idnits 2.17.1 draft-ietf-curdle-gss-keyex-sha2-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4462, but the abstract doesn't seem to directly say this. It does mention RFC4462 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 262 has weird spacing: '... string out...' == Line 268 has weird spacing: '... string ser...' == Line 273 has weird spacing: '... string out...' == Line 281 has weird spacing: '... string out...' == Line 287 has weird spacing: '... string mic...' == (2 more instances...) (Using the creation date from RFC4462, updated by this document, for RFC5378 checks: 2001-01-18) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Nov 6, 2018) is 1998 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-curdle-ssh-curves-07 ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Downref: Normative reference to an Informational RFC: RFC 7546 ** Downref: Normative reference to an Informational RFC: RFC 7748 -- Possible downref: Non-RFC (?) normative reference: ref. 'SEC1v2' -- Possible downref: Non-RFC (?) normative reference: ref. 'SEC2v2' Summary: 3 errors (**), 0 flaws (~~), 8 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force S. Sorce 3 Internet-Draft H. Kario 4 Updates: 4462 (if approved) Red Hat, Inc. 5 Intended status: Standards Track Nov 6, 2018 6 Expires: May 10, 2019 8 GSS-API Key Exchange with SHA2 9 draft-ietf-curdle-gss-keyex-sha2-07 11 Abstract 13 This document specifies additions and amendments to RFC4462. It 14 defines a new key exchange method that uses SHA-2 for integrity and 15 deprecates weak DH groups. The purpose of this specification is to 16 modernize the cryptographic primitives used by GSS Key Exchanges. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on May 10, 2019. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2 54 3. Document Conventions . . . . . . . . . . . . . . . . . . . . 2 55 4. New Diffie-Hellman Key Exchange methods . . . . . . . . . . . 3 56 5. New Elliptic Curve Diffie-Hellman Key Exchange methods . . . 4 57 5.1. Generic GSS-API Key Exchange with ECDH . . . . . . . . . 4 58 5.2. ECDH Key Exchange Methods . . . . . . . . . . . . . . . . 8 59 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 60 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 61 7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 9 62 7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 10 63 7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 10 64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 66 8.2. Informative References . . . . . . . . . . . . . . . . . 11 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 69 1. Introduction 71 SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for 72 authentication and key exchange in SSH. It defines three exchange 73 methods all based on DH groups and SHA-1. This document updates 74 RFC4462 with new methods intended to support environments that desire 75 to use the SHA-2 cryptographic hash functions. 77 2. Rationale 79 Due to security concerns with SHA-1 [RFC6194] and with MODP groups 80 with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of 81 the SHA-2 [RFC6234] based hashes with DH group14, group15, group16, 82 group17 and group18 [RFC3526]. Additionally we add support for key 83 exchange based on Elliptic Curve Diffie Hellman with the NIST P-256, 84 P-384 and P-521 as well as the X25519 and X448 curves. Following the 85 rationale of [RFC8268] only SHA-256 and SHA-512 hashes are used for 86 DH groups. For NIST curves the same curve-to-hashing algorithm 87 pairing used in [RFC5656] is adopted for consistency. 89 3. Document Conventions 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 93 document are to be interpreted as described in RFC 2119 [RFC2119]. 95 4. New Diffie-Hellman Key Exchange methods 97 This document adopts the same naming convention defined in [RFC4462] 98 to define families of methods that cover any GSS-API mechanism used 99 with a specific Diffie-Hellman group and SHA-2 Hash combination. 101 The following new key exchange algorithms are defined: 103 +--------------------------+--------------------------------+ 104 | Key Exchange Method Name | Implementation Recommendations | 105 +--------------------------+--------------------------------+ 106 | gss-group14-sha256-* | SHOULD/RECOMMENDED | 107 | gss-group15-sha512-* | MAY/OPTIONAL | 108 | gss-group16-sha512-* | SHOULD/RECOMMENDED | 109 | gss-group17-sha512-* | MAY/OPTIONAL | 110 | gss-group18-sha512-* | MAY/OPTIONAL | 111 +--------------------------+--------------------------------+ 113 Each key exchange method is implicitly registered by this document. 114 The IESG is considered to be the owner of all these key exchange 115 methods; this does NOT imply that the IESG is considered to be the 116 owner of the underlying GSS-API mechanism. 118 Each method in any family of methods specifies GSS-API-authenticated 119 Diffie-Hellman key exchanges as described in Section 2.1 of 120 [RFC4462]. The method name for each method is the concatenation of 121 the family method name with the Base64 encoding of the MD5 hash 122 [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the 123 underlying GSS-API mechanism's OID. Base64 encoding is described in 124 Section 6.8 of [RFC2045]. 126 Family method refences 128 +---------------------+-------------+-------------+-----------------+ 129 | Family Name prefix | Hash | Group | Reference | 130 | | Function | | | 131 +---------------------+-------------+-------------+-----------------+ 132 | gss-group14-sha256- | SHA-256 | 2048-bit | Section 3 of | 133 | | | MODP | [RFC3526] | 134 | gss-group15-sha512- | SHA-512 | 3072-bit | Section 4 of | 135 | | | MODP | [RFC3526] | 136 | gss-group16-sha512- | SHA-512 | 4096-bit | Section 5 of | 137 | | | MODP | [RFC3526] | 138 | gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of | 139 | | | MODP | [RFC3526] | 140 | gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of | 141 | | | MODP | [RFC3526] | 142 +---------------------+-------------+-------------+-----------------+ 144 5. New Elliptic Curve Diffie-Hellman Key Exchange methods 146 In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve 147 Cryptography are introduced. We reuse much of section 4 to define 148 GSS-API-authenticated ECDH Key Exchanges. 150 Additionally we utilize also the curves defined in 151 [I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined 152 curves required by [RFC5656]. 154 5.1. Generic GSS-API Key Exchange with ECDH 156 This section reuses much of the scheme defined in Section 2.1 of 157 [RFC4462] and combines it with the scheme defined in Section 4 of 158 [RFC5656]; in particular, all checks and verification steps 159 prescribed in Section 4 of [RFC5656] apply here as well. 161 For curve25519 and curve448 related computations see Section 6 of 162 [RFC7748]; implementations MUST check whether the computed Diffie- 163 Hellman shared secret is the all-zero value and abort if so. 165 This section defers to [RFC7546] as the source of information on GSS- 166 API context establishment operations, Section 3 being the most 167 relevant. All Security Considerations described in [RFC7546] apply 168 here too. 170 The parties generate each an ephemeral key pair, according to 171 Section 3.2.1 of [SEC1v2]. Keys are verified upon receipt by the 172 parties according to Section 3.2.3.1 of [SEC1v2]. 174 For NIST Curves keys use uncompressed point representation and must 175 be converted using the algorithm in Section 2.3.4 of [SEC1v2]. If 176 the conversion fails or the point is trasmitted using compressed 177 representation, the key exchange MUST fail. 179 A GSS Context is established according to Section 4 of [RFC5656]; The 180 client initiates the establishment using GSS_Init_sec_context() and 181 the server completes it using GSS_Accept_sec_context(). For the 182 negotiation, the client MUST set mutual_req_flag and integ_req_flag 183 to "true". In addition, deleg_req_flag MAY be set to "true" to 184 request access delegation, if requested by the user. Since the key 185 exchange process authenticates only the host, the setting of 186 anon_req_flag is immaterial to this process. If the client does not 187 support the "gssapi-keyex" user authentication method described in 188 Section 4 of [RFC4462], or does not intend to use that method in 189 conjunction with the GSS-API context established during key exchange, 190 then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY 191 be set to true if the client wishes to hide its identity. This key 192 exchange process will exchange only a single token once the context 193 has been established, therefore the replay_det_req_flag and 194 sequence_req_flag SHOULD be set to "false". 196 The client MUST include its public key with the first message it 197 sends to the server during this process; if the server receives more 198 than one key or none at all, the key exchange MUST fail. 200 During GSS Context estalishment multiple tokens may be exchanged by 201 the client and the server. When the GSS Context is established 202 (major_status is GSS_S_COMPLETE) the parties check that mutual_state 203 and integ_avail are both "true". If not the key exchange MUST fail. 205 Once a party receives the peer's public key it proceeds to compute a 206 shared secret K. For NIST Curves the computation is done according 207 to Section 3.3.1 of [SEC1v2] and the resulting value z is converted 208 to the octet string K using the conversion defined in Section 2.3.5 209 of [SEC1v2]. For curve25519 and curve448 the algorithm in Section 6 210 of [RFC7748] is used instead. 212 To verify the integrity of the handshake, peers use the Hash Function 213 defined by the selected Key Exchange method to calculate H: 215 H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). 217 The GSS_GetMIC() call is used by the server with H as the payload and 218 generates a MIC. The GSS_VerifyMIC() call is used by the client to 219 verify the MIC. 221 If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a 222 major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or 223 any other GSS-API call returns a major_status other than 224 GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations 225 expressed in Section 2.1 of [RFC4462] are followed with regards to 226 error reporting. 228 The following is an overview of the key exchange process: 230 Client Server 231 ------ ------ 232 Generate ephemeral key pair. 233 Calls GSS_Init_sec_context(). 234 SSH_MSG_KEXGSS_INIT ---------------> 236 Verify received key is valid. 237 (Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY 239 (Loop) 240 | Calls GSS_Accept_sec_context(). 241 | <------------ SSH_MSG_KEXGSS_CONTINUE 242 | Calls GSS_Init_sec_context(). 243 | SSH_MSG_KEXGSS_CONTINUE ------------> 245 Calls GSS_Accept_sec_context(). 246 Generate ephemeral key pair. 247 Compute shared secret. 248 Computes hash H. 249 Calls GSS_GetMIC( H ) = MIC. 250 <------------ SSH_MSG_KEXGSS_COMPLETE 252 Verify received key is valid. 253 Compute shared secret. 254 Compute hash = H 255 Calls GSS_VerifyMIC( MIC, H ) 257 This is implemented with the following messages: 259 The client sends: 261 byte SSH_MSG_KEXGSS_INIT 262 string output_token (from GSS_Init_sec_context()) 263 string Q_C, client's ephemeral public key octet string 265 The server may responds with: 267 byte SSH_MSG_KEXGSS_HOSTKEY 268 string server public host key and certificates (K_S) 270 The server sends: 272 byte SSH_MSG_KEXGSS_CONTINUE 273 string output_token (from GSS_Accept_sec_context()) 275 Each time the client receives the message described above, it makes 276 another call to GSS_Init_sec_context(). 278 The client sends: 280 byte SSH_MSG_KEXGSS_CONTINUE 281 string output_token (from GSS_Init_sec_context()) 283 As the final message the server sends either: 285 byte SSH_MSG_KEXGSS_COMPLETE 286 string Q_S, server's ephemeral public key octet string 287 string mic_token (MIC of H) 288 boolean TRUE 289 string output_token (from GSS_Accept_sec_context()) 291 Or the following if no output_token is available: 293 byte SSH_MSG_KEXGSS_COMPLETE 294 string Q_S, server's ephemeral public key octet string 295 string mic_token (MIC of H) 296 boolean FALSE 298 The hash H is computed as the HASH hash of the concatenation of the 299 following: 301 string V_C, the client's version string (CR, NL excluded) 302 string V_S, server's version string (CR, NL excluded) 303 string I_C, payload of the client's SSH_MSG_KEXINIT 304 string I_S, payload of the server's SSH_MSG_KEXINIT 305 string K_S, server's public host key 306 string Q_C, client's ephemeral public key octet string 307 string Q_S, server's ephemeral public key octet string 308 mpint K, shared secret 310 This value is called the exchange hash, and it is used to 311 authenticate the key exchange. The exchange hash SHOULD be kept 312 secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the 313 server or received by the client, then the empty string is used in 314 place of K_S when computing the exchange hash. 316 Since this key exchange method does not require the host key to be 317 used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY 318 message is OPTIONAL. If the "null" host key algorithm described in 319 Section 5 of [RFC4462] is used, this message MUST NOT be sent. 321 If the client receives a SSH_MSG_KEXGSS_CONTINUE message after a call 322 to GSS_Init_sec_context() has returned a major_status code of 323 GSS_S_COMPLETE, a protocol error has occurred and the key exchange 324 MUST fail. 326 If the client receives a SSH_MSG_KEXGSS_COMPLETE message and a call 327 to GSS_Init_sec_context() does not result in a major_status code of 328 GSS_S_COMPLETE, a protocol error has occurred and the key exchange 329 MUST fail. 331 5.2. ECDH Key Exchange Methods 333 The following new key exchange methods are defined: 335 +--------------------------+--------------------------------+ 336 | Key Exchange Method Name | Implementation Recommendations | 337 +--------------------------+--------------------------------+ 338 | gss-nistp256-sha256-* | SHOULD/RECOMMENDED | 339 | gss-nistp384-sha384-* | MAY/OPTIONAL | 340 | gss-nistp521-sha512-* | MAY/OPTIONAL | 341 | gss-curve25519-sha256-* | SHOULD/RECOMMENDED | 342 | gss-curve448-sha512-* | MAY/OPTIONAL | 343 +--------------------------+--------------------------------+ 345 Each key exchange method is implicitly registered by this document. 346 The IESG is considered to be the owner of all these key exchange 347 methods; this does NOT imply that the IESG is considered to be the 348 owner of the underlying GSS-API mechanism. 350 Each method in any family of methods specifies GSS-API-authenticated 351 Elliptic Curve Diffie-Hellman key exchanges as described in 352 Section 5.1. The method name for each method is the concatenation of 353 the family method name with the Base64 encoding of the MD5 hash 354 [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the 355 underlying GSS-API mechanism's OID. Base64 encoding is described in 356 Section 6.8 of [RFC2045]. 358 Family method refences 360 +------------------------+----------+---------------+---------------+ 361 | Family Name prefix | Hash | Parameters / | Definition | 362 | | Function | Function Name | | 363 +------------------------+----------+---------------+---------------+ 364 | gss-nistp256-sha256- | SHA-256 | secp256r1 | Section 2.4.2 | 365 | | | | of [SEC2v2] | 366 | gss-nistp384-sha384- | SHA-384 | secp384r1 | Section 2.5.1 | 367 | | | | of [SEC2v2] | 368 | gss-nistp521-sha512- | SHA-512 | secp521r1 | Section 2.6.1 | 369 | | | | of [SEC2v2] | 370 | gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 of | 371 | | | | [RFC7748] | 372 | gss-curve448-sha512- | SHA-512 | X448 | Section 5 of | 373 | | | | [RFC7748] | 374 +------------------------+----------+---------------+---------------+ 376 6. IANA Considerations 378 This document augments the SSH Key Exchange Method Names in 379 [RFC4462]. 381 IANA is requested to update the SSH Protocol Parameters 382 [IANA-KEX-NAMES] registry with the following entries: 384 +--------------------------+------------+------------------------+ 385 | Key Exchange Method Name | Reference | Implementation Support | 386 +--------------------------+------------+------------------------+ 387 | gss-group14-sha256-* | This draft | SHOULD | 388 | gss-group15-sha512-* | This draft | MAY | 389 | gss-group16-sha512-* | This draft | SHOULD | 390 | gss-group17-sha512-* | This draft | MAY | 391 | gss-group18-sha512-* | This draft | MAY | 392 | gss-nistp256-sha256-* | This draft | SHOULD | 393 | gss-nistp384-sha384-* | This draft | MAY | 394 | gss-nistp521-sha512-* | This draft | MAY | 395 | gss-curve25519-sha256-* | This draft | SHOULD | 396 | gss-curve448-sha512-* | This draft | MAY | 397 +--------------------------+------------+------------------------+ 399 7. Security Considerations 401 7.1. New Finite Field DH mechanisms 403 Except for the use of a different secure hash function and larger DH 404 groups, no significant changes has been made to the protocol 405 described by [RFC4462]; therefore all the original Security 406 Considerations apply. 408 7.2. New Elliptic Curve DH mechanisms 410 Although a new cryptographic primitive is used with these methods the 411 actual key exchange closely follows the key exchange defined in 412 [RFC5656]; therefore all the original Security Considerations as well 413 as those expressed in [RFC5656] apply. 415 7.3. GSSAPI Delegation 417 Some GSSAPI mechanisms can optionally delegate credentials to the 418 target host by setting the deleg_ret_flag. In this case extra care 419 must be taken to ensure that the acceptor being authenticated matches 420 the target the user intended. Some mechanisms implementations (like 421 commonly used krb5 libraries) may use insecure DNS resolution to 422 canonicalize the target name; in these cases spoofing a DNS response 423 that points to an attacker-controlled machine may results in the user 424 silently delegating credentials to the attacker, who can then 425 impersonate the user at will. 427 8. References 429 8.1. Normative References 431 [I-D.ietf-curdle-ssh-curves] 432 Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure 433 Shell (SSH) Key Exchange Method using Curve25519 and 434 Curve448", draft-ietf-curdle-ssh-curves-07 (work in 435 progress), January 2018. 437 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 438 DOI 10.17487/RFC1321, April 1992, 439 . 441 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 442 Extensions (MIME) Part One: Format of Internet Message 443 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 444 . 446 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 447 Requirement Levels", BCP 14, RFC 2119, 448 DOI 10.17487/RFC2119, March 1997, 449 . 451 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 452 Diffie-Hellman groups for Internet Key Exchange (IKE)", 453 RFC 3526, DOI 10.17487/RFC3526, May 2003, 454 . 456 [RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, 457 "Generic Security Service Application Program Interface 458 (GSS-API) Authentication and Key Exchange for the Secure 459 Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May 460 2006, . 462 [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm 463 Integration in the Secure Shell Transport Layer", 464 RFC 5656, DOI 10.17487/RFC5656, December 2009, 465 . 467 [RFC7546] Kaduk, B., "Structure of the Generic Security Service 468 (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, 469 May 2015, . 471 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 472 for Security", RFC 7748, DOI 10.17487/RFC7748, January 473 2016, . 475 [SEC1v2] Certicom Research, "SEC 1: Elliptic Curve Cryptography", 476 Standards for Efficient Cryptography SEC 1, Version 2.0, 477 2009. 479 [SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve 480 Domain Parameters", Standards for Efficient 481 Cryptography SEC 2, Version 2.0, 2010. 483 8.2. Informative References 485 [IANA-KEX-NAMES] 486 Internet Assigned Numbers Authority, "Secure Shell (SSH) 487 Protocol Parameters: Key Exchange Method Names", June 488 2005, . 491 [ISO-IEC-8825-1] 492 International Organization for Standardization / 493 International Electrotechnical Commission, "ASN.1 encoding 494 rules: Specification of Basic Encoding Rules (BER), 495 Canonical Encoding Rules (CER) and Distinguished Encoding 496 Rules (DER)", ISO/IEC 8825-1, November 2015, 497 . 500 [NIST-SP-800-131Ar1] 501 National Institute of Standards and Technology, 502 "Transitions: Recommendation for Transitioning of the Use 503 of Cryptographic Algorithms and Key Lengths", NIST Special 504 Publication 800-131A Revision 1, November 2015, 505 . 508 [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security 509 Considerations for the SHA-0 and SHA-1 Message-Digest 510 Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, 511 . 513 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 514 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 515 DOI 10.17487/RFC6234, May 2011, 516 . 518 [RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- 519 Hellman (DH) Key Exchange (KEX) Groups for Secure Shell 520 (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, 521 . 523 Authors' Addresses 525 Simo Sorce 526 Red Hat, Inc. 527 140 Broadway 528 24th Floor 529 New York, NY 10025 530 USA 532 Email: simo@redhat.com 534 Hubert Kario 535 Red Hat, Inc. 536 Purkynova 115 537 Brno 612 00 538 Czech Republic 540 Email: hkario@redhat.com