rfcdiff: draft-ietf-curdle-gss-keyex-sha2-02.txt vs. draft-ietf-curdle-gss-keyex-sha2-03.txt
(lines marked "-" appear only in -02, lines marked "+" only in -03; unmarked lines are common to both)

--- draft-ietf-curdle-gss-keyex-sha2-02.txt
+++ draft-ietf-curdle-gss-keyex-sha2-03.txt

 Internet Engineering Task Force                                S. Sorce
 Internet-Draft                                                 H. Kario
 Updates: 4462 (if approved)                               Red Hat, Inc.
-Intended status: Standards Track                          June 15, 2017
-Expires: December 17, 2017
+Intended status: Standards Track                      December 12, 2017
+Expires: June 15, 2018

                      GSS-API Key Exchange with SHA2
-                  draft-ietf-curdle-gss-keyex-sha2-02
+                  draft-ietf-curdle-gss-keyex-sha2-03

 Abstract

    This document specifies additions and amendments to SSH GSS-API
    Methods [RFC4462].  It defines a new key exchange method that uses
    SHA-2 for integrity and deprecates weak DH groups.  The purpose of
    this specification is to modernize the cryptographic primitives used
    by GSS Key Exchanges.

 Status of This Memo

    This Internet-Draft is submitted in full conformance with the
    provisions of BCP 78 and BCP 79.

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
-   Drafts is at http://datatracker.ietf.org/drafts/current/.
+   Drafts is at https://datatracker.ietf.org/drafts/current/.

    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."

-   This Internet-Draft will expire on December 17, 2017.
+   This Internet-Draft will expire on June 15, 2018.

 Copyright Notice

    Copyright (c) 2017 IETF Trust and the persons identified as the
    document authors.  All rights reserved.

    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
-   (http://trustee.ietf.org/license-info) in effect on the date of
+   (https://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
    carefully, as they describe your rights and restrictions with respect
    to this document.  Code Components extracted from this document must
    include Simplified BSD License text as described in Section 4.e of
    the Trust Legal Provisions and are provided without warranty as
    described in the Simplified BSD License.

 Table of Contents

    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2

 skipping to change at page 8, line 48
       and q_V.  The result of the function is the shared secret.

       For curve25519 and curve448, if all the octets of the shared
       secret are zero octets, the key exchange MUST fail.

       H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).

       MIC is the GSS-API message integrity code for H computed by
       calling GSS_GetMIC().
+
+      S then sends Q_S and the message integrity code (MIC) to C.

    6.  This step is performed only if the server's final call to
    GSS_Accept_sec_context() produced a non-zero-length final reply token
    to be sent to the client and if no previous call by the client to
    GSS_Init_sec_context() has resulted in a major_status of
    GSS_S_COMPLETE.  Under these conditions, the client makes an
    additional call to GSS_Init_sec_context() to process the final reply
    token.  This call is made exactly as described above.  However, if
    the resulting major_status is anything other than GSS_S_COMPLETE, or
    a non-zero-length token is returned, it is an error and the key
    exchange MUST fail.

    7.  C verifies that the key Q_S is valid the same way it is done in
    step 3.  If the key is not valid the key exchange MUST fail.

-   8.  C computes the shared secret K and H the same way it is done in
-   step 5.  It then calls GSS_VerifyMIC() to check that the MIC sent by
-   S verifies H's integrity.  If the MIC is not successfully verified,
-   the key exchange MUST fail.
+   8.  C computes the shared secret K and H and verifies that it is
+   valid the same way it is done in step 5.  It then calls
+   GSS_VerifyMIC() to check that the MIC sent by S verifies H's
+   integrity.  If the MIC is not successfully verified, the key exchange
+   MUST fail.

    If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a
    major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or
    any other GSS-API call returns a major_status other than
    GSS_S_COMPLETE, the key exchange MUST fail.  The same recommendations
    expressed in Section 2.1 of [RFC4462] are followed with regards to
    error reporting.

    This exchange is implemented with the following messages:
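Review bot: in the new step 8 wording, "verifies that it is valid the same way it is done in step 5" leaves "it" ambiguous between K and H, and the only validity check step 5 defines is the all-zero test on the shared secret ("if all the octets of the shared secret are zero octets, the key exchange MUST fail"); say that explicitly, e.g. "C computes the shared secret K and H the same way it is done in step 5, including the check that K is not all zero octets for curve25519 and curve448". Making that check symmetric is the right fix: a small-order Q_S would otherwise leave the client with an all-zero K that any observer also knows, and the MIC does not help there, since it authenticates H rather than keeping K secret. The added sentence "S then sends Q_S and the message integrity code (MIC) to C." also closes a gap, because steps 7 and 8 already referred to Q_S and the MIC without any server step saying they are transmitted.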
 skipping to change at page 15, line 24

    [NIST-SP-800-131Ar1]
               National Institute of Standards and Technology,
               "Transitions: Recommendation for Transitioning of the Use
               of Cryptographic Algorithms and Key Lengths", NIST Special
               Publication 800-131A Revision 1, November 2015,
               <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
               NIST.SP.800-131Ar1.pdf>.

    [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
               DOI 10.17487/RFC1321, April 1992,
-              <http://www.rfc-editor.org/info/rfc1321>.
+              <https://www.rfc-editor.org/info/rfc1321>.

    [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part One: Format of Internet Message
               Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
-              <http://www.rfc-editor.org/info/rfc2045>.
+              <https://www.rfc-editor.org/info/rfc2045>.

    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,
-              <http://www.rfc-editor.org/info/rfc2119>.
+              <https://www.rfc-editor.org/info/rfc2119>.

    [RFC3526]  Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
               Diffie-Hellman groups for Internet Key Exchange (IKE)",
               RFC 3526, DOI 10.17487/RFC3526, May 2003,
-              <http://www.rfc-editor.org/info/rfc3526>.
+              <https://www.rfc-editor.org/info/rfc3526>.

    [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
               Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
-              January 2006, <http://www.rfc-editor.org/info/rfc4253>.
+              January 2006, <https://www.rfc-editor.org/info/rfc4253>.

    [RFC4462]  Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
               "Generic Security Service Application Program Interface
               (GSS-API) Authentication and Key Exchange for the Secure
               Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May
-              2006, <http://www.rfc-editor.org/info/rfc4462>.
+              2006, <https://www.rfc-editor.org/info/rfc4462>.

    [RFC5656]  Stebila, D. and J. Green, "Elliptic Curve Algorithm
               Integration in the Secure Shell Transport Layer",
               RFC 5656, DOI 10.17487/RFC5656, December 2009,
-              <http://www.rfc-editor.org/info/rfc5656>.
+              <https://www.rfc-editor.org/info/rfc5656>.

    [RFC6194]  Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
               Considerations for the SHA-0 and SHA-1 Message-Digest
               Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
-              <http://www.rfc-editor.org/info/rfc6194>.
+              <https://www.rfc-editor.org/info/rfc6194>.

    [RFC7546]  Kaduk, B., "Structure of the Generic Security Service
               (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546,
-              May 2015, <http://www.rfc-editor.org/info/rfc7546>.
+              May 2015, <https://www.rfc-editor.org/info/rfc7546>.

    [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
               for Security", RFC 7748, DOI 10.17487/RFC7748, January
-              2016, <http://www.rfc-editor.org/info/rfc7748>.
+              2016, <https://www.rfc-editor.org/info/rfc7748>.

    [SEC2v2]   Certicom Research, "SEC 2: Recommended Elliptic Curve
               Domain Parameters", Standards for Efficient
               Cryptography SEC 2, 2010.

 Authors' Addresses

    Simo Sorce
    Red Hat, Inc.
    140 Broadway

End of changes.  17 change blocks.
20 lines changed or deleted, 23 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/