rfcdiff of draft-ietf-curdle-rsa-sha2-09.txt (old, "-09") and draft-ietf-curdle-rsa-sha2-10.txt (new, "-10")

Internet-Draft                                                  D. Bider
Updates: 4252, 4253 (if approved)                        Bitvise Limited
Intended status: Standards Track      -09: June 19, 2017 | -10: August 22, 2017
Expires:                         -09: December 19, 2017 | -10: February 22, 2018

       Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)
     -09: draft-ietf-curdle-rsa-sha2-09.txt | -10: draft-ietf-curdle-rsa-sha2-10.txt

Abstract

   This memo updates RFC 4252 and RFC 4253 to define new public key
   algorithms for use of RSA keys with SHA-2 hashing for server and
   client authentication in SSH connections.

Status

   This Internet-Draft is submitted in full conformance with the
   [skipping to change at -09 page 6, line 20 | -10 page 7, line 5]
   (2) PKCS#1 v1.5 is widely supported in existing SSH implementations;

   (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme.

   Implementers are advised that a signature with PKCS#1 v1.5 padding
   MUST NOT be verified by applying the RSA key to the signature, and
   then parsing the output to extract the hash. This may give an attacker
   opportunities to exploit flaws in the parsing and vary the encoding.
   Verifiers MUST instead apply PKCS#1 v1.5 padding to the expected hash,
   then compare the encoded bytes with the output of the RSA operation.
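The verification rule above, as an added worked example that is not code from the draft or from any SSH implementation: the verifier re-encodes the expected SHA-2 hash under EMSA-PKCS1-v1_5 and compares the whole encoded block with the RSA output, never parsing that output. It covers both hashes the draft defines (SHA-256 for rsa-sha2-256, SHA-512 for rsa-sha2-512) and uses only the Python standard library. Assumptions: the RSA key is a toy 1024-bit key generated at run time for the demonstration only (a real SSH implementation uses a vetted library and larger keys), the DigestInfo prefixes are the SHA-256 and SHA-512 values from RFC 8017, and the message bytes and the non-canonical encoding built in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import math
import random
from dataclasses import dataclass

# DER DigestInfo prefixes from RFC 8017, Section 9.2, Note 1.
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


@dataclass(frozen=True)
class RsaKey:
    n: int      # modulus
    e: int      # public exponent
    d: int = 0  # private exponent (0 for a public-only key)

    @property
    def k(self) -> int:
        """Modulus length in octets (RFC 8017 'k')."""
        return (self.n.bit_length() + 7) // 8


def emsa_pkcs1_v15_encode(hash_name: str, message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 || 0x01 || PS || 0x00 || T, T = prefix || hash,
    PS = at least eight 0xFF octets (RFC 8017, Section 9.2)."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(key: RsaKey, hash_name: str, message: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5: encode, then apply the private exponent."""
    em = emsa_pkcs1_v15_encode(hash_name, message, key.k)
    return pow(int.from_bytes(em, "big"), key.d, key.n).to_bytes(key.k, "big")


def rsa_verify(key: RsaKey, hash_name: str, message: bytes, signature: bytes) -> bool:
    """Verify as the draft requires: build the expected encoding and compare the
    whole block with the RSA output. The output is never parsed."""
    if len(signature) != key.k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= key.n:  # RSAVP1: signature representative must be in [0, n-1]
        return False
    em_from_sig = pow(s, key.e, key.n).to_bytes(key.k, "big")
    expected = emsa_pkcs1_v15_encode(hash_name, message, key.k)
    return hmac.compare_digest(em_from_sig, expected)  # constant-time compare


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin (demo key generation)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(c):
            return c


def generate_toy_rsa_key(bits: int = 1024) -> RsaKey:
    """Constructed demo key; far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return RsaKey(n=p * q, e=e, d=pow(e, -1, phi))


def demo(hash_name: str = "sha256") -> dict:
    """Exercise the verifier and return the outcome of each check."""
    key = generate_toy_rsa_key()
    msg = b"constructed stand-in for the SSH data being signed"  # constructed
    sig = rsa_sign(key, hash_name, msg)
    # A non-canonical encoding (minimal PS, then trailing zero octets) is signed
    # here with the private key only to show that the compare-based verifier
    # rejects an encoding variation that a lenient output parser might accept.
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, msg).digest()
    odd_em = (b"\x00\x01" + b"\xff" * 8 + b"\x00" + t).ljust(key.k, b"\x00")
    odd_sig = pow(int.from_bytes(odd_em, "big"), key.d, key.n).to_bytes(key.k, "big")
    return {
        "valid": rsa_verify(key, hash_name, msg, sig),
        "tampered_message": rsa_verify(key, hash_name, msg + b"!", sig),
        "non_canonical_encoding": rsa_verify(key, hash_name, msg, odd_sig),
        "wrong_length": rsa_verify(key, hash_name, msg, sig[:-1]),
    }


if __name__ == "__main__":
    for h in ("sha256", "sha512"):
        print(h, demo(h))
```

Run as a script to print the four outcomes for SHA-256 and SHA-512; only `valid` is True. The length and range checks in `rsa_verify` run before any arithmetic, and the final comparison is constant-time over the full block, so a malformed signature takes the same path as a correct one and no padding structure is ever interpreted.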
   [Section 6 of -09, removed in -10:]

6. Why no DSA?

   A draft version of this memo also defined an algorithm name for use of
   2048-bit and 3072-bit DSA keys with a 256-bit subgroup and SHA-2 256
   hashing. It is possible to implement DSA securely by generating "k"
   deterministically as per [RFC6979]. However, a plurality of reviewers
   were concerned that implementers would continue to use libraries that
   generate "k" randomly. This is vulnerable to biased "k" generation,
   and extremely vulnerable to "k" reuse. This document therefore
   disrecommends DSA, in favor of RSA and elliptic curve cryptography.

6. References   (-09: 7. References)

6.1. Normative References   (-09: 7.1.)
   [SHS]      National Institute of Standards and Technology (NIST),
              United States of America, "Secure Hash Standard (SHS)",
              FIPS Publication 180-4, August 2015,
              <http://dx.doi.org/10.6028/NIST.FIPS.180-4>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4251]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4252]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.
6.2. Informative References   (-09: 7.2.)

   [800-131A] National Institute of Standards and Technology (NIST),
              "Transitions: Recommendation for Transitioning the Use of
              Cryptographic Algorithms and Key Lengths", NIST Special
              Publication 800-131A, January 2011, <http://csrc.nist.gov/
              publications/nistpubs/800-131A/sp800-131A.pdf>.

   [RFC4250]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital
              Signature Algorithm (DSA) and Elliptic Curve Digital
              Signature Algorithm (ECDSA)", RFC 6979, August 2013.

   [RFC8017]  Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A.,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, November 2016.

   [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)",
              -09 cites: draft-ietf-curdle-ssh-ext-info-10.txt, June 2017,
              <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10>.
              -10 cites: draft-ietf-curdle-ssh-ext-info-12.txt, August 2017,
              <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-12>.

   [IANA-PKA] "Secure Shell (SSH) Protocol Parameters",
              <https://www.iana.org/assignments/ssh-parameters/
              ssh-parameters.xhtml#ssh-parameters-19>.
Author's Address

   Denis Bider
   Bitvise Limited

   -09:                                  -10:
   Suites 41/42, Victoria House          4105 Lombardy Court
   26 Main Street                        Colleyville, Texas 76034
   GI                                    United States of America
   Phone: +506 8315 6519                 (no phone number listed)

   Email: ietf-ssh3@denisbider.com
   URI:   https://www.bitvise.com/
Acknowledgments

   Thanks to Jon Bright, Niels Moeller, Stephen Farrell, Mark D. Baushke,
   Jeffrey Hutzelman, Hanno Boeck, Peter Gutmann, Damien Miller, Mat
   Berchtold, and Roumen Petrov (-10 adds: Daniel Migault and Eric
   Rescorla) for reviews, comments, and suggestions.
End of changes. 10 change blocks. 24 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/