draft-ietf-curdle-gss-keyex-sha2-08.txt   draft-ietf-curdle-gss-keyex-sha2-09.txt 
Internet Engineering Task Force S. Sorce Internet Engineering Task Force S. Sorce
Internet-Draft H. Kario Internet-Draft H. Kario
Updates: 4462 (if approved) Red Hat, Inc. Updates: 4462 (if approved) Red Hat, Inc.
Intended status: Standards Track Jan 2, 2019 Intended status: Standards Track Jun 11, 2019
Expires: July 6, 2019 Expires: December 13, 2019
GSS-API Key Exchange with SHA2 GSS-API Key Exchange with SHA2
draft-ietf-curdle-gss-keyex-sha2-08 draft-ietf-curdle-gss-keyex-sha2-09
Abstract Abstract
This document specifies additions and amendments to RFC4462. It This document specifies additions and amendments to RFC4462. It
defines a new key exchange method that uses SHA-2 for integrity and defines a new key exchange method that uses SHA-2 for integrity and
deprecates weak DH groups. The purpose of this specification is to deprecates weak DH groups. The purpose of this specification is to
modernize the cryptographic primitives used by GSS Key Exchanges. modernize the cryptographic primitives used by GSS Key Exchanges.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 6, 2019. This Internet-Draft will expire on December 13, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Document Conventions . . . . . . . . . . . . . . . . . . . . 2 3. Document Conventions . . . . . . . . . . . . . . . . . . . . 2
4. New Diffie-Hellman Key Exchange methods . . . . . . . . . . . 3 4. New Diffie-Hellman Key Exchange methods . . . . . . . . . . . 3
5. New Elliptic Curve Diffie-Hellman Key Exchange methods . . . 4 5. New Elliptic Curve Diffie-Hellman Key Exchange methods . . . 4
5.1. Generic GSS-API Key Exchange with ECDH . . . . . . . . . 4 5.1. Generic GSS-API Key Exchange with ECDH . . . . . . . . . 4
5.2. ECDH Key Exchange Methods . . . . . . . . . . . . . . . . 8 5.2. ECDH Key Exchange Methods . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. Deprecated Algorithms . . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 10 8.1. New Finite Field DH mechanisms . . . . . . . . . . . . . 10
7.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 10 8.2. New Elliptic Curve DH mechanisms . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.3. GSSAPI Delegation . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 11 9.1. Normative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for SSH GSS-API Methods [RFC4462] allows the use of GSSAPI for
authentication and key exchange in SSH. It defines three exchange authentication and key exchange in SSH. It defines three exchange
methods all based on DH groups and SHA-1. This document updates methods all based on DH groups and SHA-1. This document updates
RFC4462 with new methods intended to support environments that desire RFC4462 with new methods intended to support environments that desire
to use the SHA-2 cryptographic hash functions. to use the SHA-2 cryptographic hash functions.
2. Rationale 2. Rationale
Due to security concerns with SHA-1 [RFC6194] and with MODP groups Due to security concerns with SHA-1 [RFC6194] and with MODP groups
with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of with less than 2048 bits [NIST-SP-800-131Ar1] we propose the use of
the SHA-2 [RFC6234] based hashes with DH group14, group15, group16, the SHA-2 [RFC6234] based hashes with DH group14, group15, group16,
group17 and group18 [RFC3526]. Additionally we add support for key group17 and group18 [RFC3526]. Additionally we add support for key
exchange based on Elliptic Curve Diffie Hellman with the NIST P-256, exchange based on Elliptic Curve Diffie Hellman with the NIST P-256,
P-384 and P-521 as well as the X25519 and X448 curves. Following the P-384 and P-521 as well as the X25519 and X448 curves. Following the
rationale of [RFC8268] only SHA-256 and SHA-512 hashes are used for practice of [RFC8268] only SHA-256 and SHA-512 hashes are used for DH
DH groups. For NIST curves the same curve-to-hashing algorithm groups. For NIST curves the same curve-to-hashing algorithm pairing
pairing used in [RFC5656] is adopted for consistency. used in [RFC5656] is adopted for consistency.
3. Document Conventions 3. Document Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 >RFC2119 [RFC2119] RFC8174 [RFC8174] when, and only when, they
appear in all capitals, as shown here.
4. New Diffie-Hellman Key Exchange methods 4. New Diffie-Hellman Key Exchange methods
This document adopts the same naming convention defined in [RFC4462] This document adopts the same naming convention defined in [RFC4462]
to define families of methods that cover any GSS-API mechanism used to define families of methods that cover any GSS-API mechanism used
with a specific Diffie-Hellman group and SHA-2 Hash combination. with a specific Diffie-Hellman group and SHA-2 Hash combination.
The following new key exchange algorithms are defined: The following new key exchange algorithms are defined:
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
skipping to change at page 3, line 31 skipping to change at page 3, line 31
+--------------------------+--------------------------------+ +--------------------------+--------------------------------+
Each key exchange method is implicitly registered by this document. Each key exchange method is implicitly registered by this document.
The IESG is considered to be the owner of all these key exchange The IESG is considered to be the owner of all these key exchange
methods; this does NOT imply that the IESG is considered to be the methods; this does NOT imply that the IESG is considered to be the
owner of the underlying GSS-API mechanism. owner of the underlying GSS-API mechanism.
Each method in any family of methods specifies GSS-API-authenticated Each method in any family of methods specifies GSS-API-authenticated
Diffie-Hellman key exchanges as described in Section 2.1 of Diffie-Hellman key exchanges as described in Section 2.1 of
[RFC4462]. The method name for each method is the concatenation of [RFC4462]. The method name for each method is the concatenation of
the family method name with the Base64 encoding of the MD5 hash the family name prefix with the Base64 encoding of the MD5 hash
[RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the
underlying GSS-API mechanism's OID. Base64 encoding is described in underlying GSS-API mechanism's OID. Base64 encoding is described in
Section 6.8 of [RFC2045]. Section 6.8 of [RFC2045].
Family method refences Family method refences
+---------------------+-------------+-------------+-----------------+ +---------------------+-------------+-------------+-----------------+
| Family Name prefix | Hash | Group | Reference | | Family Name prefix | Hash | Group | Reference |
| | Function | | | | | Function | | |
+---------------------+-------------+-------------+-----------------+ +---------------------+-------------+-------------+-----------------+
skipping to change at page 4, line 8 skipping to change at page 4, line 8
| | | MODP | [RFC3526] | | | | MODP | [RFC3526] |
| gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of | | gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of |
| | | MODP | [RFC3526] | | | | MODP | [RFC3526] |
| gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of | | gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of |
| | | MODP | [RFC3526] | | | | MODP | [RFC3526] |
+---------------------+-------------+-------------+-----------------+ +---------------------+-------------+-------------+-----------------+
5. New Elliptic Curve Diffie-Hellman Key Exchange methods 5. New Elliptic Curve Diffie-Hellman Key Exchange methods
In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve
Cryptography are introduced. We reuse much of section 4 to define Cryptography are introduced. We reuse much of section 4 of [RFC5656]
GSS-API-authenticated ECDH Key Exchanges. to define GSS-API-authenticated ECDH Key Exchanges.
Additionally we utilize also the curves defined in Additionally we utilize also the curves defined in
[I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined [I-D.ietf-curdle-ssh-curves] to complement the 3 classic NIST defined
curves required by [RFC5656]. curves required by [RFC5656].
5.1. Generic GSS-API Key Exchange with ECDH 5.1. Generic GSS-API Key Exchange with ECDH
This section reuses much of the scheme defined in Section 2.1 of This section reuses much of the scheme defined in Section 2.1 of
[RFC4462] and combines it with the scheme defined in Section 4 of [RFC4462] and combines it with the scheme defined in Section 4 of
[RFC5656]; in particular, all checks and verification steps [RFC5656]; in particular, all checks and verification steps
skipping to change at page 4, line 41 skipping to change at page 4, line 41
This section defers to [RFC7546] as the source of information on GSS- This section defers to [RFC7546] as the source of information on GSS-
API context establishment operations, Section 3 being the most API context establishment operations, Section 3 being the most
relevant. All Security Considerations described in [RFC7546] apply relevant. All Security Considerations described in [RFC7546] apply
here too. here too.
The parties generate each an ephemeral key pair, according to The parties generate each an ephemeral key pair, according to
Section 3.2.1 of [SEC1v2]. Keys are verified upon receipt by the Section 3.2.1 of [SEC1v2]. Keys are verified upon receipt by the
parties according to Section 3.2.3.1 of [SEC1v2]. parties according to Section 3.2.3.1 of [SEC1v2].
For NIST Curves keys use uncompressed point representation and must For NIST Curves the keys use the uncompressed point representation
be converted using the algorithm in Section 2.3.4 of [SEC1v2]. If and must be converted using the algorithm in Section 2.3.4 of
the conversion fails or the point is trasmitted using compressed [SEC1v2]. If the conversion fails or the point is trasmitted using
representation, the key exchange MUST fail. the compressed representation, the key exchange MUST fail.
A GSS Context is established according to Section 4 of [RFC5656]; The A GSS Context is established according to Section 4 of [RFC5656]; The
client initiates the establishment using GSS_Init_sec_context() and client initiates the establishment using GSS_Init_sec_context() and
the server completes it using GSS_Accept_sec_context(). For the the server responds to it using GSS_Accept_sec_context(). For the
negotiation, the client MUST set mutual_req_flag and integ_req_flag negotiation, the client MUST set mutual_req_flag and integ_req_flag
to "true". In addition, deleg_req_flag MAY be set to "true" to to "true". In addition, deleg_req_flag MAY be set to "true" to
request access delegation, if requested by the user. Since the key request access delegation, if requested by the user. Since the key
exchange process authenticates only the host, the setting of exchange process authenticates only the host, the setting of
anon_req_flag is immaterial to this process. If the client does not anon_req_flag is immaterial to this process. If the client does not
support the "gssapi-keyex" user authentication method described in support the "gssapi-keyex" user authentication method described in
Section 4 of [RFC4462], or does not intend to use that method in Section 4 of [RFC4462], or does not intend to use that method in
conjunction with the GSS-API context established during key exchange, conjunction with the GSS-API context established during key exchange,
then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY
be set to true if the client wishes to hide its identity. This key be set to true if the client wishes to hide its identity. This key
exchange process will exchange only a single token once the context exchange process will exchange only a single message token once the
has been established, therefore the replay_det_req_flag and context has been established, therefore the replay_det_req_flag and
sequence_req_flag SHOULD be set to "false". sequence_req_flag SHOULD be set to "false".
The client MUST include its public key with the first message it The client MUST include its public key with the first message it
sends to the server during this process; if the server receives more sends to the server during this process; if the server receives more
than one key or none at all, the key exchange MUST fail. than one key or none at all, the key exchange MUST fail.
During GSS Context estalishment multiple tokens may be exchanged by During GSS Context estalishment multiple tokens may be exchanged by
the client and the server. When the GSS Context is established the client and the server. When the GSS Context is established
(major_status is GSS_S_COMPLETE) the parties check that mutual_state (major_status is GSS_S_COMPLETE) the parties check that mutual_state
and integ_avail are both "true". If not the key exchange MUST fail. and integ_avail are both "true". If not the key exchange MUST fail.
Once a party receives the peer's public key it proceeds to compute a Once a party receives the peer's public key it proceeds to compute a
shared secret K. For NIST Curves the computation is done according shared secret K. For NIST Curves the computation is done according
to Section 3.3.1 of [SEC1v2] and the resulting value z is converted to Section 3.3.1 of [SEC1v2] and the resulting value z is converted
to the octet string K using the conversion defined in Section 2.3.5 to the octet string K using the conversion defined in Section 2.3.5
of [SEC1v2]. For curve25519 and curve448 the algorithm in Section 6 of [SEC1v2]. For curve25519 and curve448 the algorithms in Section 6
of [RFC7748] is used instead. of [RFC7748] are used instead.
To verify the integrity of the handshake, peers use the Hash Function To verify the integrity of the handshake, peers use the Hash Function
defined by the selected Key Exchange method to calculate H: defined by the selected Key Exchange method to calculate H:
H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).
The GSS_GetMIC() call is used by the server with H as the payload and The GSS_GetMIC() call is used by the server with H as the payload and
generates a MIC. The GSS_VerifyMIC() call is used by the client to generates a MIC. The GSS_VerifyMIC() call is used by the client to
verify the MIC. verify the MIC.
skipping to change at page 9, line 23 skipping to change at page 9, line 23
| gss-nistp384-sha384- | SHA-384 | secp384r1 | Section 2.5.1 | | gss-nistp384-sha384- | SHA-384 | secp384r1 | Section 2.5.1 |
| | | | of [SEC2v2] | | | | | of [SEC2v2] |
| gss-nistp521-sha512- | SHA-512 | secp521r1 | Section 2.6.1 | | gss-nistp521-sha512- | SHA-512 | secp521r1 | Section 2.6.1 |
| | | | of [SEC2v2] | | | | | of [SEC2v2] |
| gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 of | | gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 of |
| | | | [RFC7748] | | | | | [RFC7748] |
| gss-curve448-sha512- | SHA-512 | X448 | Section 5 of | | gss-curve448-sha512- | SHA-512 | X448 | Section 5 of |
| | | | [RFC7748] | | | | | [RFC7748] |
+------------------------+----------+---------------+---------------+ +------------------------+----------+---------------+---------------+
6. IANA Considerations 6. Deprecated Algorithms
Because they have small key lengths and are no longer strong in the
face of brute-force attacks, the algorithms in the following table
are considered deprecated and SHOULD NOT be used.
Deprecated Algorithms
+--------------------------+--------------------------------+
| Key Exchange Method Name | Implementation Recommendations |
+--------------------------+--------------------------------+
| gss-group1-sha1-* | SHOULD NOT |
| gss-group14-sha1-* | SHOULD NOT |
| gss-gex-sha1-* | SHOULD NOT |
+--------------------------+--------------------------------+
7. IANA Considerations
This document augments the SSH Key Exchange Method Names in This document augments the SSH Key Exchange Method Names in
[RFC4462]. [RFC4462].
IANA is requested to update the SSH Protocol Parameters IANA is requested to update the SSH Protocol Parameters
[IANA-KEX-NAMES] registry with the following entries: [IANA-KEX-NAMES] registry with the following entries:
+--------------------------+------------+------------------------+ +--------------------------+------------+
| Key Exchange Method Name | Reference | Implementation Support | | Key Exchange Method Name | Reference |
+--------------------------+------------+------------------------+ +--------------------------+------------+
| gss-group14-sha256-* | This draft | SHOULD | | gss-group1-sha1-* | This draft |
| gss-group15-sha512-* | This draft | MAY | | gss-group14-sha1-* | This draft |
| gss-group16-sha512-* | This draft | SHOULD | | gss-gex-sha1-* | This draft |
| gss-group17-sha512-* | This draft | MAY | | gss-group14-sha256-* | This draft |
| gss-group18-sha512-* | This draft | MAY | | gss-group15-sha512-* | This draft |
| gss-nistp256-sha256-* | This draft | SHOULD | | gss-group16-sha512-* | This draft |
| gss-nistp384-sha384-* | This draft | MAY | | gss-group17-sha512-* | This draft |
| gss-nistp521-sha512-* | This draft | MAY | | gss-group18-sha512-* | This draft |
| gss-curve25519-sha256-* | This draft | SHOULD | | gss-nistp256-sha256-* | This draft |
| gss-curve448-sha512-* | This draft | MAY | | gss-nistp384-sha384-* | This draft |
+--------------------------+------------+------------------------+ | gss-nistp521-sha512-* | This draft |
| gss-curve25519-sha256-* | This draft |
| gss-curve448-sha512-* | This draft |
+--------------------------+------------+
7. Security Considerations 8. Security Considerations
7.1. New Finite Field DH mechanisms 8.1. New Finite Field DH mechanisms
Except for the use of a different secure hash function and larger DH Except for the use of a different secure hash function and larger DH
groups, no significant changes has been made to the protocol groups, no significant changes has been made to the protocol
described by [RFC4462]; therefore all the original Security described by [RFC4462]; therefore all the original Security
Considerations apply. Considerations apply.
7.2. New Elliptic Curve DH mechanisms 8.2. New Elliptic Curve DH mechanisms
Although a new cryptographic primitive is used with these methods the Although a new cryptographic primitive is used with these methods the
actual key exchange closely follows the key exchange defined in actual key exchange closely follows the key exchange defined in
[RFC5656]; therefore all the original Security Considerations as well [RFC5656]; therefore all the original Security Considerations as well
as those expressed in [RFC5656] apply. as those expressed in [RFC5656] apply.
7.3. GSSAPI Delegation 8.3. GSSAPI Delegation
Some GSSAPI mechanisms can optionally delegate credentials to the Some GSSAPI mechanisms can act on a request to delegate credentials
target host by setting the deleg_ret_flag. In this case extra care to the target host when the deleg_req_flag is set. In this case,
must be taken to ensure that the acceptor being authenticated matches extra care must be taken to ensure that the acceptor being
the target the user intended. Some mechanisms implementations (like authenticated matches the target the user intended. Some mechanisms
commonly used krb5 libraries) may use insecure DNS resolution to implementations (like commonly used krb5 libraries) may use insecure
canonicalize the target name; in these cases spoofing a DNS response DNS resolution to canonicalize the target name; in these cases
that points to an attacker-controlled machine may results in the user spoofing a DNS response that points to an attacker-controlled machine
silently delegating credentials to the attacker, who can then may results in the user silently delegating credentials to the
impersonate the user at will. attacker, who can then impersonate the user at will.
8. References 9. References
8.1. Normative References 9.1. Normative References
[I-D.ietf-curdle-ssh-curves] [I-D.ietf-curdle-ssh-curves]
Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure
Shell (SSH) Key Exchange Method using Curve25519 and Shell (SSH) Key Exchange Method using Curve25519 and
Curve448", draft-ietf-curdle-ssh-curves-08 (work in Curve448", draft-ietf-curdle-ssh-curves-08 (work in
progress), June 2018. progress), June 2018.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, DOI 10.17487/RFC1321, April 1992,
<https://www.rfc-editor.org/info/rfc1321>. <https://www.rfc-editor.org/info/rfc1321>.
skipping to change at page 11, line 29 skipping to change at page 12, line 5
<https://www.rfc-editor.org/info/rfc5656>. <https://www.rfc-editor.org/info/rfc5656>.
[RFC7546] Kaduk, B., "Structure of the Generic Security Service [RFC7546] Kaduk, B., "Structure of the Generic Security Service
(GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546,
May 2015, <https://www.rfc-editor.org/info/rfc7546>. May 2015, <https://www.rfc-editor.org/info/rfc7546>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[SEC1v2] Certicom Research, "SEC 1: Elliptic Curve Cryptography", [SEC1v2] Certicom Research, "SEC 1: Elliptic Curve Cryptography",
Standards for Efficient Cryptography SEC 1, Version 2.0, Standards for Efficient Cryptography SEC 1, Version 2.0,
2009. 2009.
[SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve [SEC2v2] Certicom Research, "SEC 2: Recommended Elliptic Curve
Domain Parameters", Standards for Efficient Domain Parameters", Standards for Efficient
Cryptography SEC 2, Version 2.0, 2010. Cryptography SEC 2, Version 2.0, 2010.
8.2. Informative References 9.2. Informative References
[IANA-KEX-NAMES] [IANA-KEX-NAMES]
Internet Assigned Numbers Authority, "Secure Shell (SSH) Internet Assigned Numbers Authority, "Secure Shell (SSH)
Protocol Parameters: Key Exchange Method Names", June Protocol Parameters: Key Exchange Method Names", June
2005, <https://www.iana.org/assignments/ssh-parameters/ 2005, <https://www.iana.org/assignments/ssh-parameters/
ssh-parameters.xhtml#ssh-parameters-16>. ssh-parameters.xhtml#ssh-parameters-16>.
[ISO-IEC-8825-1] [ISO-IEC-8825-1]
International Organization for Standardization / International Organization for Standardization /
International Electrotechnical Commission, "ASN.1 encoding International Electrotechnical Commission, "ASN.1 encoding
 End of changes. 23 change blocks. 
61 lines changed or deleted 87 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/