Network Working Group                                            O. Sury
Internet-Draft                                                    CZ.NIC
Updates: 4255 (if approved)                             December 5, 2011
Intended status: Standards Track
Expires: June 7, 2012

   Use of SHA-256 Algorithm with RSA, DSA and ECDSA in SSHFP Resource
                                Records
                   draft-os-ietf-sshfp-ecdsa-sha2-03

Abstract

   This document updates RFC 4255, which defines a DNS resource record
   (SSHFP) that contains a standard SSH key fingerprint used to verify
   Secure Shell (SSH) host keys using Domain Name System Security
   (DNSSEC).  This document defines how to store Secure Shell (SSH)
   ECDSA public keys and SHA-256 fingerprints in SSHFP resource records.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 7, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  SSHFP Resource Records
     3.1.  SSHFP Fingerprint Type Specification
       3.1.1.  SHA-256 SSHFP Fingerprint Type Specification
     3.2.  SSHFP Algorithm Number Specification
       3.2.1.  ECDSA SSHFP Algorithm Number Specification
   4.  Implementation Considerations
     4.1.  Support for SHA-256 fingerprints
     4.2.  Support for ECDSA
   5.  Examples
     5.1.  RSA public key
       5.1.1.  RSA public key with SHA1 fingerprint
       5.1.2.  RSA public key with SHA256 fingerprint
     5.2.  DSA public key
       5.2.1.  DSA public key with SHA1 fingerprint
       5.2.2.  DSA public key with SHA256 fingerprint
     5.3.  ECDSA public key
       5.3.1.  ECDSA public key with SHA256 fingerprint
   6.  IANA Considerations
     6.1.  SSHFP RR Types for public key algorithms
     6.2.  SSHFP RR types for fingerprint types
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References

1.  Introduction

   The Domain Name System (DNS) is the global, hierarchical distributed
   database for Internet Naming.  The Secure Shell (SSH) is a protocol
   for secure remote login and other secure network services over an
   insecure network.  RFC 4253 [RFC4253] defines Public Key Algorithms
   for the Secure Shell server public keys.

   The DNS has been extended to store fingerprints in a DNS resource
   record named SSHFP [RFC4255], which provides out-of-band verification
   by looking up a fingerprint of the server public key in the DNS
   [RFC1034], [RFC1035] and using DNSSEC [RFC4033], [RFC4034], [RFC4035]
   to verify the lookup.

   RFC 4255 [RFC4255] describes how to store SSH public keys in SSHFP
   resource records and specifies a list of cryptographic algorithms to
   use for Algorithm Number and Fingerprint Type.  This document
   extends the SSHFP Algorithm Number list with the ECDSA algorithm
   [RFC6090], which has been added to the Secure Shell Public Key list
   in RFC 5656 [RFC5656], and the SSHFP Fingerprint Type list with the
   SHA-256 algorithm.


   Familiarity with DNSSEC, SSH Protocol [RFC4251], [RFC4253],
   [RFC4250], SSHFP [RFC4255], and the SHA-2 [FIPS.180-3.2008] family of
   algorithms is assumed in this document.

   This document updates RFC 4255 [RFC4255].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  SSHFP Resource Records

   The format of the SSHFP RR can be found in RFC 4255 [RFC4255].

3.1.  SSHFP Fingerprint Type Specification

   The fingerprint type octet describes the message-digest algorithm
   used to calculate the fingerprint of the public key.

3.1.1.  SHA-256 SSHFP Fingerprint Type Specification

   SHA-256 fingerprints of the public keys are stored in SSHFP Resource
   Records with the fingerprint type 2.

3.2.  SSHFP Algorithm Number Specification

   The SSHFP Resource Record algorithm number octet describes the
   algorithm of the public key.

3.2.1.  ECDSA SSHFP Algorithm Number Specification

   ECDSA public keys are stored in SSHFP Resource Records with the
   algorithm number 3.

   ECDSA public key fingerprints MUST use the SHA-256 algorithm for the
   fingerprint, as using the SHA-1 algorithm would weaken the security
   of the key.

4.  Implementation Considerations

4.1.  Support for SHA-256 fingerprints

   SSHFP-aware Secure Shell implementations SHOULD support the SHA-256
   fingerprints for verification of the public key.  Secure Shell
   implementations which support SHA-256 fingerprints MUST prefer the
   SHA-256 fingerprints if available over SHA-1 to prevent downgrade
   attacks.

4.2.  Support for ECDSA

   SSHFP-aware Secure Shell implementations which also implement the
   ECDSA algorithm for the public key SHOULD support SSHFP fingerprints
   for ECDSA public keys.

5.  Examples

5.1.  RSA public key

   Given a private key with the following value in OpenSSH format:

5.1.1.  RSA public key with SHA1 fingerprint

   The SSHFP Resource Record for this key would be:

   server.example.net IN SSHFP 1 1 dd465c09cfa51fb45020cc83316fff21
                                   b9ec74ac

5.1.2.  RSA public key with SHA256 fingerprint

   The SSHFP Resource Record for this key would be:

   server.example.net IN SSHFP 1 2 b049f950d1397b8fee6a61e4d14a9acd
                                   c4721e084eff5460bbed80cfaa2ce2cb

5.2.  DSA public key

   Given a private key with the following value in OpenSSH format:

5.2.1.  DSA public key with SHA1 fingerprint

   The SSHFP Resource Record for this key would be:

   server.example.net IN SSHFP 2 1 3b6ba6110f5ffcd29469fc1ec2ee25d6
                                   1718badd

5.2.2.  DSA public key with SHA256 fingerprint

   The SSHFP Resource Record for this key would be:

   server.example.net IN SSHFP 2 2 f9b8a6a460639306f1b38910456a6ae1
                                   018a253c47ecec12db77d7a0878b4d83

5.3.  ECDSA public key

   Given a private key with the following value in OpenSSH format:

   -----BEGIN EC PRIVATE KEY-----
   MHcCAQEEINFBNyh3bKEQ4CQ7MfNgbEGINuRHjaIBrZkiWbaGPCZZoAoGCCqGSM49
   AwEHoUQDQgAEAP70I5SJftZiBy8g50jz52N2gUNVRPE2tyiDyxJh1sjN4b5th2yy
   y9zLL+dF9WFcLlAEKTwhOGqzsPj+UXFfmA==
   -----END EC PRIVATE KEY-----

5.3.1.  ECDSA public key with SHA256 fingerprint

   The SSHFP Resource Record for this key would be:

   server.example.net IN SSHFP 3 2 821eb6c1c98d9cc827ab7f456304c0f1
                                   4785b7008d9e8646a8519de80849afc7

6.  IANA Considerations

   This document updates the IANA registry "SSHFP RR Types for public
   key algorithms" and "SSHFP RR types for fingerprint types"
   [SSHFPVALS].

6.1.  SSHFP RR Types for public key algorithms

   The following entries are added to the "SSHFP RR Types for public key
   algorithms" registry:

                   +-------+-------------+------------+
                   | Value | Description | Reference  |
                   +-------+-------------+------------+
                   | 3     | ECDSA       | [This doc] |
                   +-------+-------------+------------+

                                 Table 1

6.2.  SSHFP RR types for fingerprint types

   The following entries are added to the "SSHFP RR types for
   fingerprint types" registry:

                   +-------+-------------+------------+
                   | Value | Description | Reference  |
                   +-------+-------------+------------+
                   | 2     | SHA-256     | [This doc] |
                   +-------+-------------+------------+

                                 Table 2

7.  Security Considerations

   Please see the security considerations in [RFC4255] for the SSHFP
   record and [RFC5656] for the ECDSA algorithm.

   Users of SSHFP are encouraged to deploy SHA-256 as soon as software
   implementations allow for it.  The SHA-2 family of algorithms is
   widely believed to be more resilient to attack than SHA-1, and
   confidence in SHA-1's strength is being eroded by recently announced
   attacks [IACR 2007/474].  Regardless of whether or not the attacks on
   SHA-1 will affect SSHFP, it is believed (at the time of this writing)
   that SHA-256 is the better choice for use in SSHFP records.

   SHA-256 is considered sufficiently strong for the immediate future,
   but predictions about future development in cryptography and
   cryptanalysis are beyond the scope of this document.

8.  References

8.1.  Normative References

   [FIPS.180-3.2008]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-3, October 2008.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC4250]  Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC4255]  Schlyter, J. and W. Griffin, "Using DNS to Securely
              Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
              January 2006.

   [RFC5656]  Stebila, D. and J. Green, "Elliptic Curve Algorithm
              Integration in the Secure Shell Transport Layer",
              RFC 5656, December 2009.

8.2.  Informative References

   [IACR 2007/474]
              Cochran, M., "Notes on the Wang et al. 2^63 SHA-1
              Differential Path", IACR 2007/474.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090, February 2011.

   [SSHFPVALS]
              IANA, "DNS SSHFP Resource Records Parameters", IANA
              registry.

Author's Address

   Ondrej Sury
   CZ.NIC
   Americka 23
   120 00  Praha 2
   CZ

   Phone: +420 222 745 110
   Email: ondrej.sury@nic.cz
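
Added example (not part of the draft, and not code from any SSH implementation): building the SSHFP RDATA of Sections 3 and 5 from an OpenSSH public key line, and applying the SHA-256 preference of Section 4.1 when checking a host key against DNSSEC-validated records. The function names and the sample key blobs are constructed for illustration; ignoring SHA-1 records whenever a SHA-256 record exists is one reading of "MUST prefer".

```python
import base64
import hashlib

# Fingerprint types: 1 (SHA-1) from RFC 4255, 2 (SHA-256) from this draft.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def algorithm_number(key_type):
    """Map an SSH key type name to its SSHFP algorithm number."""
    if key_type.startswith("ecdsa-sha2-"):
        return 3  # ECDSA, Section 3.2.1
    return {"ssh-rsa": 1, "ssh-dss": 2}[key_type]  # RSA, DSA (RFC 4255)


def sshfp_rdata(pubkey_line, fp_type):
    """Return (algorithm, fp_type, hex digest) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with the key type as an SSH string (uint32 length + bytes).
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type label does not match the key blob")
    alg = algorithm_number(key_type)
    if alg == 3 and fp_type != 2:
        raise ValueError("ECDSA fingerprints MUST use SHA-256 (Section 3.2.1)")
    return alg, fp_type, DIGESTS[fp_type](blob).hexdigest()


def host_key_matches(pubkey_line, records):
    """records: DNSSEC-validated (algorithm, fp_type, hex fingerprint) tuples."""
    alg = algorithm_number(pubkey_line.split()[0])
    allowed = (2,) if alg == 3 else (1, 2)
    usable = [r for r in records if r[0] == alg and r[1] in allowed]
    if not usable:
        return False
    # Section 4.1 as read here: if SHA-256 records exist, SHA-1 ones are ignored.
    best = max(r[1] for r in usable)
    want = sshfp_rdata(pubkey_line, best)[2]
    return any(r[1] == best and r[2].lower() == want for r in usable)


def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data


def _sample_line(key_type, *fields):
    blob = b"".join(_ssh_string(f) for f in (key_type.encode(),) + fields)
    return key_type + " " + base64.b64encode(blob).decode()


# Constructed sample blobs with filler field values; these are not real keys.
RSA_LINE = _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc2" * 32)
ECDSA_LINE = _sample_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
```

With a matching SHA-1 record and a non-matching SHA-256 record in the same set, `host_key_matches` rejects the key, which is the downgrade case Section 4.1 addresses.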