idnits 2.17.1 draft-os-ietf-sshfp-ecdsa-sha2-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4255, updated by this document, for RFC5378 checks: 2002-08-13) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 5, 2011) is 4519 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group O. Sury 3 Internet-Draft CZ.NIC 4 Updates: 4255 (if approved) December 5, 2011 5 Intended status: Standards Track 6 Expires: June 7, 2012 8 Use of SHA-256 Algorithm with RSA, DSA and ECDSA in SSHFP Resource 9 Records 10 draft-os-ietf-sshfp-ecdsa-sha2-04 12 Abstract 14 This document updates RFC 4255, which defines a DNS resource record - 15 SSHFP that contains a standard SSH key fingerprint used to verify 16 Secure Shell (SSH) host keys using Domain Name System Security 17 (DNSSEC). This document defines additional options supporting Secure 18 Shell (SSH) public keys using the Elliptic Curve Digital Signature 19 Algorithm (ECDSA) and the use of fingerprints computed using the SHA- 20 256 message digest algorithm in SSHFP resource records. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on June 7, 2012. 39 Copyright Notice 41 Copyright (c) 2011 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 This document may contain material from IETF Documents or IETF 55 Contributions published or made publicly available before November 56 10, 2008. The person(s) controlling the copyright in some of this 57 material may not have granted the IETF Trust the right to allow 58 modifications of such material outside the IETF Standards Process. 59 Without obtaining an adequate license from the person(s) controlling 60 the copyright in such materials, this document may not be modified 61 outside the IETF Standards Process, and derivative works of it may 62 not be created outside the IETF Standards Process, except to format 63 it for publication as an RFC or to translate it into languages other 64 than English. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 69 2. Requirements Language . . . . . . . . . . . . . . . . . . . . . 3 70 3. SSHFP Resource Records . . . . . . . . . . . . . . . . . . . . 3 71 3.1. SSHFP Fingerprint Type Specification . . . . . . . . . . . 4 72 3.1.1. SHA-256 SSHFP Fingerprint Type Specification . . . . . 4 73 3.2. SSHFP Algorithm Number Specification . . . . . . . . . . . 4 74 3.2.1. ECDSA SSHFP Algorithm Number Specification . . . . . . 4 75 4. Implementation Considerations . . . . . . . . . . . . . . . . . 4 76 4.1. Support for SHA-256 fingerprints . . . . . . . . . . . . . 4 77 4.2. Support for ECDSA . . . . . . . . . . . . . . . . . . . . . 4 78 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 79 5.1. RSA public key . . . . . . . . . . . . . . . . . . . . . . 5 80 5.1.1. RSA public key with SHA1 fingerprint . . . . . . . . . 5 81 5.1.2. RSA public key with SHA256 fingerprint . . . . . . . . 5 82 5.2. DSA public key . . . . . . . . . . . . . . . . . . . . . . 6 83 5.2.1. DSA public key with SHA1 fingerprint . . . . . . . . . 6 84 5.2.2. DSA public key with SHA256 fingerprint . . . . . . . . 6 85 5.3. ECDSA public key . . . . . . . . . . . . . . . . . . . . . 6 86 5.3.1. ECDSA public key with SHA256 fingerprint . . . . . . . 7 87 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 88 6.1. SSHFP RR Types for public key algorithms . . . . . . . . . 7 89 6.2. SSHFP RR types for fingerprint types . . . . . . . . . . . 7 90 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 91 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 92 8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 93 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 95 1. Introduction 97 The Domain Name System (DNS) is the global, hierarchical distributed 98 database for Internet Naming. The Secure Shell (SSH) is a protocol 99 for secure remote login and other secure network services over an 100 insecure network. RFC 4253 [RFC4253] defines Public Key Algorithms 101 for the Secure Shell server public keys. 103 The DNS has been extended to store fingerprints in a DNS resource 104 record named SSHFP [RFC4255], which provides out-of-band verification 105 by looking up a fingerprint of the server public key in the DNS 106 [RFC1034], [RFC1035] and using Domain Name System Security Extensions 107 (DNSSEC) [RFC4033], [RFC4034], [RFC4035] to verify the lookup. 109 RFC 4255 [RFC4255] describes how to store the cryptographic 110 fingerprint of SSH public keys in SSHFP resource records. SSHFP 111 records contain the fingerprint and two index numbers identifying the 112 cryptographic algorithms used 113 1. to link the fingerprinted public key with the corresponding 114 private key, and 115 2. to derive the message digest stored as the fingerprint in the 116 record. 117 RFC 4255 then specifies lists of cryptographic algorithms and the 118 corresponding index numbers used to identify them in SSHFP records. 120 This document updates RFC 4255 by adding a new option in each list: 121 o the Elliptic Curve Digital Signature Algorithm (ECDSA)[RFC6090] 122 which has been added to the Secure Shell Public Key list by RFC 123 5656 [RFC5656] in the public key algorithms list; and 124 o the SHA-256 algorithm [FIPS.180-3.2008] in the SSHFP Fingerprint 125 Type list. 127 Familiarity with DNSSEC, SSH Protocol [RFC4251], [RFC4253], 128 [RFC4250], SSHFP [RFC4255], and the SHA-2 [FIPS.180-3.2008] family of 129 algorithms is assumed in this document. 131 2. Requirements Language 133 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 134 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 135 document are to be interpreted as described in RFC 2119 [RFC2119]. 137 3. SSHFP Resource Records 139 The format of the SSHFP RR can be found in RFC 4255 [RFC4255]. 141 3.1. SSHFP Fingerprint Type Specification 143 The fingerprint type octet identifies the message-digest algorithm 144 used to calculate the fingerprint of the public key. 146 3.1.1. SHA-256 SSHFP Fingerprint Type Specification 148 SHA-256 fingerprints of the public keys are stored in SSHFP Resource 149 Record with the fingerprint type 2. 151 3.2. SSHFP Algorithm Number Specification 153 The SSHFP Resource Record algorithm number octet describes the 154 algorithm of the public key. 156 3.2.1. ECDSA SSHFP Algorithm Number Specification 158 ECDSA public keys are stored in SSHFP Resource Records with the 159 algorithm number 3. 161 ECDSA public key fingerprints MUST use the SHA-256 algorithm for the 162 fingerprint as using the SHA-1 algorithm would weaken the security of 163 the key. 165 4. Implementation Considerations 167 4.1. Support for SHA-256 fingerprints 169 SSHFP-aware Secure Shell implementations SHOULD support the SHA-256 170 fingerprints for verification of the public key. Secure Shell 171 implementations which support SHA-256 fingerprints MUST prefer a SHA- 172 256 fingerprint over SHA-1 if both are available for a server. If 173 the SHA-256 fingerprint is tested and does not match the supplied 174 key, then the key MUST be rejected rather than testing the 175 alternative SHA-1 fingerprint. 177 4.2. Support for ECDSA 179 SSHFP-aware Secure Shell implementations which also implement ECDSA 180 algorithm for the public key SHOULD support SSHFP fingerprints for 181 ECDSA public keys. 183 5. Examples 184 5.1. RSA public key 186 Given a private key with the following value in OpenSSH format: 188 -----BEGIN RSA PRIVATE KEY----- 189 MIIEpAIBAAKCAQEAwlEeCTocU4p86u0Dt20F1uI5jwgrpRbJ4fGIuzCsKTJ3fevk 190 +7le5xMMvuvhlmLvfCMRSQciIxV1/2ugVw6d/O/MHsx9Q2drTQ/7bv3rnc+hK6Ux 191 WJp1S8hAwEWEs1QTULiCtVA6r7wein3yXMre/BacFtu3rhpKhJGpuxmrqz0QIMF3 192 oQwf4DMEbV1UWftd82FpAJgGPuTgFlZnV7kFZuZI5b3Dc7aNh95t56ibQ+CfS9ZS 193 j7klVasCa+P+oYm1yZEBL1qVL3TgFMN36yqTcGvd9n1xZN5HuK7A40P1vBspXjLS 194 t08fLROM9cLqMF7WHugWvKtywD7P5tkuKVLHMQIDAQABAoIBAQCrZP1HSjhd/5M7 195 bB+RFNrHtPbsEFre3QDpCDCAW+ge1mLLcNyio9jvnL/rTwfFrDJsnknKzj3wECfq 196 STY+U6hKyACVUe1THM9qQ6SVO+ctZUxVwPmLm4HGfDWQ4kCwJIJ8+qJf5wo8o4OU 197 yI6UBmU0mYTILLkRGiOMVycM3xGqkUJHcjj82GLWNKakdp1CuFtmyF0aUnlDp5gm 198 Ub0GgCgBFCO+/Eb7OoqZufhS6bisRyDEozLNO/I0Ih7lZgsaywOsjeXOZ2+zHH98 199 +RVrnZ6PObxPp2WmSA268gW02k2rWRGTg95boSLdxv2C1nBvdqsMXnq8hVcfKigO 200 bYH1uIOBAoGBAOBkncI1ZYOd8mye4a+hgzBgxdzrEl3QCAm3qSw5Gsz6FwTAZAit 201 u4lRSXb0birYKfJjcZ7Og/07r0KCMuCku/CTpbZP0gCSyd7SaeovFs1y9tUuY8r+ 202 iT+FxFeOQ9PcYcOccivzkLwINOrG/Glm8UWUngCRDgo/CSOSTf06juY5AoGBAN2v 203 /DQeQl/uATmIyfOGsZA4IdmAfhY8P60GVdk8zFZyDW5qmJklDA75ObepUtDnAcDd 204 NzkNyKZBIX6aFoMkXAzwMCxk6KU3gkbciuCydCXf323fKCS7SHIk+btGa+eRhUcO 205 HzPlzUqxrqg7ouQ1n2/zLbiN10zwWCPYzTGAwai5AoGBAJ9b9YnqQAjkEDnB8Ee5 206 7aBa6cpGC8oiJsM38uYcPANcjSJru99J+si/uOvJFcBJuiiRJS0CP0yFqacTLizJ 207 8UseoG5Ea8DKfqFHT77n6ErKHbAyfN66PCCn0FPaDiOU/L1eCttZ4+0V6vbdkH8O 208 g8TFkhyW56CxOb1QdyCjCL9JAoGAcexxcBsowwGdkYKRPdu3PkUKaCrXIPgfRPyf 209 e376B2afLmILP5BBTSSYm6ChVYeRaBqGuYQy2/VWkCgBb61svJ1mNDo7MESBZ4cI 210 u4YZmCkfOehXSeEQzs/fonUDGMK4uhYwxMvQnxUGi5/yCtLft3lBwrjprrlIoktU 211 z566ZskCgYBRFqGVaZZQgLeiEjuRtxo0MOmQvN3fwfgd7HbHoNjyalPRCUOurmDk 212 rIpSmbeIABBWveapZwidXNRdbAqV/XZ+tEHeak4peanFGIUV5J4P9kg6eakuwC14 213 wU+VnpDUATpddCID+jf7ory9bCvJ4gvKlyDq5PJyR8uiut+BY0m7Hg== 214 -----END RSA PRIVATE KEY----- 216 5.1.1. RSA public key with SHA1 fingerprint 218 The SSHFP Resource Record for this key would be: 220 server.example.net IN SSHFP 1 1 dd465c09cfa51fb45020cc83316fff21 221 b9ec74ac 223 5.1.2. RSA public key with SHA256 fingerprint 225 The SSHFP Resource Record for this key would be: 227 server.example.net IN SSHFP 1 2 b049f950d1397b8fee6a61e4d14a9acd 228 c4721e084eff5460bbed80cfaa2ce2cb 230 5.2. DSA public key 232 Given a private key with the following value in OpenSSH format: 234 -----BEGIN DSA PRIVATE KEY----- 235 MIIBvAIBAAKBgQD1Ra3NFN+oFmssG3yc43L/Hn9d6gF+BCZfDWusar14dbfmgiRH 236 Uu7KEY7byuCrDYZO/A43bZ34RIchShxzc94uv3P7PZT9FI1e5kQKOpwOwNxrOokB 237 JW+jvRapuolUgum2FopU0gdLWHp3BBCVKGgLmvGEBf7sUcz60Xl8Rqh54wIVAML0 238 z+mWLxUhWYQY47TALVN5RM3jAoGBAIANhW5G23qNPrv6sPJkBThVmaU2qjaO3e46 239 L95mo24eS6hFQ+8k9zEtRkhoY4L74brP3oTE6s2G403NLM1DPSZ8E+8ateT9mWAy 240 vfCFca8N9YzLbFFBJgageA1I07q7XGlpifSzWj9f5OGzKNP4aLZznDlZyD7EywRV 241 lb3TUcVAAoGAOZcDcK01NTM1qIIYbBqCffrwjQ+9PmsuSKI6nUzfS4NysXHkdbW5 242 u5VxeXLcwWj5PGbRfoS2P3vwYAmakqgq502wigam18u9nAczUYl+2kOeOiIRrtSm 243 LfpV7thLOAb8k1ESjIlkbn35jKmTcoMFRXbFmkKRTK8OEnWQ8AVg6w8CFQCS/nI5 244 MhAE/LKS/rJ5fSZ/j+/dNw== 245 -----END DSA PRIVATE KEY----- 247 5.2.1. DSA public key with SHA1 fingerprint 249 The SSHFP Resource Record for this key would be: 251 server.example.net IN SSHFP 2 1 3b6ba6110f5ffcd29469fc1ec2ee25d6 252 1718badd 254 5.2.2. DSA public key with SHA256 fingerprint 256 The SSHFP Resource Record for this key would be: 258 server.example.net IN SSHFP 2 2 f9b8a6a460639306f1b38910456a6ae1 259 018a253c47ecec12db77d7a0878b4d83 261 5.3. ECDSA public key 263 Given a private key with the following value in OpenSSH format: 265 -----BEGIN EC PRIVATE KEY----- 266 MHcCAQEEINFBNyh3bKEQ4CQ7MfNgbEGINuRHjaIBrZkiWbaGPCZZoAoGCCqGSM49 267 AwEHoUQDQgAEAP70I5SJftZiBy8g50jz52N2gUNVRPE2tyiDyxJh1sjN4b5th2yy 268 y9zLL+dF9WFcLlAEKTwhOGqzsPj+UXFfmA== 269 -----END EC PRIVATE KEY----- 271 5.3.1. ECDSA public key with SHA256 fingerprint 273 The SSHFP Resource Record for this key would be: 275 server.example.net IN SSHFP 3 2 821eb6c1c98d9cc827ab7f456304c0f1 276 4785b7008d9e8646a8519de80849afc7 278 6. IANA Considerations 280 This document updates the IANA registry "SSHFP RR Types for public 281 key algorithms" and "SSHFP RR types for fingerprint types" 282 [SSHFPVALS]. 284 6.1. SSHFP RR Types for public key algorithms 286 The following entries are added to the "SSHFP RR Types for public key 287 algorithms" registry: 289 +-------+-------------+------------+ 290 | Value | Description | Reference | 291 +-------+-------------+------------+ 292 | 3 | ECDSA | [This doc] | 293 +-------+-------------+------------+ 295 Table 1 297 6.2. SSHFP RR types for fingerprint types 299 The following entries are added to the "SSHFP RR types for 300 fingerprint types" registry: 302 +-------+-------------+------------+ 303 | Value | Description | Reference | 304 +-------+-------------+------------+ 305 | 2 | SHA-256 | [This doc] | 306 +-------+-------------+------------+ 308 Table 2 310 7. Security Considerations 312 Please see the security considerations in [RFC4255] for SSHFP record 313 and [RFC5656] for ECDSA algorithm. 315 Users of SSHFP are encouraged to deploy SHA-256 as soon as software 316 implementations allow for it. SHA-2 family of algorithms is widely 317 believed to be more resilient to attack than SHA-1, and confidence in 318 SHA-1's strength is being eroded by recently announced attacks [IACR 319 2007/474]. Regardless of whether or not the attacks on SHA-1 will 320 affect SSHFP, it is believed (at the time of this writing) that SHA- 321 256 is the better choice for use in SSHFP records. 323 SHA-256 is considered sufficiently strong for the immediate future, 324 but predictions about future development in cryptography and 325 cryptanalysis are beyond the scope of this document. 327 8. References 329 8.1. Normative References 331 [FIPS.180-3.2008] 332 National Institute of Standards and Technology, ""Secure 333 Hash Standard"", FIPS PUB 180-3, October 2008, . 337 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 338 STD 13, RFC 1034, November 1987. 340 [RFC1035] Mockapetris, P., "Domain names - implementation and 341 specification", STD 13, RFC 1035, November 1987. 343 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 344 Requirement Levels", BCP 14, RFC 2119, March 1997. 346 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 347 Rose, "DNS Security Introduction and Requirements", 348 RFC 4033, March 2005. 350 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 351 Rose, "Resource Records for the DNS Security Extensions", 352 RFC 4034, March 2005. 354 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 355 Rose, "Protocol Modifications for the DNS Security 356 Extensions", RFC 4035, March 2005. 358 [RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) 359 Protocol Assigned Numbers", RFC 4250, January 2006. 361 [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) 362 Protocol Architecture", RFC 4251, January 2006. 364 [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) 365 Transport Layer Protocol", RFC 4253, January 2006. 367 [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely 368 Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, 369 January 2006. 371 [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm 372 Integration in the Secure Shell Transport Layer", 373 RFC 5656, December 2009. 375 8.2. Informative References 377 [IACR 2007/474] 378 Cochran, M., ""Notes on the Wang et al. 2^63 SHA-1 379 Di!erential Path"", IACR 2007/474, 380 . 382 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 383 Curve Cryptography Algorithms", RFC 6090, February 2011. 385 [SSHFPVALS] 386 IANA, ""DNS SSHFP Resource Records Parameters"", IANA 387 registry available at:, . 390 Author's Address 392 Ondrej Sury 393 CZ.NIC 394 Americka 23 395 120 00 Praha 2 396 CZ 398 Phone: +420 222 745 110 399 Email: ondrej.sury@nic.cz