the recommended set of key | |||
| exchange methods for use in the Secure Shell (SSH) protocol to meet | exchange methods for use in the Secure Shell (SSH) protocol to meet | |||
| evolving needs for stronger security. This document updates RFC | evolving needs for stronger security. This document updates RFC | |||
| 4250, RFC 4253, RFC 4432, and RFC 4462. | 4250, RFC 4253, RFC 4432, and RFC 4462. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 18 December 2021. | This Internet-Draft will expire on 27 December 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 9, line 39 ¶ | skipping to change at page 9, line 39 ¶ | |||
| +--------------------------+----------+ | +--------------------------+----------+ | |||
| Table 6: Curve25519 Implementation | Table 6: Curve25519 Implementation | |||
| Guidance | Guidance | |||
| 3.1.2. curve448-sha512 and gss-curve448-sha512-* | 3.1.2. curve448-sha512 and gss-curve448-sha512-* | |||
| Curve448 provides more security strength than Curve25519 at a higher | Curve448 provides more security strength than Curve25519 at a higher | |||
| computational and bandwidth cost. The corresponding key exchange | computational and bandwidth cost. The corresponding key exchange | |||
| methods use SHA2-512 (also known as SHA-512) defined in [RFC6234]. | methods use SHA2-512 (also known as SHA-512) defined in [RFC6234]. | |||
| SHA2-512 is reasonable hash in both the KDF and integrity in both gss | SHA2-512 is a reasonable hash in both the KDF and integrity in both | |||
| and non-gss uses of curve448 key exchange methods. These key | gss and non-gss uses of curve448 key exchange methods. These key | |||
| exchange methods are described in [RFC8731] and [RFC8732] and are | exchange methods are described in [RFC8731] and [RFC8732] and are | |||
| similar to the IKEv2 key agreement described in [RFC8031]. The | similar to the IKEv2 key agreement described in [RFC8031]. The | |||
| curve448-sha512 key exchange method MAY be implemented. The gss- | curve448-sha512 key exchange method MAY be implemented. The gss- | |||
| curve448-sha512-* key exchange method MAY also be implemented because | curve448-sha512-* key exchange method MAY also be implemented because | |||
| it shares the same performance and security characteristics as | it shares the same performance and security characteristics as | |||
| curve448-sha512. | curve448-sha512. | |||
| Table 7 contains a summary of the recommendations for curve448 based | Table 7 contains a summary of the recommendations for curve448 based | |||
| key exchanges. | key exchanges. | |||
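Review bot: in Section 3.1.2 the corrected sentence still stacks two "both" constructions ("in both the KDF and integrity in both gss and non-gss uses"), which makes it hard to parse. Suggest "SHA2-512 is a reasonable hash for the KDF and integrity in both gss and non-gss uses of curve448 key exchange methods". The unchanged "curve448 based key exchanges" in the Table 7 sentence also wants a hyphen ("curve448-based").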
| skipping to change at page 12, line 31 ¶ | skipping to change at page 12, line 31 ¶ | |||
| Guidance | Guidance | |||
| 3.2.2. FFC diffie-hellman using named MODP groups | 3.2.2. FFC diffie-hellman using named MODP groups | |||
| The diffie-hellman-group14-sha256 key exchange method is defined in | The diffie-hellman-group14-sha256 key exchange method is defined in | |||
| [RFC8268] and represents a key exchange which has approximately 112 | [RFC8268] and represents a key exchange which has approximately 112 | |||
| bits of security strength that matches 3des-cbc symmetric cipher | bits of security strength that matches 3des-cbc symmetric cipher | |||
| security strength. It is a reasonably simple transition from SHA-1 | security strength. It is a reasonably simple transition from SHA-1 | |||
| to SHA-2 and given that diffie-hellman-group14-sha1 and diffie- | to SHA-2 and given that diffie-hellman-group14-sha1 and diffie- | |||
| hellman-group14-sha256 share a MODP group and only differ in the hash | hellman-group14-sha256 share a MODP group and only differ in the hash | |||
| function used for the KDF and integrity. Given that diffie-hellman- | function used for the KDF and integrity, it is a correspondingly | |||
| group14-sha1 is being removed from MTI status, the diffie-hellman- | simple transition from implementing diffie-hellman-group14-sha1 to | |||
| group14-sha256 method MUST be implemented. The rest of the FFC MODP | implementing diffie-hellman-group14-sha256. Given that diffie- | |||
| group from [RFC8268] have a larger number of security bits and are | hellman-group14-sha1 is being removed from MTI status, the diffie- | |||
| suitable for symmetric ciphers that also have a similar number of | hellman-group14-sha256 method MUST be implemented. The rest of the | |||
| security bits. | FFC MODP group from [RFC8268] have a larger number of security bits | |||
| and are suitable for symmetric ciphers that also have a similar | ||||
| number of security bits. | ||||
| Table 10 below provides explicit guidance by name. | Table 10 below provides explicit guidance by name. | |||
| +===============================+==========+ | +===============================+==========+ | |||
| | Key Exchange Method Name | Guidance | | | Key Exchange Method Name | Guidance | | |||
| +===============================+==========+ | +===============================+==========+ | |||
| | diffie-hellman-group14-sha256 | MUST | | | diffie-hellman-group14-sha256 | MUST | | |||
| +-------------------------------+----------+ | +-------------------------------+----------+ | |||
| | gss-group14-sha256-* | SHOULD | | | gss-group14-sha256-* | SHOULD | | |||
| +-------------------------------+----------+ | +-------------------------------+----------+ | |||
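Review bot: in Section 3.2.2 the repaired sentence now says "simple transition" twice ("It is a reasonably simple transition from SHA-1 to SHA-2 and given that ..., it is a correspondingly simple transition from implementing ...") and reads as a run-on. Suggest ending the first sentence after "SHA-2" and starting the next at "Given that diffie-hellman-group14-sha1 and diffie-hellman-group14-sha256 share a MODP group". The unchanged "The rest of the FFC MODP group from [RFC8268] have" should read "groups" to agree with "have".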
| skipping to change at page 16, line 50 ¶ | skipping to change at page 16, line 50 ¶ | |||
| | gss-group1-sha1-* | RFC4462/ | SHOULD NOT | SHOULD | | | gss-group1-sha1-* | RFC4462/ | SHOULD NOT | SHOULD | | |||
| | | RFC8732 | | NOT | | | | RFC8732 | | NOT | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group14-sha1-* | RFC4462/ | SHOULD NOT | SHOULD | | | gss-group14-sha1-* | RFC4462/ | SHOULD NOT | SHOULD | | |||
| | | RFC8732 | | NOT | | | | RFC8732 | | NOT | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group14-sha256-* | RFC8732 | SHOULD | SHOULD | | | gss-group14-sha256-* | RFC8732 | SHOULD | SHOULD | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group15-sha512-* | RFC8732 | MAY | MAY | | | gss-group15-sha512-* | RFC8732 | MAY | MAY | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group16-sha512-* | RFC8732 | SHOULD | SHOULD | | | gss-group16-sha512-* | RFC8732 | SHOULD | MAY | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group17-sha512-* | RFC8732 | MAY | MAY | | | gss-group17-sha512-* | RFC8732 | MAY | MAY | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-group18-sha512-* | RFC8732 | MAY | MAY | | | gss-group18-sha512-* | RFC8732 | MAY | MAY | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-nistp256-sha256-* | RFC8732 | SHOULD | SHOULD | | | gss-nistp256-sha256-* | RFC8732 | SHOULD | SHOULD | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-nistp384-sha384-* | RFC8732 | MAY | SHOULD | | | gss-nistp384-sha384-* | RFC8732 | MAY | SHOULD | | |||
| +--------------------------+-----------+----------------+-----------+ | +--------------------------+-----------+----------------+-----------+ | |||
| | gss-nistp521-sha512-* | RFC8732 | MAY | SHOULD | | | gss-nistp521-sha512-* | RFC8732 | MAY | SHOULD | | |||
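Review bot: the gss-group16-sha512-* row drops from SHOULD to MAY in the last column while its third column stays SHOULD, and none of the change blocks visible in this diff touches prose that explains the downgrade. Suggest adding a sentence of rationale in the section that covers the gss MODP group methods, and confirming that the per-section guidance table carries the same value, so that the summary table and the section text cannot disagree.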
| End of changes. 7 change blocks. | ||||
| 13 lines changed or deleted | 15 lines changed or added | |||