rfcdiff: draft-ietf-curdle-rsa-sha2-05.txt vs. draft-ietf-curdle-rsa-sha2-06.txt
(text common to both versions is shown once; lines that differ are marked [-05] and [-06])

Internet-Draft                                                  D. Bider
Updates: 4252, 4253 (if approved)                        Bitvise Limited
Intended status: Standards Track
[-05]                                                      April 9, 2017
[-06]                                                     April 24, 2017
[-05] Expires: October 9, 2017
[-06] Expires: October 24, 2017

      Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
[-05]                draft-ietf-curdle-rsa-sha2-05.txt
[-06]                draft-ietf-curdle-rsa-sha2-06.txt

Abstract

[-05] This memo updates [RFC4252] and [RFC4253] to define an algorithm name,
[-06] This memo updates RFC 4252 and RFC 4253 to define an algorithm name,
      public key format, and signature format for use of RSA keys with SHA-2
      hashing for server and client authentication in SSH connections.

Status

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups.  Note that other

   [skipping to change at page 6, line 31]
   better received than one that is abrupt and incompatible.  It advises
   that SSH implementations add support for new RSA signature algorithms
   along with SSH_MSG_EXT_INFO and the "server-sig-algs" extension to
   allow coexistence of new deployments with older versions that support
   only "ssh-rsa".  Nevertheless, implementations SHOULD start to disable
   "ssh-rsa" in their default configurations as soon as they have reason
   to believe that new RSA signature algorithms have been widely adopted.
5.3.  PKCS#1 v1.5 Padding and Signature Verification

[-05] This document prescribes use of PKCS#1 v1.5 signature padding because:
[-06] This document prescribes RSASSA-PKCS1-v1_5 signature padding because:

[-05] (1) PSS is not universally available to all SSH implementations;
[-06] (1) RSASSA-PSS is not universally available to all implementations;

      (2) PKCS#1 v1.5 is widely supported in existing SSH implementations;

[-05] (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme,
[-05]     assuming reasonable implementation.
[-06] (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme.

   Implementers are advised that a signature with PKCS#1 v1.5 padding
   MUST NOT be verified by applying the RSA key to the signature, and
   then parsing the output to extract the hash.  This may give an attacker
   opportunities to exploit flaws in the parsing and vary the encoding.
   Implementations SHOULD apply PKCS#1 v1.5 padding to the expected hash,
   THEN compare the encoded bytes with the output of the RSA operation.
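The verification rule of section 5.3 (encode the expected hash, then compare; never parse the RSA output), as an added Python example that is not part of the draft or of any SSH implementation: EMSA-PKCS1-v1_5 encoding with the SHA-256 and SHA-512 DigestInfo values from RFC 8017, a verifier that compares the whole encoded block in constant time, and a throwaway demo key generator whose Fermat-tested primes are assumed adequate only for this demonstration.

```python
import hashlib
import hmac
import secrets

# DigestInfo prefixes (RFC 8017, section 9.2, note 1) for the two hashes the draft uses.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def emsa_pkcs1_v1_5_encode(msg: bytes, hash_name: str, k: int) -> bytes:
    # EM = 0x00 || 0x01 || PS (at least eight 0xff) || 0x00 || DigestInfo || H, exactly k octets.
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(n: int, e: int, msg: bytes, sig: bytes, hash_name: str) -> bool:
    # Section 5.3 rule: encode the expected hash, then compare it with s^e mod n.
    # The RSA output is never parsed, so a variant encoding cannot be accepted.
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:  # RFC 8017, 8.2.2 step 1: the signature must be exactly k octets
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5_encode(msg, hash_name, k))

def sign(n: int, d: int, msg: bytes, hash_name: str) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v1_5_encode(msg, hash_name, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def _probable_prime(bits: int) -> int:
    # Fermat test on random odd candidates: adequate for a constructed demo key, not for real keys.
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
            return c

def generate_key(bits: int = 1024):
    # Demo key (n, e, d); an SSH implementation would load a real key instead.
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)
```

With a key from generate_key(), verify(n, e, msg, sign(n, d, msg, "sha256"), "sha256") returns True, while a signature over a non-canonical encoding that still contains the correct hash returns False because the comparison covers the whole encoded block.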
6.  Why no DSA?

   [skipping to change at page 7, line 29]
   [RFC4251]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4252]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

[-06] [RFC8017]  Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A.,
[-06]            "PKCS #1: RSA Cryptography Specifications Version 2.2",
[-06]            RFC 8017, November 2016.

7.2.  Informative References

   [800-131A] National Institute of Standards and Technology (NIST),
              "Transitions: Recommendation for Transitioning the Use of
              Cryptographic Algorithms and Key Lengths", NIST Special
              Publication 800-131A, January 2011, <http://csrc.nist.gov/
              publications/nistpubs/800-131A/sp800-131A.pdf>.

   [RFC4250]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital
              Signature Algorithm (DSA) and Elliptic Curve Digital
              Signature Algorithm (ECDSA)", RFC 6979, August 2013.

[-05] [RFC8017]  Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A.,
[-05]            "PKCS #1: RSA Cryptography Specifications Version 2.2",
[-05]            RFC 8017, November 2016.

   [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)",
[-05]         draft-ietf-curdle-ssh-ext-info-04.txt, April 2017,
[-05]         <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-04>.
[-06]         draft-ietf-curdle-ssh-ext-info-05.txt, April 2017,
[-06]         <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-05>.

   [IANA-PKA] "Secure Shell (SSH) Protocol Parameters",
              <https://www.iana.org/assignments/ssh-parameters/
              ssh-parameters.xhtml#ssh-parameters-19>.

Author's Address

   Denis Bider
   Bitvise Limited
   Suites 41/42, Victoria House
End of changes.  10 change blocks; 14 lines changed or deleted, 13 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/