draft-ietf-curdle-ssh-modp-dh-sha2-06.txt   draft-ietf-curdle-ssh-modp-dh-sha2-07.txt 
Internet Engineering Task Force M. Baushke Internet Engineering Task Force M. Baushke
Internet-Draft Juniper Networks, Inc. Internet-Draft Juniper Networks, Inc.
Updates: 4250, 4253 (if approved) June 20, 2017 Updates: 4250, 4253 (if approved) June 22, 2017
Intended status: Standards Track Intended status: Standards Track
Expires: December 22, 2017 Expires: December 24, 2017
More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX) More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX)
Groups for Secure Shell (SSH) Groups for Secure Shell (SSH)
draft-ietf-curdle-ssh-modp-dh-sha2-06 draft-ietf-curdle-ssh-modp-dh-sha2-07
Abstract Abstract
This document defines added Modular Exponential (MODP) Groups for the This document defines added Modular Exponential (MODP) Groups for the
Secure Shell (SSH) protocol using SHA-2 hashes. This document Secure Shell (SSH) protocol using SHA-2 hashes. This document
updates RFC 4250. This document updates RFC 4253. updates RFC 4250. This document updates RFC 4253.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2017. This Internet-Draft will expire on December 24, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 31
that diffie-hellman-group14-sha256 SHOULD be supported to smooth the that diffie-hellman-group14-sha256 SHOULD be supported to smooth the
transition to newer group sizes. transition to newer group sizes.
The group15 through group18 names are the same as those specified in The group15 through group18 names are the same as those specified in
[RFC3526] 3072-bit MODP Group 15, 4096-bit MODP Group 16, 6144-bit [RFC3526] 3072-bit MODP Group 15, 4096-bit MODP Group 16, 6144-bit
MODP Group 17, and 8192-bit MODP Group 18. MODP Group 17, and 8192-bit MODP Group 18.
The SHA512 algorithm is to be used when "sha512" is specified as a The SHA512 algorithm is to be used when "sha512" is specified as a
part of the key exchange method name. part of the key exchange method name.
4. IANA Considerations 4. Checking the Peer's DH Public Key
Section 3 of [RFC4253] contains a small erratum. When checking e
(client public key) and f (server public key) values, an incorrect
range is provided. The erroneous text is:
   Values of 'e' or 'f' that are not in the range [1, p-1] MUST NOT
   be sent or accepted by either side. If this condition is
   violated, the key exchange fails.
The erratum is that the range should have been an open interval
excluding the end point values (i.e., "(1, p-1)"). This document
amends that document text as follows:
   DH public key values MUST be checked and both conditions:
      1 < e < p-1
      1 < f < p-1
   MUST be true. Values not within these bounds MUST NOT be sent or
   accepted by either side. If either one of these conditions is
   violated, then the key exchange fails.
This simple check ensures:
   o  The remote peer behaves properly.
   o  The local system is not forced into the two-element subgroup.
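The following is an added example, not text or code from the draft, showing the corrected range check applied to a DH public value as it arrives on the SSH wire, beside the erroneous closed-interval check it replaces. It assumes the mpint encoding of RFC 4251 (uint32 length followed by a big-endian two's complement body), which the draft does not restate, and it uses a constructed toy safe prime (p = 23) so that the subgroup arithmetic can be inspected by hand; a real implementation substitutes the RFC 3526 group14 through group18 primes. The helpers `multiplicative_order` and `possible_secrets` are illustration only: they make visible why 1 and p-1 must be rejected, since a peer value in the two-element subgroup {1, p-1} leaves the shared secret with at most two possible values whatever the local exponent is.

```python
"""Added example (not part of the draft): enforce 1 < e < p-1 and
1 < f < p-1 on a received SSH DH public value, and show why the
endpoints 1 and p-1 must be rejected.

Assumptions: mpint wire format per RFC 4251; TOY_P is a constructed
toy safe prime, not an RFC 3526 group."""

import struct

TOY_P = 23   # constructed toy safe prime p = 2*11 + 1 (demo only)
TOY_G = 5    # generator of the full multiplicative group mod 23


def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 form)."""
    if value < 0:
        raise ValueError("negative values are not used for DH public values")
    if value == 0:
        return struct.pack(">I", 0)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # leading zero keeps the value positive
    return struct.pack(">I", len(body)) + body


def parse_mpint(buf: bytes) -> tuple[int, bytes]:
    """Decode one mpint and return (value, remaining bytes)."""
    if len(buf) < 4:
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack(">I", buf[:4])
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated mpint body")
    return int.from_bytes(body, "big", signed=True), buf[4 + length:]


def public_value_ok(value: int, p: int) -> bool:
    """Corrected check from the draft: open interval (1, p-1)."""
    return 1 < value < p - 1


def rfc4253_closed_check(value: int, p: int) -> bool:
    """The erroneous closed-interval check [1, p-1] that the draft amends."""
    return 1 <= value <= p - 1


def check_peer_public(wire: bytes, p: int) -> int:
    """Decode a peer's e or f and enforce the range; raising aborts the KEX."""
    value, rest = parse_mpint(wire)
    if rest:
        raise ValueError("trailing bytes after mpint")
    if not public_value_ok(value, p):
        raise ValueError("DH public value outside (1, p-1): key exchange fails")
    return value


def multiplicative_order(value: int, p: int) -> int:
    """Order of value in Z_p^* by repeated multiplication (toy sizes only)."""
    value %= p
    if value == 0:
        raise ValueError("0 is not in the multiplicative group")
    order, acc = 1, value
    while acc != 1:
        acc = (acc * value) % p
        order += 1
    return order


def possible_secrets(peer_public: int, p: int) -> set[int]:
    """Every shared secret K = peer_public^x mod p any local exponent x could give."""
    return {pow(peer_public, x, p) for x in range(1, p - 1)}


if __name__ == "__main__":
    p = TOY_P
    # Honest exchange: both values pass the corrected check and K agrees.
    x, y = 6, 15
    e, f = pow(TOY_G, x, p), pow(TOY_G, y, p)
    assert check_peer_public(encode_mpint(e), p) == e
    assert pow(f, x, p) == pow(e, y, p)
    # Endpoints: accepted by the RFC 4253 text, rejected by the amended one,
    # and each confines K to the two-element subgroup {1, p-1}.
    for bad in (1, p - 1):
        print(bad, rfc4253_closed_check(bad, p), public_value_ok(bad, p),
              multiplicative_order(bad, p), sorted(possible_secrets(bad, p)))
```

Note that the range check alone does not prove the peer's value lies in the prime-order subgroup of a safe-prime group; it only rules out the order-1 and order-2 elements, which is exactly the guarantee the draft's two bullet points claim.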
5. IANA Considerations
This document augments the Key Exchange Method Names in [RFC4253] and This document augments the Key Exchange Method Names in [RFC4253] and
[RFC4250]. [RFC4250].
IANA is requested to add to the Key Exchange Method Names algorithm IANA is requested to add to the Key Exchange Method Names algorithm
registry [IANA-KEX] with the following entries: registry [IANA-KEX] with the following entries:
Key Exchange Method Name Reference Key Exchange Method Name Reference
----------------------------- ---------- ----------------------------- ----------
diffie-hellman-group14-sha256 This Draft diffie-hellman-group14-sha256 This Draft
diffie-hellman-group15-sha512 This Draft diffie-hellman-group15-sha512 This Draft
diffie-hellman-group16-sha512 This Draft diffie-hellman-group16-sha512 This Draft
diffie-hellman-group17-sha512 This Draft diffie-hellman-group17-sha512 This Draft
diffie-hellman-group18-sha512 This Draft diffie-hellman-group18-sha512 This Draft
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: <http://www.iana.org/assignments/ssh-parameters/ssh- location: <http://www.iana.org/assignments/ssh-parameters/ssh-
parameters.xhtml#ssh-parameters-16>] parameters.xhtml#ssh-parameters-16>]
5. Security Considerations 6. Acknowledgements
Thanks to the following people for review and comments: Denis Bider,
Peter Gutmann, Damien Miller, Niels Moeller, Matt Johnston, Iwamoto
Kouichi, Dave Dugal, Daniel Migault, Anna Johnston, Ron Frederick,
Rich Salz, Travis Finkenauer, Eric Rescorla.
7. Security Considerations
The security considerations of [RFC4253] apply to this document. The security considerations of [RFC4253] apply to this document.
The security considerations of [RFC3526] suggest that MODP group14 The security considerations of [RFC3526] suggest that MODP group14
through group18 have security strengths that range between 110 bits through group18 have security strengths that range between 110 bits
of security through 310 bits of security. They are based on of security through 310 bits of security. They are based on
[RFC3766] Determining Strengths For Public Keys Used For Exchanging [RFC3766] Determining Strengths For Public Keys Used For Exchanging
Symmetric Keys. Care should be taken to use sufficient entropy and/ Symmetric Keys. Care should be taken to use sufficient entropy and/
or DRBG algorithms to maximize the true security strength of the key or DRBG algorithms to maximize the true security strength of the key
exchange and ciphers selected. exchange and ciphers selected.
Using a fixed set of Diffie-Hellman parameters makes them a high Using a fixed set of Diffie-Hellman parameters makes them a high
value target for pre-computation. Generating additional sets of value target for pre-computation. Generating additional sets of
primes to be used, or moving to larger values is a mitigation against primes to be used, or moving to larger values is a mitigation against
this issue. this issue.
6. References 8. References
6.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, DOI 10.17487/RFC3526, May 2003, RFC 3526, DOI 10.17487/RFC3526, May 2003,
<http://www.rfc-editor.org/info/rfc3526>. <http://www.rfc-editor.org/info/rfc3526>.
[RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, Protocol Assigned Numbers", RFC 4250,
DOI 10.17487/RFC4250, January 2006, DOI 10.17487/RFC4250, January 2006,
<http://www.rfc-editor.org/info/rfc4250>. <http://www.rfc-editor.org/info/rfc4250>.
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
January 2006, <http://www.rfc-editor.org/info/rfc4253>. January 2006, <http://www.rfc-editor.org/info/rfc4253>.
6.2. Informative References 8.2. Informative References
[IANA-KEX] [IANA-KEX]
Internet Assigned Numbers Authority (IANA), "Secure Shell Internet Assigned Numbers Authority (IANA), "Secure Shell
(SSH) Protocol Parameters: Key Exchange Method Names", (SSH) Protocol Parameters: Key Exchange Method Names",
March 2017, <http://www.iana.org/assignments/ssh- March 2017, <http://www.iana.org/assignments/ssh-
parameters/ssh-parameters.xhtml#ssh-parameters-16>. parameters/ssh-parameters.xhtml#ssh-parameters-16>.
[MFQ-U-OO-815099-15] [MFQ-U-OO-815099-15]
"National Security Agency/Central Security Service", "CNSA "National Security Agency/Central Security Service", "CNSA
Suite and Quantum Computing FAQ", January 2016, Suite and Quantum Computing FAQ", January 2016,
 End of changes. 9 change blocks. 
9 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/