draft-ietf-curdle-gss-keyex-sha2-00.txt   draft-ietf-curdle-gss-keyex-sha2-01.txt 
Internet Engineering Task Force S. Sorce Internet Engineering Task Force S. Sorce
Internet-Draft H. Kario Internet-Draft H. Kario
Updates: 4462 (if approved) Red Hat, Inc. Updates: 4462 (if approved) Red Hat, Inc.
Intended status: Standards Track April 26, 2017 Intended status: Standards Track June 4, 2017
Expires: October 28, 2017 Expires: December 6, 2017
GSS-API Key Exchange with SHA2 GSS-API Key Exchange with SHA2
draft-ietf-curdle-gss-keyex-sha2-00 draft-ietf-curdle-gss-keyex-sha2-01
Abstract Abstract
This document specifies additions and amendments to SSH GSS-API This document specifies additions and amendments to SSH GSS-API
Methods [RFC4462]. It defines a new key exchange method that uses Methods [RFC4462]. It defines a new key exchange method that uses
SHA-2 for integrity and deprecates weak DH groups. The purpose of SHA-2 for integrity and deprecates weak DH groups. The purpose of
this specification is to modernize the cryptographic primitives used this specification is to modernize the cryptographic primitives used
by GSS Key Exchanges. by GSS Key Exchanges.
Status of This Memo Status of This Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 28, 2017. This Internet-Draft will expire on December 6, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 45 skipping to change at page 6, line 45
token is sent to S. token is sent to S.
If the resulting major_status code is GSS_S_CONTINUE_NEEDED, the If the resulting major_status code is GSS_S_CONTINUE_NEEDED, the
output_token is sent to S, which will reply with a new token to be output_token is sent to S, which will reply with a new token to be
provided to GSS_Init_sec_context(). provided to GSS_Init_sec_context().
The client MUST also include Q_C with the first message it sends The client MUST also include Q_C with the first message it sends
to the server during this process; if the server receives more to the server during this process; if the server receives more
than one Q_C or none at all, the key exchange MUST fail. than one Q_C or none at all, the key exchange MUST fail.
It is an error if the call does not produce a token of non- zero It is an error if the call does not produce a token of non-zero
length to be sent to the server. In this case, the key exchange length to be sent to the server. In this case, the key exchange
MUST fail. MUST fail.
3. When a Q_C key is received, S verifies that the key is valid. If 3. When a Q_C key is received, S verifies that the key is valid. If
the key is not valid the key exchange MUST fail. the key is not valid the key exchange MUST fail.
The server first checks if the length of the Q_C matches the The server first checks if the length of the Q_C matches the
selected key exchange: 65 octets for nistp256, 97 octets for selected key exchange: 65 octets for nistp256, 97 octets for
nistp384, 133 octets for nistp521, 32 octets for curve25519 or 56 nistp384, 133 octets for nistp521, 32 octets for curve25519 or 56
octets for curve448. If the value does not have matching length octets for curve448. If the value does not have matching length
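Review bot: the length table in step 3 (65/97/133 octets for nistp256/384/521 versus 32/56 octets for curve25519/curve448) should state which point encoding each length assumes, since the NIST values are the sizes of uncompressed SEC1 points (1 + 2 * field size) while the curve25519/curve448 values are raw u-coordinates; naming the encodings alongside the lengths makes the "does not have matching length" check unambiguous for implementers. The typographic fix "non- zero" -> "non-zero" in the "It is an error if the call does not produce a token" paragraph is fine, and the new requirement that exactly one Q_C arrive with the first message is consistent with step 3's "more than one Q_C or none at all, the key exchange MUST fail".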
skipping to change at page 11, line 11 skipping to change at page 11, line 11
GSS_Init_sec_context() has yet resulted in a major_status code of GSS_Init_sec_context() has yet resulted in a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail. MUST fail.
In case of errors the messages described in Section 2.1 of [RFC4462] In case of errors the messages described in Section 2.1 of [RFC4462]
are used as well as the recommendation about the messages' order. are used as well as the recommendation about the messages' order.
The hash H is computed as the HASH hash of the concatenation of the The hash H is computed as the HASH hash of the concatenation of the
following: following:
string V_C, the client's version string (CR, NL excluded) string V_C, the client's version string (CR, NL excluded)
string V_S, server's identification string (CR and LF excluded) string V_S, server's version string (CR, NL excluded)
string I_C, payload of the client's SSH_MSG_KEXINIT string I_C, payload of the client's SSH_MSG_KEXINIT
string I_S, payload of the server's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT
string K_S, server's public host key string K_S, server's public host key
string Q_C, client's ephemeral public key octet string string Q_C, client's ephemeral public key octet string
string Q_S, server's ephemeral public key octet string string Q_S, server's ephemeral public key octet string
mpint K, shared secret mpint K, shared secret
This value is called the exchange hash, and it is used to This value is called the exchange hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept authenticate the key exchange. The exchange hash SHOULD be kept
secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the
server or received by the client, then the empty string is used in server or received by the client, then the empty string is used in
place of K_S when computing the exchange hash. place of K_S when computing the exchange hash.
The GSS_GetMIC call MUST be applied over H, not the original data. The GSS_GetMIC call MUST be applied over H, not the original data.
5.2. ECDH Key Exchange Methods 5.2. ECDH Key Exchange Methods
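Review bot: the V_S line now uses the same wording as V_C ("version string (CR, NL excluded)"), which removes the left column's mixed "identification string (CR and LF excluded)" phrasing and matches the exchange-hash listing in RFC 4462; a pointer to the RFC 4253 definition of the identification string would still help, since that is where the CR LF terminator being excluded is actually specified. No other change in this block; the requirement that GSS_GetMIC be applied over H rather than the original data and the rule to substitute the empty string for K_S when no SSH_MSG_KEXGSS_HOSTKEY was sent are unchanged and read correctly.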
 End of changes. 5 change blocks. 
13 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/