draft-ietf-curdle-gss-keyex-sha2-03.txt   draft-ietf-curdle-gss-keyex-sha2-04.txt 
Internet Engineering Task Force S. Sorce Internet Engineering Task Force S. Sorce
Internet-Draft H. Kario Internet-Draft H. Kario
Updates: 4462 (if approved) Red Hat, Inc. Updates: 4462 (if approved) Red Hat, Inc.
Intended status: Standards Track December 12, 2017 Intended status: Standards Track January 22, 2018
Expires: June 15, 2018 Expires: July 26, 2018
GSS-API Key Exchange with SHA2 GSS-API Key Exchange with SHA2
draft-ietf-curdle-gss-keyex-sha2-03 draft-ietf-curdle-gss-keyex-sha2-04
Abstract Abstract
This document specifies additions and amendments to SSH GSS-API This document specifies additions and amendments to RFC4462. It
Methods [RFC4462]. It defines a new key exchange method that uses defines a new key exchange method that uses SHA-2 for integrity and
SHA-2 for integrity and deprecates weak DH groups. The purpose of deprecates weak DH groups. The purpose of this specification is to
this specification is to modernize the cryptographic primitives used modernize the cryptographic primitives used by GSS Key Exchanges.
by GSS Key Exchanges.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 15, 2018. This Internet-Draft will expire on July 26, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
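Review bot: the reworded Abstract now refers to the updated document as bare "RFC4462" ("additions and amendments to RFC4462"), dropping both the document title that the Introduction still uses ("SSH GSS-API Methods [RFC4462]") and the usual "RFC 4462" spacing. Suggest "additions and amendments to the SSH GSS-API Methods [RFC4462]" so the Abstract stays self-describing and consistent with Section 1.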
skipping to change at page 2, line 31 skipping to change at page 2, line 29
5.2.1. gss-nistp256-sha256-* . . . . . . . . . . . . . . . . 12 5.2.1. gss-nistp256-sha256-* . . . . . . . . . . . . . . . . 12
5.2.2. gss-nistp384-sha384-* . . . . . . . . . . . . . . . . 12 5.2.2. gss-nistp384-sha384-* . . . . . . . . . . . . . . . . 12
5.2.3. gss-nistp521-sha512-* . . . . . . . . . . . . . . . . 12 5.2.3. gss-nistp521-sha512-* . . . . . . . . . . . . . . . . 12
5.2.4. gss-curve25519-sha256-* . . . . . . . . . . . . . . . 12 5.2.4. gss-curve25519-sha256-* . . . . . . . . . . . . . . . 12
5.2.5. gss-curve448-sha512-* . . . . . . . . . . . . . . . . 13 5.2.5. gss-curve448-sha512-* . . . . . . . . . . . . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 13 7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 13
7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 13 7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 13
7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 14 7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 14
8. Normative References . . . . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for
authentication and key exchange in SSH. It defines three exchange authentication and key exchange in SSH. It defines three exchange
methods all based on DH groups and SHA-1. The new methods described methods all based on DH groups and SHA-1. The new methods described
in this document are intended to support environments that desire to in this document are intended to support environments that desire to
use the SHA-2 cryptographic hash functions. use the SHA-2 cryptographic hash functions.
2. Rationale 2. Rationale
Due to security concerns with SHA-1 [RFC6194] and with MODP groups Due to security concerns with SHA-1 [RFC6194] and with MODP groups
with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of
the SHA-2 based hashes with DH group14, group15, group16, group17 and the SHA-2 based hashes with DH group14, group15, group16, group17 and
group18 [RFC3526]. Additionally we add support for key exchange group18 [RFC3526]. Additionally we add support for key exchange
based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and
P-521 as well as X25519 and X448 curves. Following the rationale of P-521 as well as X25519 and X448 curves. Following the rationale of
[I-D.ietf-curdle-ssh-modp-dh-sha2] only SHA-256 and SHA-512 hashes [RFC8268] only SHA-256 and SHA-512 hashes are used for DH groups.
are used for DH groups. For NIST curves the same curve-to-hashing For NIST curves the same curve-to-hashing algorithm pairing used in
algorithm pairing used in [RFC5656] is adopted for consistency. [RFC5656] is adopted for consistency.
3. Document Conventions 3. Document Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
4. New Diffie-Hellman Key Exchange methods 4. New Diffie-Hellman Key Exchange methods
This document adopts the same naming convention defined in [RFC4462] This document adopts the same naming convention defined in [RFC4462]
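Review bot: Section 2 now cites the published [RFC8268] in place of the expired draft, which is correct, but the key-words paragraph in Section 3 still carries only the RFC 2119 form; since RFC 8174 (May 2017) the boilerplate should read "are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here", with [RFC8174] added to the normative references. Two small wording points in the same hunk: "Additionally we add support" wants a comma after "Additionally", and "Elliptic Curve Diffie Hellman" should be hyphenated "Diffie-Hellman" to match the Section 4 title.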
skipping to change at page 14, line 20 skipping to change at page 14, line 20
Some GSSAPI mechanisms can optionally delegate credentials to the Some GSSAPI mechanisms can optionally delegate credentials to the
target host by setting the deleg_ret_flag. In this case extra care target host by setting the deleg_ret_flag. In this case extra care
must be taken to ensure that the acceptor being authenticated matches must be taken to ensure that the acceptor being authenticated matches
the target the user intended. Some mechanisms implementations (like the target the user intended. Some mechanisms implementations (like
commonly used krb5 libraries) may use insecure DNS resolution to commonly used krb5 libraries) may use insecure DNS resolution to
canonicalize the target name; in these cases spoofing a DNS response canonicalize the target name; in these cases spoofing a DNS response
that points to an attacker-controlled machine may results in the user that points to an attacker-controlled machine may results in the user
silently delegating credentials to the attacker, who can then silently delegating credentials to the attacker, who can then
impersonate the user at will. impersonate the user at will.
8. Normative References 8. References
8.1. Normative References
[ANSI-X9-62-2005] [ANSI-X9-62-2005]
American National Standards Institute, "Public Key American National Standards Institute, "Public Key
Cryptography for the Financial Services Industry, The Cryptography for the Financial Services Industry, The
Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI
Standard X9.62, 2005. Standard X9.62, 2005.
[FIPS-180-4]
National Institute of Standards and Technology, "FIPS PUB
180-4: Secure Hash Standard (SHS)", FIPS PUB 180-4, August
2015, <http://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>.
[I-D.ietf-curdle-ssh-curves] [I-D.ietf-curdle-ssh-curves]
Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure
Shell (SSH) Key Exchange Method using Curve25519 and Shell (SSH) Key Exchange Method using Curve25519 and
Curve448", draft-ietf-curdle-ssh-curves-04 (work in Curve448", draft-ietf-curdle-ssh-curves-07 (work in
progress), April 2017. progress), January 2018.
[I-D.ietf-curdle-ssh-modp-dh-sha2]
Baushke, M., "More Modular Exponential (MODP) Diffie-
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell
(SSH)", draft-ietf-curdle-ssh-modp-dh-sha2-04 (work in
progress), April 2017.
[ISO-IEC-8825-1]
International Organization for Standardization /
International Electrotechnical Commission, "ASN.1 encoding
rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding
Rules (DER)", ISO/IEC 8825-1, November 2015,
<http://standards.iso.org/ittf/PubliclyAvailableStandards/
c068345_ISO_IEC_8825-1_2015.zip>.
[NIST-SP-800-131Ar1]
National Institute of Standards and Technology,
"Transitions: Recommendation for Transitioning of the Use
of Cryptographic Algorithms and Key Lengths", NIST Special
Publication 800-131A Revision 1, November 2015,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-131Ar1.pdf>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, DOI 10.17487/RFC1321, April 1992,
<https://www.rfc-editor.org/info/rfc1321>. <https://www.rfc-editor.org/info/rfc1321>.
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
<https://www.rfc-editor.org/info/rfc2045>. <https://www.rfc-editor.org/info/rfc2045>.
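Review bot: the Section 7.3 delegation text is unchanged in this revision and still has two grammar slips ("Some mechanisms implementations" should be "Some mechanism implementations", and "may results in" should be "may result in"); more importantly, it describes the DNS-spoofing risk to delegated credentials without telling implementers what to do about it. Suggest adding a sentence that implementations SHOULD NOT rely on DNS (and in particular reverse DNS) to canonicalize the acceptor name before delegating, and that the acceptor name passed to the mechanism SHOULD be derived from the host name the user supplied; for MIT krb5 this corresponds to the rdns and dns_canonicalize_hostname settings. On the reference changes in this hunk, the new [FIPS-180-4] entry is the right normative source for SHA-2, but [I-D.ietf-curdle-ssh-curves], now at -07, remains a work-in-progress citation in the normative list, so publication of this document will be held until that draft is published.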
skipping to change at page 16, line 10 skipping to change at page 15, line 25
"Generic Security Service Application Program Interface "Generic Security Service Application Program Interface
(GSS-API) Authentication and Key Exchange for the Secure (GSS-API) Authentication and Key Exchange for the Secure
Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May
2006, <https://www.rfc-editor.org/info/rfc4462>. 2006, <https://www.rfc-editor.org/info/rfc4462>.
[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm
Integration in the Secure Shell Transport Layer", Integration in the Secure Shell Transport Layer",
RFC 5656, DOI 10.17487/RFC5656, December 2009, RFC 5656, DOI 10.17487/RFC5656, December 2009,
<https://www.rfc-editor.org/info/rfc5656>. <https://www.rfc-editor.org/info/rfc5656>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<https://www.rfc-editor.org/info/rfc6194>.
[RFC7546] Kaduk, B., "Structure of the Generic Security Service [RFC7546] Kaduk, B., "Structure of the Generic Security Service
(GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546,
May 2015, <https://www.rfc-editor.org/info/rfc7546>. May 2015, <https://www.rfc-editor.org/info/rfc7546>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve [SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve
Domain Parameters", Standards for Efficient Domain Parameters", Standards for Efficient
Cryptography SEC 2, 2010. Cryptography SEC 2, 2010.
8.2. Informative References
[ISO-IEC-8825-1]
International Organization for Standardization /
International Electrotechnical Commission, "ASN.1 encoding
rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding
Rules (DER)", ISO/IEC 8825-1, November 2015,
<http://standards.iso.org/ittf/PubliclyAvailableStandards/
c068345_ISO_IEC_8825-1_2015.zip>.
[NIST-SP-800-131Ar1]
National Institute of Standards and Technology,
"Transitions: Recommendation for Transitioning of the Use
of Cryptographic Algorithms and Key Lengths", NIST Special
Publication 800-131A Revision 1, November 2015,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-131Ar1.pdf>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<https://www.rfc-editor.org/info/rfc6194>.
[RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie-
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell
(SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017,
<https://www.rfc-editor.org/info/rfc8268>.
Authors' Addresses Authors' Addresses
Simo Sorce Simo Sorce
Red Hat, Inc. Red Hat, Inc.
140 Broadway 140 Broadway
24th Floor 24th Floor
New York, NY 10025 New York, NY 10025
USA USA
Email: simo@redhat.com Email: simo@redhat.com
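Review bot: the split into 8.1 and 8.2 moves [ISO-IEC-8825-1] (DER) to Informative while [RFC1321] (MD5) and [RFC2045] (base64) stay Normative. Because this document adopts the RFC 4462 naming convention (Section 4), under which method names are formed from the base64 encoding of the MD5 hash of the DER-encoded mechanism OID, all three references are needed to compute the names, so the DER reference should remain normative alongside the other two. Moving [RFC6194], [NIST-SP-800-131Ar1] and [RFC8268] to Informative is correct, since they only support the Rationale in Section 2.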
 End of changes. 12 change blocks. 
51 lines changed or deleted 49 lines changed or added