draft-ietf-curdle-gss-keyex-sha2-05.txt   draft-ietf-curdle-gss-keyex-sha2-06.txt 
Internet Engineering Task Force S. Sorce Internet Engineering Task Force S. Sorce
Internet-Draft H. Kario Internet-Draft H. Kario
Updates: 4462 (if approved) Red Hat, Inc. Updates: 4462 (if approved) Red Hat, Inc.
Intended status: Standards Track Feb 22, 2018 Intended status: Standards Track Jul 2, 2018
Expires: August 26, 2018 Expires: January 3, 2019
GSS-API Key Exchange with SHA2 GSS-API Key Exchange with SHA2
draft-ietf-curdle-gss-keyex-sha2-05 draft-ietf-curdle-gss-keyex-sha2-06
Abstract Abstract
This document specifies additions and amendments to RFC4462. It This document specifies additions and amendments to RFC4462. It
defines a new key exchange method that uses SHA-2 for integrity and defines a new key exchange method that uses SHA-2 for integrity and
deprecates weak DH groups. The purpose of this specification is to deprecates weak DH groups. The purpose of this specification is to
modernize the cryptographic primitives used by GSS Key Exchanges. modernize the cryptographic primitives used by GSS Key Exchanges.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 26, 2018. This Internet-Draft will expire on January 3, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Document Conventions . . . . . . . . . . . . . . . . . . . . 3 3. Document Conventions . . . . . . . . . . . . . . . . . . . . 2
4. New Diffie-Hellman Key Exchange methods . . . . . . . . . . . 3 4. New Diffie-Hellman Key Exchange methods . . . . . . . . . . . 3
4.1. gss-group14-sha256-* . . . . . . . . . . . . . . . . . . 3
4.2. gss-group15-sha512-* . . . . . . . . . . . . . . . . . . 3
4.3. gss-group16-sha512-* . . . . . . . . . . . . . . . . . . 4
4.4. gss-group17-sha512-* . . . . . . . . . . . . . . . . . . 4
4.5. gss-group18-sha512-* . . . . . . . . . . . . . . . . . . 4
5. New Elliptic Curve Diffie-Hellman Key Exchange methods . . . 4 5. New Elliptic Curve Diffie-Hellman Key Exchange methods . . . 4
5.1. Generic GSS-API Key Exchange with ECDH . . . . . . . . . 4 5.1. Generic GSS-API Key Exchange with ECDH . . . . . . . . . 4
5.2. ECDH Key Exchange Methods . . . . . . . . . . . . . . . . 11 5.2. ECDH Key Exchange Methods . . . . . . . . . . . . . . . . 8
5.2.1. gss-nistp256-sha256-* . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
5.2.2. gss-nistp384-sha384-* . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5.2.3. gss-nistp521-sha512-* . . . . . . . . . . . . . . . . 12 7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 9
5.2.4. gss-curve25519-sha256-* . . . . . . . . . . . . . . . 12 7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 10
5.2.5. gss-curve448-sha512-* . . . . . . . . . . . . . . . . 13 7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . 11
7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for
authentication and key exchange in SSH. It defines three exchange authentication and key exchange in SSH. It defines three exchange
methods all based on DH groups and SHA-1. This document updates methods all based on DH groups and SHA-1. This document updates
RFC4462 with new methods intended to support environments that desire RFC4462 with new methods intended to support environments that desire
to use the SHA-2 cryptographic hash functions. to use the SHA-2 cryptographic hash functions.
2. Rationale 2. Rationale
Due to security concerns with SHA-1 [RFC6194] and with MODP groups Due to security concerns with SHA-1 [RFC6194] and with MODP groups
with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of
the SHA-2 based hashes with DH group14, group15, group16, group17 and the SHA-2 [RFC6234] based hashes with DH group14, group15, group16,
group18 [RFC3526]. Additionally we add support for key exchange group17 and group18 [RFC3526]. Additionally we add support for key
based on Elliptic Curve Diffie Hellman with NIST P-256, P-384 and exchange based on Elliptic Curve Diffie Hellman with the NIST P-256,
P-521 as well as X25519 and X448 curves. Following the rationale of P-384 and P-521 as well as the X25519 and X448 curves. Following the
[RFC8268] only SHA-256 and SHA-512 hashes are used for DH groups. rationale of [RFC8268] only SHA-256 and SHA-512 hashes are used for
For NIST curves the same curve-to-hashing algorithm pairing used in DH groups. For NIST curves the same curve-to-hashing algorithm
[RFC5656] is adopted for consistency. pairing used in [RFC5656] is adopted for consistency.
3. Document Conventions 3. Document Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
4. New Diffie-Hellman Key Exchange methods 4. New Diffie-Hellman Key Exchange methods
This document adopts the same naming convention defined in [RFC4462] This document adopts the same naming convention defined in [RFC4462]
skipping to change at page 3, line 34 skipping to change at page 3, line 28
| gss-group16-sha512-* | SHOULD/RECOMMENDED | | gss-group16-sha512-* | SHOULD/RECOMMENDED |
| gss-group17-sha512-* | MAY/OPTIONAL | | gss-group17-sha512-* | MAY/OPTIONAL |
| gss-group18-sha512-* | MAY/OPTIONAL | | gss-group18-sha512-* | MAY/OPTIONAL |
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
Each key exchange method is implicitly registered by this document. Each key exchange method is implicitly registered by this document.
The IESG is considered to be the owner of all these key exchange The IESG is considered to be the owner of all these key exchange
methods; this does NOT imply that the IESG is considered to be the methods; this does NOT imply that the IESG is considered to be the
owner of the underlying GSS-API mechanism. owner of the underlying GSS-API mechanism.
4.1. gss-group14-sha256-* Each method in any family of methods specifies GSS-API-authenticated
Diffie-Hellman key exchanges as described in Section 2.1 of
Each of these methods specifies GSS-API-authenticated Diffie-Hellman [RFC4462]. The method name for each method is the concatenation of
key exchange as described in Section 2.1 of [RFC4462] with SHA-256 the family method name with the Base64 encoding of the MD5 hash
as HASH, and the group defined in Section 8.2 of [RFC4253] The method [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the
name for each method is the concatenation of the string "gss- underlying GSS-API mechanism's OID. Base64 encoding is described in
group14-sha256-" with the Base64 encoding of the MD5 hash [RFC1321] Section 6.8 of [RFC2045].
of the ASN.1 DER encoding [ISO-IEC-8825-1] of the underlying GSS-API
mechanism's OID. Base64 encoding is described in Section 6.8 of
[RFC2045].
4.2. gss-group15-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512
as HASH, and the group defined in Section 4 of [RFC3526] The method
name for each method is the concatenation of the string "gss-
group15-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.3. gss-group16-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512
as HASH, and the group defined in Section 5 of [RFC3526] The method
name for each method is the concatenation of the string "gss-
group16-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.4. gss-group17-sha512-*
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 of [RFC4462] with SHA-512
as HASH, and the group defined in Section 6 of [RFC3526] The method
name for each method is the concatenation of the string "gss-
group17-sha512-" with the Base64 encoding of the MD5 hash of the
ASN.1 DER encoding of the underlying GSS-API mechanism's OID.
4.5. gss-group18-sha512-* Family method refences
Each of these methods specifies GSS-API-authenticated Diffie-Hellman +---------------------+-------------+-------------+-----------------+
key exchange as described in Section 2.1 of [RFC4462] with SHA-512 | Family Name prefix | Hash | Group | Reference |
as HASH, and the group defined in Section 7 of [RFC3526] The method | | Function | | |
name for each method is the concatenation of the string "gss- +---------------------+-------------+-------------+-----------------+
group18-sha512-" with the Base64 encoding of the MD5 hash of the | gss-group14-sha256- | SHA-256 | 2048-bit | Section 3 of |
ASN.1 DER encoding of the underlying GSS-API mechanism's OID. | | | MODP | [RFC3526] |
| gss-group15-sha512- | SHA-512 | 3072-bit | Section 4 of |
| | | MODP | [RFC3526] |
| gss-group16-sha512- | SHA-512 | 4096-bit | Section 5 of |
| | | MODP | [RFC3526] |
| gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of |
| | | MODP | [RFC3526] |
| gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of |
| | | MODP | [RFC3526] |
+---------------------+-------------+-------------+-----------------+
5. New Elliptic Curve Diffie-Hellman Key Exchange methods 5. New Elliptic Curve Diffie-Hellman Key Exchange methods
In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve
Cryptography are introduced. We reuse much of section 4 to implement Cryptography are introduced. We reuse much of section 4 to define
GSS-API-authenticated ECDH Key Exchanges. GSS-API-authenticated ECDH Key Exchanges.
Additionally we utilize also the curves defined in Additionally we utilize also the curves defined in
[I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined [I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined
curves required by [RFC5656]. curves required by [RFC5656].
5.1. Generic GSS-API Key Exchange with ECDH 5.1. Generic GSS-API Key Exchange with ECDH
This section reuses much of the scheme defined in Section 2.1 of This section reuses much of the scheme defined in Section 2.1 of
[RFC4462] and combines it with the scheme defined in Section 4 of [RFC4462] and combines it with the scheme defined in Section 4 of
[RFC5656]; in particular, all checks and verification steps [RFC5656]; in particular, all checks and verification steps
prescribed in Section 4 of [RFC5656] apply here as well. prescribed in Section 4 of [RFC5656] apply here as well.
The symbols used in this description conform to the symbols used in
Section 2.1 of [RFC4462]. Additionally, the following symbols are
defined:
Q_C is the client ephemeral public key octet string
Q_S is the server ephemeral public key octet string For curve25519 and curve448 related computations see Section 6 of
[RFC7748].
This section defers to [RFC7546] as the source of information on GSS- This section defers to [RFC7546] as the source of information on GSS-
API context establishment operations, Section 3 being the most API context establishment operations, Section 3 being the most
relevant. All Security Considerations described in [RFC7546] apply relevant. All Security Considerations described in [RFC7546] apply
here too. here too.
The Client: The parties generate each an ephemeral key pair, according to
Section 3.2.1 of [SEC1v2]. Keys are verified upon receipt by the
1. C generates an ephemeral key pair with public key Q_C. It does parties according to Section 3.2.3.1 of [SEC1v2].
that by:
For NIST curves:
Selecting a value d_C uniformly at random from the interval [1,
n-1] where n is the order of generator of the curve associated
with the selected key exchange method.
Performing point multiplication between the curve base point
and selected integer d_C to get the public point q_C.
Converts the point q_C to the Q_C octet string by concatenation
of value 0x04 and big-endian representation of the x coordinate
and then y coordinate. The coordinate coversion MUST preserve
leading zero octets. Thus for nistp521 curve the encoded x
coordinate will always have a length of 66 octets while the Q_C
representation will be 133 octets long. This is the
uncompressed representation specified in Section 4.3.6 of
[ANSI-X9-62-2005].
For curve25519 and curve448:
Selecting d_C as 32 uniformly distributed random octets for
curve25519 and 56 octets for curve448.
Preparing the generator g as the number 9 little-endian encoded
in 32 octets for curve25519 and number 5 in 56 octets for
curve448. This is the same as an octet of value 0x09 followed
by 31 zero octets for curve255519 and as an octect of value
0x05 followed by 55 zero octets.
Calculating Q_C as the result of the call to X25519 or X448 For NIST Curves keys use uncompressed point representation and must
function, respectively for curve25519 and curve448 key be converted using the algorithm in Section 2.3.4 of [SEC1v2]. If
exchange, with parameters d_C and g. the conversion fails or the point is trasmitted using compressed
representation, the key exchange MUST fail.
2. C calls GSS_Init_sec_context(), using the most recent reply token A GSS Context is established according to Section 4 of [RFC5656]; The
received from S during this exchange, if any. For this call, the client initiates the establishment using GSS_Init_sec_context() and
client MUST set mutual_req_flag to "true" to request that mutual the server completes it using GSS_Accept_sec_context(). For the
authentication be performed. It also MUST set integ_req_flag to negotiation, the client MUST set mutual_req_flag and integ_req_flag
"true" to request that per-message integrity protection be supported to "true". In addition, deleg_req_flag MAY be set to "true" to
for this context. In addition, deleg_req_flag MAY be set to "true" request access delegation, if requested by the user. Since the key
to request access delegation, if requested by the user. Since the exchange process authenticates only the host, the setting of
key exchange process authenticates only the host, the setting of
anon_req_flag is immaterial to this process. If the client does not anon_req_flag is immaterial to this process. If the client does not
support the "gssapi-keyex" user authentication method described in support the "gssapi-keyex" user authentication method described in
Section 4 of [RFC4462], or does not intend to use that method in Section 4 of [RFC4462], or does not intend to use that method in
conjunction with the GSS-API context established during key exchange, conjunction with the GSS-API context established during key exchange,
then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY
be set to true if the client wishes to hide its identity. Since the be set to true if the client wishes to hide its identity. This key
key exchange process will involve the exchange of only a single token exchange process will exchange only a single token once the context
once the context has been established, it is not necessary that the has been established, therefore the replay_det_req_flag and
GSS-API context support detection of replayed or out-of-sequence sequence_req_flag SHOULD be set to "false".
tokens. Thus, replay_det_req_flag and sequence_req_flag need not be
set for this process. These flags SHOULD be set to "false".
If the resulting major_status code is GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication has not
been established, and the key exchange MUST fail.
If the resulting major_status code is GSS_S_COMPLETE and the
integ_avail flag is not true, then per-message integrity
protection is not available, and the key exchange MUST fail.
If the resulting major_status code is GSS_S_COMPLETE and both the
mutual_state and integ_avail flags are true, the resulting output
token is sent to S.
If the resulting major_status code is GSS_S_CONTINUE_NEEDED, the
output_token is sent to S, which will reply with a new token to be
provided to GSS_Init_sec_context().
The client MUST also include Q_C with the first message it sends
to the server during this process; if the server receives more
than one Q_C or none at all, the key exchange MUST fail.
It is an error if the call does not produce a token of non-zero
length to be sent to the server. In this case, the key exchange
MUST fail.
3. When a Q_C key is received, S verifies that the key is valid. If
the key is not valid the key exchange MUST fail.
The server first checks if the length of the Q_C matches the
selected key exchange: 65 octets for nistp256, 97 octets for
nistp384, 133 octets for nistp521, 32 octets for curve25519 or 56
octets for curve448. If the value does not have matching length
the key exchange MUST fail.
In case of key exchanges that use NIST curves, the server MUST
check if the first octet of the Q_C is equal to 0x04. If the
octet has different value the key exchange MUST fail.
For NIST curves, the server converts the octet representation of
the key to q_C point representation by interpreting the first half
of remaining octets as the unsigned big-endian representation of
the x coordinate of the point and the second half as the unsigned
big-endian representation of the y coordinate.
For NIST curves, the server verifies that the q_C is not a point
at infinity, that both coordinates are in the interval [0, p - 1],
where p is the prime associated with the curve of the selected key
exchange and that the point lies on the curve (satisfies the curve
equation).
For curve25519, the server verifies that the the high-order bit of
the last octet is not set - this prevents distinguishing attacks
between implementations that use Montgomery ladder implementation
of the curve and ones that use generic elliptic-curve libraries.
If the bit is set, the key exchange SHOULD fail. For curve448 any
bit can be set.
For curve25519 and curve448, the point is not decoded but used as
is. Q_C and q_C are considered equivalent.
4. S calls GSS_Accept_sec_context(), using the token received from
C.
If the resulting major_status code is GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication has not
been established, and the key exchange MUST fail.
If the resulting major_status code is GSS_S_COMPLETE and the
integ_avail flag is not true, then per-message integrity
protection is not available, and the key exchange MUST fail.
If the resulting major_status code is GSS_S_COMPLETE and both the
mutual_state and integ_avail flags are true, then the security
context has been established, and processing continues with step
5.
If the resulting major_status code is GSS_S_CONTINUE_NEEDED, then
the output token is sent to C, and processing continues with step
2.
If the resulting major_status code is GSS_S_COMPLETE, but a non-
zero-length reply token is returned, then that token is sent to
the client.
5. S generates an ephemeral key pair with public key Q_S calculated
the same way it is done in step 1 and peforms the following
computations:
K a shared secret obtained using ECDH key exchange:
Both client and server perform the same calculation where d_U
is the secret value, d_C for client and d_S for server and q_V
is the received public value, q_S for client and q_C for
server.
For NIST curves, the peers perform point multiplication using
d_U and q_V to get point P.
For NIST curves, peers verify that P is not a point at
infinity. If P is a point at infinity, the key exchange MUST
fail.
For NIST curves, the shared secret is the zero-padded big-
endian representation of the x coordinate of P - 32 octets long
for nistp256, 48 octets for nistp384 and 64 octets long for
nistp521.
For curve25519 and curve448, the peers apply the X25519 or X448
function, respectively for curve25519 and curve448, on the d_U
and q_V. The result of the function is the shared secret.
For curve25519 and curve448, if all the octets of the shared
secret are zero octets, the key exchange MUST fail.
H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). The client MUST include its public key with the first message it
sends to the server during this process; if the server receives more
than one key or none at all, the key exchange MUST fail.
MIC is the GSS-API message integrity code for H computed by During GSS Context estalishment multiple tokens may be exchanged by
calling GSS_GetMIC(). the client and the server. When the GSS Context is established
(major_status is GSS_S_COMPLETE) the parties check that mutual_state
and integ_avail are both "true". If not the key exchange MUST fail.
S then sends Q_S and the message integrity code (MIC) to C. Once a party receives the peer's public key it proceeds to compute a
shared secret K. For NIST Curves the computation is done according
to Section 3.3.1 of [SEC1v2] and the resulting value z is converted
to the octet string K using the conversion defined in Section 2.3.5
of [SEC1v2]. For curve25519 and curve448 the algorithm in Section 6
of [RFC7748] is used instead.
6. This step is performed only if the server's final call to To verify the integrity of the handshake, peers use the Hash Function
GSS_Accept_sec_context() produced a non-zero-length final reply token defined by the selected Key Exchange method to calculate H:
to be sent to the client and if no previous call by the client to
GSS_Init_sec_context() has resulted in a major_status of
GSS_S_COMPLETE. Under these conditions, the client makes an
additional call to GSS_Init_sec_context() to process the final reply
token. This call is made exactly as described above. However, if
the resulting major_status is anything other than GSS_S_COMPLETE, or
a non-zero-length token is returned, it is an error and the key
exchange MUST fail.
7. C verifies that the key Q_S is valid the same way it is done in H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).
step 3. If the key is not valid the key exchange MUST fail.
8. C computes the shared secret K and H and verifies that it is The GSS_GetMIC() call is used by the server with H as the payload and
valid the same way it is done in step 5. It then calls generates a MIC. The GSS_VerifyMIC() call is used by the client to
GSS_VerifyMIC() to check that the MIC sent by S verifies H's verify the MIC.
integrity. If the MIC is not successfully verified, the key exchange
MUST fail.
If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a
major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or
any other GSS-API call returns a major_status other than any other GSS-API call returns a major_status other than
GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations
expressed in Section 2.1 of [RFC4462] are followed with regards to expressed in Section 2.1 of [RFC4462] are followed with regards to
error reporting. error reporting.
This exchange is implemented with the following messages: The following is an overview of the key exchange process:
Client Server
------ ------
Generate ephemeral key pair.
Calls GSS_Init_sec_context().
SSH_MSG_KEXGSS_INIT --------------->
Verify received key is valid.
(Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY
(Loop)
| Calls GSS_Accept_sec_context().
| <------------ SSH_MSG_KEXGSS_CONTINUE
| Calls GSS_Init_sec_context().
| SSH_MSG_KEXGSS_CONTINUE ------------>
Calls GSS_Accept_sec_context().
Generate ephemeral key pair.
Compute shared secret.
Computes hash H.
Calls GSS_GetMIC( H ) = MIC.
<------------ SSH_MSG_KEXGSS_COMPLETE
Verify received key is valid.
Compute shared secret.
Compute hash = H
Calls GSS_VerifyMIC( MIC, H )
This is implemented with the following messages:
The client sends: The client sends:
byte SSH_MSG_KEXGSS_INIT byte SSH_MSG_KEXGSS_INIT
string output_token (from GSS_Init_sec_context()) string output_token (from GSS_Init_sec_context())
string Q_C, client's ephemeral public key octet string string Q_C, client's ephemeral public key octet string
The server may responds with: The server may responds with:
byte SSH_MSG_KEXGSS_HOSTKEY byte SSH_MSG_KEXGSS_HOSTKEY
string server public host key and certificates (K_S) string server public host key and certificates (K_S)
Since this key exchange method does not require the host key to be The server sends:
used for any encryption operations, this message is OPTIONAL. If the
"null" host key algorithm described in Section 5 of [RFC4462] is
used, this message MUST NOT be sent.
Each time the server's call to GSS_Accept_sec_context() returns a
major_status code of GSS_S_CONTINUE_NEEDED
The server replies:
byte SSH_MSG_KEXGSS_CONTINUE byte SSH_MSG_KEXGSS_CONTINUE
string output_token (from GSS_Accept_sec_context()) string output_token (from GSS_Accept_sec_context())
If the client receives this message after a call to
GSS_Init_sec_context() has returned a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail.
Each time the client receives the message described above, it makes Each time the client receives the message described above, it makes
another call to GSS_Init_sec_context(). another call to GSS_Init_sec_context().
The client sends: The client sends:
byte SSH_MSG_KEXGSS_CONTINUE byte SSH_MSG_KEXGSS_CONTINUE
string output_token (from GSS_Init_sec_context()) string output_token (from GSS_Init_sec_context())
The server and client continue to trade these two messages as long as As the final message the server sends either:
the server's calls to GSS_Accept_sec_context() result in major_status
codes of GSS_S_CONTINUE_NEEDED. When a call results in a
major_status code of GSS_S_COMPLETE, it sends one of two final
messages.
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code of GSS_S_COMPLETE) returns a non-zero-length
token to be sent to the client, it sends the following:
byte SSH_MSG_KEXGSS_COMPLETE byte SSH_MSG_KEXGSS_COMPLETE
string Q_S, server's ephemeral public key octet string string Q_S, server's ephemeral public key octet string
string mic_token (MIC of H) string mic_token (MIC of H)
boolean TRUE boolean TRUE
string output_token (from GSS_Accept_sec_context()) string output_token (from GSS_Accept_sec_context())
If the client receives this message after a call to Or the following if no output_token is available:
GSS_Init_sec_context() has returned a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail.
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code of GSS_S_COMPLETE) returns a zero-length token or
no token at all, it sends the following:
byte SSH_MSG_KEXGSS_COMPLETE byte SSH_MSG_KEXGSS_COMPLETE
string Q_S, server's ephemeral public key octet string string Q_S, server's ephemeral public key octet string
string mic_token (MIC of H) string mic_token (MIC of H)
boolean FALSE boolean FALSE
If the client receives this message when no call to
GSS_Init_sec_context() has yet resulted in a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail.
In case of errors the messages described in Section 2.1 of [RFC4462]
are used as well as the recommendation about the messages' order.
The hash H is computed as the HASH hash of the concatenation of the The hash H is computed as the HASH hash of the concatenation of the
following: following:
string V_C, the client's version string (CR, NL excluded) string V_C, the client's version string (CR, NL excluded)
string V_S, server's version string (CR, NL excluded) string V_S, server's version string (CR, NL excluded)
string I_C, payload of the client's SSH_MSG_KEXINIT string I_C, payload of the client's SSH_MSG_KEXINIT
string I_S, payload of the server's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT
string K_S, server's public host key string K_S, server's public host key
string Q_C, client's ephemeral public key octet string string Q_C, client's ephemeral public key octet string
string Q_S, server's ephemeral public key octet string string Q_S, server's ephemeral public key octet string
mpint K, shared secret mpint K, shared secret
This value is called the exchange hash, and it is used to This value is called the exchange hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept authenticate the key exchange. The exchange hash SHOULD be kept
secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the
server or received by the client, then the empty string is used in server or received by the client, then the empty string is used in
place of K_S when computing the exchange hash. place of K_S when computing the exchange hash.
The GSS_GetMIC call MUST be applied over H, not the original data. Since this key exchange method does not require the host key to be
used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY
message is OPTIONAL. If the "null" host key algorithm described in
Section 5 of [RFC4462] is used, this message MUST NOT be sent.
If the client receives a SSH_MSG_KEXGSS_CONTINUE message after a call
to GSS_Init_sec_context() has returned a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail.
If the client receives a SSH_MSG_KEXGSS_COMPLETE message and a call
to GSS_Init_sec_context() does not result in a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
MUST fail.
5.2. ECDH Key Exchange Methods 5.2. ECDH Key Exchange Methods
The following new key exchange methods are defined: The following new key exchange methods are defined:
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
| Key Exchange Method Name | Implementation Recommendations | | Key Exchange Method Name | Implementation Recommendations |
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
| gss-nistp256-sha256-* | SHOULD/RECOMMENDED | | gss-nistp256-sha256-* | SHOULD/RECOMMENDED |
| gss-nistp384-sha384-* | MAY/OPTIONAL | | gss-nistp384-sha384-* | MAY/OPTIONAL |
| gss-nistp521-sha512-* | MAY/OPTIONAL | | gss-nistp521-sha512-* | MAY/OPTIONAL |
| gss-curve25519-sha256-* | SHOULD/RECOMMENDED | | gss-curve25519-sha256-* | SHOULD/RECOMMENDED |
| gss-curve448-sha512-* | MAY/OPTIONAL | | gss-curve448-sha512-* | MAY/OPTIONAL |
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
Each key exchange method is implicitly registered by this document. Each key exchange method is implicitly registered by this document.
The IESG is considered to be the owner of all these key exchange The IESG is considered to be the owner of all these key exchange
methods; this does NOT imply that the IESG is considered to be the methods; this does NOT imply that the IESG is considered to be the
owner of the underlying GSS-API mechanism. owner of the underlying GSS-API mechanism.
5.2.1. gss-nistp256-sha256-* Each method in any family of methods specifies GSS-API-authenticated
Elliptic Curve Diffie-Hellman key exchanges as described in
Each of these methods specifies GSS-API-authenticated Elliptic Curve Section 5.1. The method name for each method is the concatenation of
Diffie-Hellman key exchange as described in Section 5.1 of this the family method name with the Base64 encoding of the MD5 hash
document with SHA-256 as HASH, and the curve and base point defined [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the
in section 2.4.2 of [SEC2v2] as secp256r1. The method name for each underlying GSS-API mechanism's OID. Base64 encoding is described in
method is the concatenation of the string "gss-nistp256-sha256-" with Section 6.8 of [RFC2045].
the Base64 encoding of the MD5 hash [RFC1321] of the ASN.1 DER
encoding [ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID.
Base64 encoding is described in Section 6.8 of [RFC2045].
5.2.2. gss-nistp384-sha384-*
Each of these methods specifies GSS-API-authenticated Elliptic Curve
Diffie-Hellman key exchange as described in Section 5.1 of this
document with SHA-384 as HASH, and the curve and base point defined
in section 2.5.1 of [SEC2v2] as secp384r1. The method name for each
method is the concatenation of the string "gss-nistp384-sha384-" with
the Base64 encoding of the MD5 hash [RFC1321] of the ASN.1 DER
encoding [ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID.
Base64 encoding is described in Section 6.8 of [RFC2045].
5.2.3. gss-nistp521-sha512-*
Each of these methods specifies GSS-API-authenticated Elliptic Curve
Diffie-Hellman key exchange as described in Section 5.1 of this
document with SHA-512 as HASH, and the curve and base point defined
in section 2.6.1 of [SEC2v2] as secp521r1. The method name for each
method is the concatenation of the string "gss-nistp521-sha512-" with
the Base64 encoding of the MD5 hash [RFC1321] of the ASN.1 DER
encoding [ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID.
Base64 encoding is described in Section 6.8 of [RFC2045].
5.2.4. gss-curve25519-sha256-*
Each of these methods specifies GSS-API-authenticated Elliptic Curve
Diffie-Hellman key exchange as described in Section 5.1 of this
document with SHA-256 as HASH, and the X25519 function defined in
section 5 of [RFC7748]. The method name for each method is the
concatenation of the string "gss-curve25519-sha256-" with the Base64
encoding of the MD5 hash [RFC1321] of the ASN.1 DER encoding
[ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID. Base64
encoding is described in Section 6.8 of [RFC2045].
5.2.5. gss-curve448-sha512-* Family method refences
Each of these methods specifies GSS-API-authenticated Elliptic Curve +------------------------+----------+---------------+---------------+
Diffie-Hellman key exchange as described in Section 5.1 of this | Family Name prefix | Hash | Parameters / | Definition |
document with SHA-512 as HASH, and the X448 function defined in | | Function | Function Name | |
section 5 of [RFC7748]. The method name for each method is the +------------------------+----------+---------------+---------------+
concatenation of the string "gss-curve448-sha512-" with the Base64 | gss-nistp256-sha256- | SHA-256 | secp256r1 | Section 2.4.2 |
encoding of the MD5 hash [RFC1321] of the ASN.1 DER encoding | | | | of [SEC2v2] |
[ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID. Base64 | gss-nistp384-sha384- | SHA-384 | secp384r1 | Section 2.5.1 |
encoding is described in Section 6.8 of [RFC2045]. | | | | of [SEC2v2] |
| gss-nistp521-sha512- | SHA-512 | secp521r1 | Section 2.6.1 |
| | | | of [SEC2v2] |
| gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 of |
| | | | [RFC7748] |
| gss-curve448-sha512- | SHA-512 | X448 | Section 5 of |
| | | | [RFC7748] |
+------------------------+----------+---------------+---------------+
6. IANA Considerations 6. IANA Considerations
This document augments the SSH Key Exchange Method Names in This document augments the SSH Key Exchange Method Names in
[RFC4462]. [RFC4462].
IANA is requested to update the SSH Protocol Parameters IANA is requested to update the SSH Protocol Parameters
[IANA-KEX-NAMES] registry with the following entries: [IANA-KEX-NAMES] registry with the following entries:
+--------------------------+------------+------------------------+ +--------------------------+------------+------------------------+
skipping to change at page 14, line 4 skipping to change at page 10, line 11
Except for the use of a different secure hash function and larger DH Except for the use of a different secure hash function and larger DH
groups, no significant changes has been made to the protocol groups, no significant changes has been made to the protocol
described by [RFC4462]; therefore all the original Security described by [RFC4462]; therefore all the original Security
Considerations apply. Considerations apply.
7.2. New Elliptic Curve DH mechanisms 7.2. New Elliptic Curve DH mechanisms
Although a new cryptographic primitive is used with these methods the Although a new cryptographic primitive is used with these methods the
actual key exchange closely follows the key exchange defined in actual key exchange closely follows the key exchange defined in
[RFC5656]; therefore all the original Security Considerations as well [RFC5656]; therefore all the original Security Considerations as well
as those expressed in [RFC5656] apply. as those expressed in [RFC5656] apply.
7.3. GSSAPI Delegation 7.3. GSSAPI Delegation
Some GSSAPI mechanisms can optionally delegate credentials to the Some GSSAPI mechanisms can optionally delegate credentials to the
target host by setting the deleg_ret_flag. In this case extra care target host by setting the deleg_ret_flag. In this case extra care
must be taken to ensure that the acceptor being authenticated matches must be taken to ensure that the acceptor being authenticated matches
the target the user intended. Some mechanisms implementations (like the target the user intended. Some mechanisms implementations (like
commonly used krb5 libraries) may use insecure DNS resolution to commonly used krb5 libraries) may use insecure DNS resolution to
canonicalize the target name; in these cases spoofing a DNS response canonicalize the target name; in these cases spoofing a DNS response
that points to an attacker-controlled machine may results in the user that points to an attacker-controlled machine may results in the user
silently delegating credentials to the attacker, who can then silently delegating credentials to the attacker, who can then
impersonate the user at will. impersonate the user at will.
8. References 8. References
8.1. Normative References 8.1. Normative References
[ANSI-X9-62-2005]
American National Standards Institute, "Public Key
Cryptography for the Financial Services Industry, The
Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI
Standard X9.62, 2005.
[I-D.ietf-curdle-ssh-curves] [I-D.ietf-curdle-ssh-curves]
Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure
Shell (SSH) Key Exchange Method using Curve25519 and Shell (SSH) Key Exchange Method using Curve25519 and
Curve448", draft-ietf-curdle-ssh-curves-07 (work in Curve448", draft-ietf-curdle-ssh-curves-07 (work in
progress), January 2018. progress), January 2018.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, DOI 10.17487/RFC1321, April 1992,
<https://www.rfc-editor.org/info/rfc1321>. <https://www.rfc-editor.org/info/rfc1321>.
skipping to change at page 15, line 10 skipping to change at page 11, line 10
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, DOI 10.17487/RFC3526, May 2003, RFC 3526, DOI 10.17487/RFC3526, May 2003,
<https://www.rfc-editor.org/info/rfc3526>. <https://www.rfc-editor.org/info/rfc3526>.
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
January 2006, <https://www.rfc-editor.org/info/rfc4253>.
[RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, [RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
"Generic Security Service Application Program Interface "Generic Security Service Application Program Interface
(GSS-API) Authentication and Key Exchange for the Secure (GSS-API) Authentication and Key Exchange for the Secure
Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May
2006, <https://www.rfc-editor.org/info/rfc4462>. 2006, <https://www.rfc-editor.org/info/rfc4462>.
[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm
Integration in the Secure Shell Transport Layer", Integration in the Secure Shell Transport Layer",
RFC 5656, DOI 10.17487/RFC5656, December 2009, RFC 5656, DOI 10.17487/RFC5656, December 2009,
<https://www.rfc-editor.org/info/rfc5656>. <https://www.rfc-editor.org/info/rfc5656>.
[RFC7546] Kaduk, B., "Structure of the Generic Security Service [RFC7546] Kaduk, B., "Structure of the Generic Security Service
(GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546,
May 2015, <https://www.rfc-editor.org/info/rfc7546>. May 2015, <https://www.rfc-editor.org/info/rfc7546>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[SEC1v2] Certicom Research, "SEC 1: Elliptic Curve Cryptography",
Standards for Efficient Cryptography SEC 1, Version 2.0,
2009.
[SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve [SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve
Domain Parameters", Standards for Efficient Domain Parameters", Standards for Efficient
Cryptography SEC 2, 2010. Cryptography SEC 2, Version 2.0, 2010.
8.2. Informative References 8.2. Informative References
[IANA-KEX-NAMES] [IANA-KEX-NAMES]
Internet Assigned Numbers Authority, "Secure Shell (SSH) Internet Assigned Numbers Authority, "Secure Shell (SSH)
Protocol Parameters: Key Exchange Method Names", June Protocol Parameters: Key Exchange Method Names", June
2005, <https://www.iana.org/assignments/ssh-parameters/ 2005, <https://www.iana.org/assignments/ssh-parameters/
ssh-parameters.xhtml#ssh-parameters-16>. ssh-parameters.xhtml#ssh-parameters-16>.
[ISO-IEC-8825-1] [ISO-IEC-8825-1]
skipping to change at page 16, line 18 skipping to change at page 12, line 18
of Cryptographic Algorithms and Key Lengths", NIST Special of Cryptographic Algorithms and Key Lengths", NIST Special
Publication 800-131A Revision 1, November 2015, Publication 800-131A Revision 1, November 2015,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-131Ar1.pdf>. NIST.SP.800-131Ar1.pdf>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<https://www.rfc-editor.org/info/rfc6194>. <https://www.rfc-editor.org/info/rfc6194>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- [RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie-
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell Hellman (DH) Key Exchange (KEX) Groups for Secure Shell
(SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017,
<https://www.rfc-editor.org/info/rfc8268>. <https://www.rfc-editor.org/info/rfc8268>.
Authors' Addresses Authors' Addresses
Simo Sorce Simo Sorce
Red Hat, Inc. Red Hat, Inc.
140 Broadway 140 Broadway
24th Floor 24th Floor
New York, NY 10025 New York, NY 10025
USA USA
Email: simo@redhat.com Email: simo@redhat.com
Hubert Kario Hubert Kario
Red Hat, Inc. Red Hat, Inc.
Purkynova 99/71 Purkynova 115
Brno 612 45 Brno 612 00
Czech Republic Czech Republic
Email: hkario@redhat.com Email: hkario@redhat.com
 End of changes. 41 change blocks. 
377 lines changed or deleted 170 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/