Changes from draft-ietf-curdle-rsa-sha2-01.txt to draft-ietf-curdle-rsa-sha2-02.txt

Internet-Draft                                                  D. Bider
Updates: 4252, 4253 (if approved)                        Bitvise Limited
Intended status: Standards Track     -01: August 1, 2016 / -02: September 12, 2016
Expires:                             -01: February 1, 2017 / -02: February 12, 2017

      Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
      -01: draft-ietf-curdle-rsa-sha2-01.txt / -02: draft-ietf-curdle-rsa-sha2-02.txt
Abstract

   This memo defines an algorithm name, public key format, and signature
   format for use of RSA keys with SHA-2 512 for server and client
   authentication in SSH connections.

Status

   This Internet-Draft is submitted in full conformance with the

skipping to change at page 2, line 29

1.1. Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
2. Public Key Algorithms

   This memo adopts the style and conventions of [RFC4253] in specifying
   -01: how the use of a signature algorithm is indicated in SSH.
   -02: how use of a signature algorithm is indicated in SSH.

   The following new signature algorithms are defined:

      rsa-sha2-256    RECOMMENDED    sign    Raw RSA key
      rsa-sha2-512    OPTIONAL       sign    Raw RSA key

   These signature algorithms are suitable for use both in the SSH transport
   layer [RFC4253] for server authentication, and in the authentication
   layer [RFC4252] for client authentication.

skipping to change at page 4, line 21

   Servers that accept rsa-sha2-* signatures for client authentication
   SHOULD implement the extension negotiation mechanism defined in
   [SSH-EXT-INFO], including especially the "server-sig-algs" extension.

   When authenticating with an RSA key against a server that does not
   implement the "server-sig-algs" extension, clients MAY default to an
   ssh-rsa signature to avoid authentication penalties.
4. IANA Considerations

   -01:

   IANA is requested to update the "Secure Shell (SSH) Protocol
   Parameters" registry with the following entry:

      Public Key Algorithm Name    Reference          Note
      rsa-sha2-256                 [this document]    Section 2
      rsa-sha2-512                 [this document]    Section 2

   -02:

   This document augments the Public Key Algorithm Names in [RFC4253]
   and [RFC4250].

   IANA is requested to update the "Secure Shell (SSH) Protocol
   Parameters" registry, to extend the table Public Key Algorithm Names:

   - To the immediate right of the column Public Key Algorithm Name,
     a new column is to be added, titled Signature Algorithm Name. For
     existing entries, the column Signature Algorithm Name should be
     assigned the same value found under Public Key Algorithm Name.

   - Immediately following the existing entry for "ssh-rsa", two sibling
     entries are to be added:

      P. K. Alg. Name    Sig. Alg. Name    Reference          Note
      ssh-rsa            rsa-sha2-256      [this document]    Section 2
      ssh-rsa            rsa-sha2-512      [this document]    Section 2
5. Security Considerations

   The security considerations of [RFC4253] apply to this document.

   The National Institute of Standards and Technology (NIST) Special
   Publication 800-131A [800-131A] disallows the use of RSA and DSA keys
   shorter than 2048 bits for US government use after 2013. Keys of 2048
   bits or larger are considered acceptable.

   The same document disallows the SHA-1 hash function, as used in the
   "ssh-rsa" and "ssh-dss" algorithms, for digital signature generation
   after 2013. The SHA-2 family of hash functions is seen as acceptable.
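The following is an added example written for this page; it is not code from the draft, from Bitvise, or from any SSH implementation. It illustrates in Python the points of Sections 2 through 5 above: the public key blob keeps the "ssh-rsa" name while the signature blob carries "rsa-sha2-256" or "rsa-sha2-512" (the column split requested in Section 4), the signature name selects the hash, a server-side check enforces the 2048-bit key floor and refuses a SHA-1 "ssh-rsa" signature unless policy allows it, and a client-side choice is driven by the "server-sig-algs" name-list, defaulting to ssh-rsa when the server does not implement the extension. Assumptions: the toy key generator and the PKCS#1 v1.5 encoding are written here for illustration only (the DigestInfo prefixes are the standard ones from RFC 8017); the `data` passed to sign and verify stands in for whatever the protocol defines as the signed input, which this excerpt does not show; and the client preference order rsa-sha2-512, then rsa-sha2-256, then ssh-rsa is a policy choice of this example, not something the draft prescribes.

```python
import hashlib
import secrets
import struct

# Signature algorithm name -> hash. "ssh-rsa" is the legacy SHA-1 form; the draft adds
# the two rsa-sha2-* names. The key format itself stays "ssh-rsa" in every case.
SIG_ALG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (values as listed in RFC 8017, 9.2).
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
               "sha512": bytes.fromhex("3051300d060960864801650304020305000440")}
SMALL_PRIMES = [p for p in range(2, 1000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def ssh_string(b: bytes) -> bytes:  # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:  # RFC 4251 "mpint" for a positive integer
    # Big-endian, with one extra 0x00 byte when the top bit is set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

# Toy RSA key generation (assumed here for a self-contained demo; real code uses a vetted library).
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # top two bits set so that p*q has exactly 2*bits bits
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa(bits: int = 2048):
    """Return (n, e, d) for an RSA key of exactly `bits` bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(hash_name: str, msg: bytes, em_len: int) -> bytes:
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def ssh_rsa_public_key_blob(n: int, e: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def ssh_rsa_sign(sig_alg: str, key, data: bytes) -> bytes:
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(_emsa_pkcs1_v15(SIG_ALG_HASH[sig_alg], data, k), "big"), d, n)
    # Signature blob: string sig_alg, string signature. The name selects the hash.
    return ssh_string(sig_alg.encode()) + ssh_string(s.to_bytes(k, "big"))

def ssh_rsa_verify(pub_blob: bytes, sig_blob: bytes, data: bytes,
                   accepted=("rsa-sha2-256", "rsa-sha2-512"), min_bits: int = 2048) -> bool:
    """Server side: key type, key-size floor, signature-name policy, then RSA verify."""
    key_alg, off = read_string(pub_blob, 0)
    e_b, off = read_string(pub_blob, off)
    n_b, _ = read_string(pub_blob, off)
    sig_alg_b, off = read_string(sig_blob, 0)
    s_b, _ = read_string(sig_blob, off)
    sig_alg = sig_alg_b.decode("ascii", "replace")
    e, n = int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big")
    k = (n.bit_length() + 7) // 8
    if key_alg != b"ssh-rsa" or n.bit_length() < min_bits:
        return False  # wrong key type, or below the 2048-bit floor from SP 800-131A
    if sig_alg not in accepted or len(s_b) != k:
        return False  # e.g. a SHA-1 "ssh-rsa" signature when policy requires SHA-2
    em = pow(int.from_bytes(s_b, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(SIG_ALG_HASH[sig_alg], data, k))

def choose_client_sig_alg(server_sig_algs):
    """Client side. server_sig_algs: the "server-sig-algs" name-list, or None if absent."""
    if server_sig_algs is None:
        return "ssh-rsa"  # extension absent: the draft lets the client default to ssh-rsa
    offered = server_sig_algs.split(",")
    for alg in ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"):  # assumed preference order
        if alg in offered:
            return alg
    return None
```

With `key = generate_rsa()` and `pub = ssh_rsa_public_key_blob(key[0], key[1])`, the call `ssh_rsa_verify(pub, ssh_rsa_sign("rsa-sha2-256", key, data), data)` returns True, while the same call on an "ssh-rsa" signature returns False under the default policy and True only when `accepted=("ssh-rsa",)` is passed. The key blob is byte-for-byte the same in all three cases, which is exactly why the registry needs a separate Signature Algorithm Name column.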
6. Why no DSA?

   A draft version of this memo also defined an algorithm name for use of
   2048-bit and 3072-bit DSA keys with a 256-bit subgroup and SHA-2 256
   hashing. It is possible to implement DSA securely by generating "k"
   deterministically as per [RFC6979].

   -01:

   However, a plurality of reviewers were concerned that implementers
   would not pay heed, and would use cryptographic libraries that continue
   to generate "k" randomly. This is vulnerable to biased "k" generation,
   and extremely vulnerable to "k" reuse. The relative speed advantage of
   DSA signing compared to RSA signing was not perceived to outweigh this
   shortcoming, especially since algorithms based on elliptic curves are
   faster yet.

   Due to these disrecommendations, this document abstains from defining
   an algorithm name for large DSA keys, and recommends RSA instead.

   -02:

   However, a plurality of reviewers were concerned that implementers
   would continue to use libraries that generate "k" randomly. This is
   vulnerable to biased "k" generation, and extremely vulnerable to "k"
   reuse.

   This document therefore abstains from defining new algorithm names
   for DSA, and recommends RSA where this is preferred over elliptic
   curve cryptography.
7. References

7.1. Normative References

   [FIPS-180-4]
              National Institute of Standards and Technology (NIST),
              United States of America, "Secure Hash Standard (SHS)",
              FIPS Publication 180-4, August 2015,
              <http://dx.doi.org/10.6028/NIST.FIPS.180-4>.

skipping to change at page 5, line 48 (-01) / page 5, line 51 (-02)

   [RFC4250]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital
              Signature Algorithm (DSA) and Elliptic Curve Digital
              Signature Algorithm (ECDSA)", RFC 6979, August 2013.

   [SSH-EXT-INFO]
              Bider, D., "Extension Negotiation in Secure Shell (SSH)",
              -01: draft-ietf-curdle-ssh-ext-info-00, March 2016,
                   <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-00>.
              -02: draft-ietf-curdle-ssh-ext-info-01, September 2016,
                   <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-01>.
Author's Address

   Denis Bider
   Bitvise Limited
   Suites 41/42, Victoria House
   26 Main Street
   GI

   Phone: +506 8315 6519

End of changes. 9 change blocks. 21 lines changed or deleted, 25 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/