draft-ietf-curdle-gss-keyex-sha2-04.txt   draft-ietf-curdle-gss-keyex-sha2-05.txt 
Internet Engineering Task Force S. Sorce Internet Engineering Task Force S. Sorce
Internet-Draft H. Kario Internet-Draft H. Kario
Updates: 4462 (if approved) Red Hat, Inc. Updates: 4462 (if approved) Red Hat, Inc.
Intended status: Standards Track January 22, 2018 Intended status: Standards Track Feb 22, 2018
Expires: July 26, 2018 Expires: August 26, 2018
GSS-API Key Exchange with SHA2 GSS-API Key Exchange with SHA2
draft-ietf-curdle-gss-keyex-sha2-04 draft-ietf-curdle-gss-keyex-sha2-05
Abstract Abstract
This document specifies additions and amendments to RFC4462. It This document specifies additions and amendments to RFC4462. It
defines a new key exchange method that uses SHA-2 for integrity and defines a new key exchange method that uses SHA-2 for integrity and
deprecates weak DH groups. The purpose of this specification is to deprecates weak DH groups. The purpose of this specification is to
modernize the cryptographic primitives used by GSS Key Exchanges. modernize the cryptographic primitives used by GSS Key Exchanges.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 26, 2018. This Internet-Draft will expire on August 26, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 38 skipping to change at page 2, line 38
7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 14 7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14 8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for
authentication and key exchange in SSH. It defines three exchange authentication and key exchange in SSH. It defines three exchange
methods all based on DH groups and SHA-1. The new methods described methods all based on DH groups and SHA-1. This document updates
in this document are intended to support environments that desire to RFC4462 with new methods intended to support environments that desire
use the SHA-2 cryptographic hash functions. to use the SHA-2 cryptographic hash functions.
2. Rationale 2. Rationale
Due to security concerns with SHA-1 [RFC6194] and with MODP groups Due to security concerns with SHA-1 [RFC6194] and with MODP groups
with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of
the SHA-2 based hashes with DH group14, group15, group16, group17 and the SHA-2 based hashes with DH group14, group15, group16, group17 and
group18 [RFC3526]. Additionally we add support for key exchange group18 [RFC3526]. Additionally we add support for key exchange
based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and
P-521 as well as X25519 and X448 curves. Following the rationale of P-521 as well as X25519 and X448 curves. Following the rationale of
[RFC8268] only SHA-256 and SHA-512 hashes are used for DH groups. [RFC8268] only SHA-256 and SHA-512 hashes are used for DH groups.
For NIST curves the same curve-to-hashing algorithm pairing used in For NIST curves the same curve-to-hashing algorithm pairing used in
[RFC5656] is adopted for consistency. [RFC5656] is adopted for consistency.
3. Document Conventions 3. Document Conventions
skipping to change at page 3, line 37 skipping to change at page 3, line 37
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
Each key exchange method is implicitly registered by this document. Each key exchange method is implicitly registered by this document.
The IESG is considered to be the owner of all these key exchange The IESG is considered to be the owner of all these key exchange
methods; this does NOT imply that the IESG is considered to be the methods; this does NOT imply that the IESG is considered to be the
owner of the underlying GSS-API mechanism. owner of the underlying GSS-API mechanism.
4.1. gss-group14-sha256-* 4.1. gss-group14-sha256-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-256 as key exchange as described in Section 2.1 of [RFC4462] with SHA-256
HASH, and the group defined in Section 8.2 of [RFC4253] The method as HASH, and the group defined in Section 8.2 of [RFC4253] The method
name for each method is the concatenation of the string "gss- name for each method is the concatenation of the string "gss-
group14-sha256-" with the Base64 encoding of the MD5 hash [RFC1321] group14-sha256-" with the Base64 encoding of the MD5 hash [RFC1321]
of the ASN.1 DER encoding [ISO-IEC-8825-1] of the underlying GSS-API of the ASN.1 DER encoding [ISO-IEC-8825-1] of the underlying GSS-API
mechanism's OID. Base64 encoding is described in Section 6.8 of mechanism's OID. Base64 encoding is described in Section 6.8 of
[RFC2045]. [RFC2045].
4.2. gss-group15-sha512-* 4.2. gss-group15-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512 as key exchange as described in Section 2.1 of [RFC4462] with SHA-512
HASH, and the group defined in Section 4 of [RFC3526] The method name as HASH, and the group defined in Section 4 of [RFC3526] The method
for each method is the concatenation of the string "gss- name for each method is the concatenation of the string "gss-
group15-sha512-" with the Base64 encoding of the MD5 hash of the group15-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID. ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.3. gss-group16-sha512-* 4.3. gss-group16-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512 as key exchange as described in Section 2.1 of [RFC4462] with SHA-512
HASH, and the group defined in Section 5 of [RFC3526] The method name as HASH, and the group defined in Section 5 of [RFC3526] The method
for each method is the concatenation of the string "gss- name for each method is the concatenation of the string "gss-
group16-sha512-" with the Base64 encoding of the MD5 hash of the group16-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID. ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.4. gss-group17-sha512-* 4.4. gss-group17-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512 as key exchange as described in Section 2.1 of [RFC4462] with SHA-512
HASH, and the group defined in Section 6 of [RFC3526] The method name as HASH, and the group defined in Section 6 of [RFC3526] The method
for each method is the concatenation of the string "gss- name for each method is the concatenation of the string "gss-
group17-sha512-" with the Base64 encoding of the MD5 hash of the group17-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID. ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.5. gss-group18-sha512-* 4.5. gss-group18-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512 as key exchange as described in Section 2.1 of [RFC4462] with SHA-512
HASH, and the group defined in Section 7 of [RFC3526] The method name as HASH, and the group defined in Section 7 of [RFC3526] The method
for each method is the concatenation of the string "gss- name for each method is the concatenation of the string "gss-
group18-sha512-" with the Base64 encoding of the MD5 hash of the group18-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID. ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
5. New Elliptic Curve Diffie-Hellman Key Exchange methods 5. New Elliptic Curve Diffie-Hellman Key Exchange methods
In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve
Cryptography are introduced. We reuse much of section 4 to implement Cryptography are introduced. We reuse much of section 4 to implement
GSS-API-authenticated ECDH Key Exchanges. GSS-API-authenticated ECDH Key Exchanges.
Additionally we utilize also the curves defined in Additionally we utilize also the curves defined in
[I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined [I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined
curves required by [RFC5656]. curves required by [RFC5656].
5.1. Generic GSS-API Key Exchange with ECDH 5.1. Generic GSS-API Key Exchange with ECDH
This section reuses much of the scheme defined in Section 2.1 of This section reuses much of the scheme defined in Section 2.1 of
[RFC4462] and combines it with the scheme defined in Section 4 of [RFC4462] and combines it with the scheme defined in Section 4 of
[RFC5656]; in particular, all checks and verification steps [RFC5656]; in particular, all checks and verification steps
prescribed in Section 4 of [RFC5656] apply here as well. prescribed in Section 4 of [RFC5656] apply here as well.
The symbols used in this description conform to the symbols used in The symbols used in this description conform to the symbols used in
Section 2.1 of [RFC4462]. Additionally, the following symbols are Section 2.1 of [RFC4462]. Additionally, the following symbols are
defined: defined:
Q_C is the client ephemeral public key octet string Q_C is the client ephemeral public key octet string
Q_S is the server ephemeral public key octet string Q_S is the server ephemeral public key octet string
This section defers to [RFC7546] as the source of information on GSS- This section defers to [RFC7546] as the source of information on GSS-
skipping to change at page 8, line 32 skipping to change at page 8, line 32
server. server.
For NIST curves, the peers perform point multiplication using For NIST curves, the peers perform point multiplication using
d_U and q_V to get point P. d_U and q_V to get point P.
For NIST curves, peers verify that P is not a point at For NIST curves, peers verify that P is not a point at
infinity. If P is a point at infinity, the key exchange MUST infinity. If P is a point at infinity, the key exchange MUST
fail. fail.
For NIST curves, the shared secret is the zero-padded big- For NIST curves, the shared secret is the zero-padded big-
endian representation of the x coordinate of P. endian representation of the x coordinate of P - 32 octets long
for nistp256, 48 octets for nistp384 and 64 octets long for
nistp521.
For curve25519 and curve448, the peers apply the X25519 or X448 For curve25519 and curve448, the peers apply the X25519 or X448
function, respectively for curve25519 and curve448, on the d_U function, respectively for curve25519 and curve448, on the d_U
and q_V. The result of the function is the shared secret. and q_V. The result of the function is the shared secret.
For curve25519 and curve448, if all the octets of the shared For curve25519 and curve448, if all the octets of the shared
secret are zero octets, the key exchange MUST fail. secret are zero octets, the key exchange MUST fail.
H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).
skipping to change at page 13, line 21 skipping to change at page 13, line 21
concatenation of the string "gss-curve448-sha512-" with the Base64 concatenation of the string "gss-curve448-sha512-" with the Base64
encoding of the MD5 hash [RFC1321] of the ASN.1 DER encoding encoding of the MD5 hash [RFC1321] of the ASN.1 DER encoding
[ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID. Base64 [ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID. Base64
encoding is described in Section 6.8 of [RFC2045]. encoding is described in Section 6.8 of [RFC2045].
6. IANA Considerations 6. IANA Considerations
This document augments the SSH Key Exchange Method Names in This document augments the SSH Key Exchange Method Names in
[RFC4462]. [RFC4462].
IANA is requested to update the SSH algorithm registry with the IANA is requested to update the SSH Protocol Parameters
following entries: [IANA-KEX-NAMES] registry with the following entries:
+--------------------------+------------+------------------------+ +--------------------------+------------+------------------------+
| Key Exchange Method Name | Reference | Implementation Support | | Key Exchange Method Name | Reference | Implementation Support |
+--------------------------+------------+------------------------+ +--------------------------+------------+------------------------+
| gss-group14-sha256-* | This draft | SHOULD | | gss-group14-sha256-* | This draft | SHOULD |
| gss-group15-sha512-* | This draft | MAY | | gss-group15-sha512-* | This draft | MAY |
| gss-group16-sha512-* | This draft | SHOULD | | gss-group16-sha512-* | This draft | SHOULD |
| gss-group17-sha512-* | This draft | MAY | | gss-group17-sha512-* | This draft | MAY |
| gss-group18-sha512-* | This draft | MAY | | gss-group18-sha512-* | This draft | MAY |
| gss-nistp256-sha256-* | This draft | SHOULD | | gss-nistp256-sha256-* | This draft | SHOULD |
skipping to change at page 14, line 6 skipping to change at page 14, line 6
groups, no significant changes has been made to the protocol groups, no significant changes has been made to the protocol
described by [RFC4462]; therefore all the original Security described by [RFC4462]; therefore all the original Security
Considerations apply. Considerations apply.
7.2. New Elliptic Curve DH mechanisms 7.2. New Elliptic Curve DH mechanisms
Although a new cryptographic primitive is used with these methods the Although a new cryptographic primitive is used with these methods the
actual key exchange closely follows the key exchange defined in actual key exchange closely follows the key exchange defined in
[RFC5656]; therefore all the original Security Considerations as well [RFC5656]; therefore all the original Security Considerations as well
as those expressed in [RFC5656] apply. as those expressed in [RFC5656] apply.
7.3. GSSAPI Delegation 7.3. GSSAPI Delegation
Some GSSAPI mechanisms can optionally delegate credentials to the Some GSSAPI mechanisms can optionally delegate credentials to the
target host by setting the deleg_ret_flag. In this case extra care target host by setting the deleg_ret_flag. In this case extra care
must be taken to ensure that the acceptor being authenticated matches must be taken to ensure that the acceptor being authenticated matches
the target the user intended. Some mechanisms implementations (like the target the user intended. Some mechanisms implementations (like
commonly used krb5 libraries) may use insecure DNS resolution to commonly used krb5 libraries) may use insecure DNS resolution to
canonicalize the target name; in these cases spoofing a DNS response canonicalize the target name; in these cases spoofing a DNS response
that points to an attacker-controlled machine may results in the user that points to an attacker-controlled machine may results in the user
skipping to change at page 15, line 39 skipping to change at page 15, line 39
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve [SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve
Domain Parameters", Standards for Efficient Domain Parameters", Standards for Efficient
Cryptography SEC 2, 2010. Cryptography SEC 2, 2010.
8.2. Informative References 8.2. Informative References
[IANA-KEX-NAMES]
Internet Assigned Numbers Authority, "Secure Shell (SSH)
Protocol Parameters: Key Exchange Method Names", June
2005, <https://www.iana.org/assignments/ssh-parameters/
ssh-parameters.xhtml#ssh-parameters-16>.
[ISO-IEC-8825-1] [ISO-IEC-8825-1]
International Organization for Standardization / International Organization for Standardization /
International Electrotechnical Commission, "ASN.1 encoding International Electrotechnical Commission, "ASN.1 encoding
rules: Specification of Basic Encoding Rules (BER), rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding Canonical Encoding Rules (CER) and Distinguished Encoding
Rules (DER)", ISO/IEC 8825-1, November 2015, Rules (DER)", ISO/IEC 8825-1, November 2015,
<http://standards.iso.org/ittf/PubliclyAvailableStandards/ <http://standards.iso.org/ittf/PubliclyAvailableStandards/
c068345_ISO_IEC_8825-1_2015.zip>. c068345_ISO_IEC_8825-1_2015.zip>.
[NIST-SP-800-131Ar1] [NIST-SP-800-131Ar1]
 End of changes. 15 change blocks. 
27 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/