Difference between revisions of "RFC8732"
Line 12: | Line 12: | ||
'''Abstract''' | '''Abstract''' | ||
− | This document specifies additions and amendments to RFC 4462. It | + | This document specifies additions and amendments to [[RFC4462|RFC 4462]]. It |
defines a new key exchange method that uses SHA-2 for integrity and | defines a new key exchange method that uses SHA-2 for integrity and | ||
deprecates weak Diffie-Hellman (DH) groups. The purpose of this | deprecates weak Diffie-Hellman (DH) groups. The purpose of this | ||
Line 26: | Line 26: | ||
received public review and has been approved for publication by the | received public review and has been approved for publication by the | ||
Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | ||
− | Internet Standards is available in Section 2 of RFC 7841. | + | Internet Standards is available in Section 2 of [[RFC7841|RFC 7841]]. |
Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | ||
Line 37: | Line 37: | ||
document authors. All rights reserved. | document authors. All rights reserved. | ||
− | This document is subject to BCP 78 and the IETF Trust's Legal | + | This document is subject to [[BCP78|BCP 78]] and the IETF Trust's Legal |
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | ||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | ||
Line 68: | Line 68: | ||
Secure Shell (SSH) Generic Security Service Application Program | Secure Shell (SSH) Generic Security Service Application Program | ||
− | Interface (GSS-API) methods | + | Interface (GSS-API) methods [[RFC4462]] allow the use of GSS-API |
− | + | [[RFC2743]] for authentication and key exchange in SSH. [[RFC4462]] | |
defines three exchange methods all based on DH groups and SHA-1. | defines three exchange methods all based on DH groups and SHA-1. | ||
− | This document updates | + | This document updates [[RFC4462]] with new methods intended to support |
environments that desire to use the SHA-2 cryptographic hash | environments that desire to use the SHA-2 cryptographic hash | ||
functions. | functions. | ||
Line 77: | Line 77: | ||
== Rationale == | == Rationale == | ||
− | Due to security concerns with SHA-1 | + | Due to security concerns with SHA-1 [[RFC6194]] and with modular |
exponentiation (MODP) groups with less than 2048 bits | exponentiation (MODP) groups with less than 2048 bits | ||
[NIST-SP-800-131Ar2], we propose the use of hashes based on SHA-2 | [NIST-SP-800-131Ar2], we propose the use of hashes based on SHA-2 | ||
− | + | [[RFC6234]] with DH group14, group15, group16, group17, and group18 | |
− | + | [[RFC3526]]. Additionally, we add support for key exchange based on | |
Elliptic Curve Diffie-Hellman with the NIST P-256, P-384, and P-521 | Elliptic Curve Diffie-Hellman with the NIST P-256, P-384, and P-521 | ||
− | [SEC2v2], as well as the X25519 and X448 | + | [SEC2v2], as well as the X25519 and X448 [[RFC7748]] curves. Following |
− | the practice of | + | the practice of [[RFC8268]], only SHA-256 and SHA-512 hashes are used |
for DH groups. For NIST curves, the same curve-to-hashing algorithm | for DH groups. For NIST curves, the same curve-to-hashing algorithm | ||
− | pairing used in | + | pairing used in [[RFC5656]] is adopted for consistency. |
== Document Conventions == | == Document Conventions == | ||
Line 93: | Line 93: | ||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | ||
− | BCP 14 | + | [[BCP14|BCP 14]] [[RFC2119]] [[RFC8174]] when, and only when, they appear in all |
capitals, as shown here. | capitals, as shown here. | ||
== New Diffie-Hellman Key Exchange Methods == | == New Diffie-Hellman Key Exchange Methods == | ||
− | This document adopts the same naming convention defined in | + | This document adopts the same naming convention defined in [[RFC4462]] |
to define families of methods that cover any GSS-API mechanism used | to define families of methods that cover any GSS-API mechanism used | ||
with a specific Diffie-Hellman group and SHA-2 hash combination. | with a specific Diffie-Hellman group and SHA-2 hash combination. | ||
Line 125: | Line 125: | ||
Each method in any family of methods (Table 2) specifies GSS-API- | Each method in any family of methods (Table 2) specifies GSS-API- | ||
authenticated Diffie-Hellman key exchanges as described in | authenticated Diffie-Hellman key exchanges as described in | ||
− | Section 2.1 of | + | Section 2.1 of [[RFC4462]]. The method name for each method (Table 1) |
is the concatenation of the family name prefix with the base64 | is the concatenation of the family name prefix with the base64 | ||
− | encoding of the MD5 hash | + | encoding of the MD5 hash [[RFC1321]] of the ASN.1 DER encoding |
[ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. | [ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. | ||
− | Base64 encoding is described in Section 4 of | + | Base64 encoding is described in Section 4 of [[RFC4648]]. |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
Line 135: | Line 135: | ||
+=====================+===============+==========+==============+ | +=====================+===============+==========+==============+ | ||
| gss-group14-sha256- | SHA-256 | 2048-bit | Section 3 of | | | gss-group14-sha256- | SHA-256 | 2048-bit | Section 3 of | | ||
− | | | | MODP | | + | | | | MODP | [[RFC3526]] | |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
| gss-group15-sha512- | SHA-512 | 3072-bit | Section 4 of | | | gss-group15-sha512- | SHA-512 | 3072-bit | Section 4 of | | ||
− | | | | MODP | | + | | | | MODP | [[RFC3526]] | |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
| gss-group16-sha512- | SHA-512 | 4096-bit | Section 5 of | | | gss-group16-sha512- | SHA-512 | 4096-bit | Section 5 of | | ||
− | | | | MODP | | + | | | | MODP | [[RFC3526]] | |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
| gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of | | | gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of | | ||
− | | | | MODP | | + | | | | MODP | [[RFC3526]] | |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
| gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of | | | gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of | | ||
− | | | | MODP | | + | | | | MODP | [[RFC3526]] | |
+---------------------+---------------+----------+--------------+ | +---------------------+---------------+----------+--------------+ | ||
Line 154: | Line 154: | ||
== New Elliptic Curve Diffie-Hellman Key Exchange Methods == | == New Elliptic Curve Diffie-Hellman Key Exchange Methods == | ||
− | In | + | In [[RFC5656]], new SSH key exchange algorithms based on elliptic curve |
− | cryptography are introduced. We reuse much of Section 4 of | + | cryptography are introduced. We reuse much of Section 4 of [[RFC5656]] |
to define GSS-API-authenticated Elliptic Curve Diffie-Hellman (ECDH) | to define GSS-API-authenticated Elliptic Curve Diffie-Hellman (ECDH) | ||
key exchanges. | key exchanges. | ||
− | Additionally, we also utilize the curves defined in | + | Additionally, we also utilize the curves defined in [[RFC8731]] to |
complement the three classic NIST-defined curves required by | complement the three classic NIST-defined curves required by | ||
− | + | [[RFC5656]]. | |
=== Generic GSS-API Key Exchange with ECDH === | === Generic GSS-API Key Exchange with ECDH === | ||
This section reuses much of the scheme defined in Section 2.1 of | This section reuses much of the scheme defined in Section 2.1 of | ||
− | + | [[RFC4462]] and combines it with the scheme defined in Section 4 of | |
− | + | [[RFC5656]]; in particular, all checks and verification steps | |
− | prescribed in Section 4 of | + | prescribed in Section 4 of [[RFC5656]] apply here as well. |
The key-agreement schemes "ECDHE-Curve25519" and "ECDHE-Curve448" | The key-agreement schemes "ECDHE-Curve25519" and "ECDHE-Curve448" | ||
perform the Diffie-Hellman protocol using the functions X25519 and | perform the Diffie-Hellman protocol using the functions X25519 and | ||
X448, respectively. Implementations MUST compute these functions | X448, respectively. Implementations MUST compute these functions | ||
− | using the algorithms described in | + | using the algorithms described in [[RFC7748]]. When they do so, |
implementations MUST check whether the computed Diffie-Hellman shared | implementations MUST check whether the computed Diffie-Hellman shared | ||
secret is the all-zero value and abort if so, as described in | secret is the all-zero value and abort if so, as described in | ||
− | Section 6 of | + | Section 6 of [[RFC7748]]. Alternative implementations of these |
functions SHOULD abort when either the client or the server input | functions SHOULD abort when either the client or the server input | ||
forces the shared secret to one of a small set of values, as | forces the shared secret to one of a small set of values, as | ||
− | described in Sections 6 and 7 of | + | described in Sections 6 and 7 of [[RFC7748]]. |
− | This section defers to | + | This section defers to [[RFC7546]] as the source of information on GSS- |
API context establishment operations, Section 3 being the most | API context establishment operations, Section 3 being the most | ||
− | relevant. All security considerations described in | + | relevant. All security considerations described in [[RFC7546]] apply |
here, too. | here, too. | ||
Line 195: | Line 195: | ||
the compressed representation, the key exchange MUST fail. | the compressed representation, the key exchange MUST fail. | ||
− | A GSS context is established according to Section 4 of | + | A GSS context is established according to Section 4 of [[RFC5656]]; the |
client initiates the establishment using GSS_Init_sec_context(), and | client initiates the establishment using GSS_Init_sec_context(), and | ||
the server responds to it using GSS_Accept_sec_context(). For the | the server responds to it using GSS_Accept_sec_context(). For the | ||
Line 204: | Line 204: | ||
anon_req_flag is immaterial to this process. If the client does not | anon_req_flag is immaterial to this process. If the client does not | ||
support the "gssapi-keyex" user authentication method described in | support the "gssapi-keyex" user authentication method described in | ||
− | Section 4 of | + | Section 4 of [[RFC4462]], or does not intend to use that method in |
conjunction with the GSS-API context established during key exchange, | conjunction with the GSS-API context established during key exchange, | ||
then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY | then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY | ||
Line 226: | Line 226: | ||
to the octet string K using the conversion defined in Section 2.3.5 | to the octet string K using the conversion defined in Section 2.3.5 | ||
of [SEC1v2]. For curve25519 and curve448, the algorithms in | of [SEC1v2]. For curve25519 and curve448, the algorithms in | ||
− | Section 6 of | + | Section 6 of [[RFC7748]] are used instead. |
To verify the integrity of the handshake, peers use the hash function | To verify the integrity of the handshake, peers use the hash function | ||
Line 241: | Line 241: | ||
any other GSS-API call returns a major_status other than | any other GSS-API call returns a major_status other than | ||
GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations | GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations | ||
− | expressed in Section 2.1 of | + | expressed in Section 2.1 of [[RFC4462]] are followed with regard to |
error reporting. | error reporting. | ||
Line 336: | Line 336: | ||
used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY | used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY | ||
message is OPTIONAL. If the "null" host key algorithm described in | message is OPTIONAL. If the "null" host key algorithm described in | ||
− | Section 5 of | + | Section 5 of [[RFC4462]] is used, this message MUST NOT be sent. |
If the client receives an SSH_MSG_KEXGSS_CONTINUE message after a | If the client receives an SSH_MSG_KEXGSS_CONTINUE message after a | ||
Line 375: | Line 375: | ||
described in Section 5.1. The method name for each method (Table 3) | described in Section 5.1. The method name for each method (Table 3) | ||
is the concatenation of the family method name with the base64 | is the concatenation of the family method name with the base64 | ||
− | encoding of the MD5 hash | + | encoding of the MD5 hash [[RFC1321]] of the ASN.1 DER encoding |
[ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. | [ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. | ||
− | Base64 encoding is described in Section 4 of | + | Base64 encoding is described in Section 4 of [[RFC4648]]. |
+------------------------+----------+---------------+---------------+ | +------------------------+----------+---------------+---------------+ | ||
Line 397: | Line 397: | ||
| gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 | | | gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 | | ||
| | | | of | | | | | | of | | ||
− | | | | | | + | | | | | [[RFC7748]] | |
+------------------------+----------+---------------+---------------+ | +------------------------+----------+---------------+---------------+ | ||
| gss-curve448-sha512- | SHA-512 | X448 | Section 5 | | | gss-curve448-sha512- | SHA-512 | X448 | Section 5 | | ||
| | | | of | | | | | | of | | ||
− | | | | | | + | | | | | [[RFC7748]] | |
+------------------------+----------+---------------+---------------+ | +------------------------+----------+---------------+---------------+ | ||
Line 427: | Line 427: | ||
This document augments the SSH key exchange message names that were | This document augments the SSH key exchange message names that were | ||
− | defined in | + | defined in [[RFC4462]] (see and Section 6); IANA has listed this |
document as reference for those entries in the "SSH Protocol | document as reference for those entries in the "SSH Protocol | ||
Parameters" [IANA-KEX-NAMES] registry. | Parameters" [IANA-KEX-NAMES] registry. | ||
Line 437: | Line 437: | ||
| Key Exchange Method Name | Reference | | | Key Exchange Method Name | Reference | | ||
+==========================+===========+ | +==========================+===========+ | ||
− | | gss-group1-sha1-* | RFC 8732 | | + | | gss-group1-sha1-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group14-sha1-* | RFC 8732 | | + | | gss-group14-sha1-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-gex-sha1-* | RFC 8732 | | + | | gss-gex-sha1-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group14-sha256-* | RFC 8732 | | + | | gss-group14-sha256-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group15-sha512-* | RFC 8732 | | + | | gss-group15-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group16-sha512-* | RFC 8732 | | + | | gss-group16-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group17-sha512-* | RFC 8732 | | + | | gss-group17-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-group18-sha512-* | RFC 8732 | | + | | gss-group18-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-nistp256-sha256-* | RFC 8732 | | + | | gss-nistp256-sha256-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-nistp384-sha384-* | RFC 8732 | | + | | gss-nistp384-sha384-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-nistp521-sha512-* | RFC 8732 | | + | | gss-nistp521-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-curve25519-sha256-* | RFC 8732 | | + | | gss-curve25519-sha256-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
− | | gss-curve448-sha512-* | RFC 8732 | | + | | gss-curve448-sha512-* | [[RFC8732|RFC 8732]] | |
+--------------------------+-----------+ | +--------------------------+-----------+ | ||
Line 473: | Line 473: | ||
Except for the use of a different secure hash function and larger DH | Except for the use of a different secure hash function and larger DH | ||
groups, no significant changes have been made to the protocol | groups, no significant changes have been made to the protocol | ||
− | described by | + | described by [[RFC4462]]; therefore, all the original security |
considerations apply. | considerations apply. | ||
Line 480: | Line 480: | ||
Although a new cryptographic primitive is used with these methods, | Although a new cryptographic primitive is used with these methods, | ||
the actual key exchange closely follows the key exchange defined in | the actual key exchange closely follows the key exchange defined in | ||
− | + | [[RFC5656]]; therefore, all the original security considerations, as | |
− | well as those expressed in | + | well as those expressed in [[RFC5656]], apply. |
=== GSS-API Delegation === | === GSS-API Delegation === | ||
Line 499: | Line 499: | ||
=== Normative References === | === Normative References === | ||
− | + | [[RFC1321]] Rivest, R., "The MD5 Message-Digest Algorithm", [[RFC1321|RFC 1321]], | |
DOI 10.17487/RFC1321, April 1992, | DOI 10.17487/RFC1321, April 1992, | ||
<https://www.rfc-editor.org/info/rfc1321>. | <https://www.rfc-editor.org/info/rfc1321>. | ||
− | + | [[RFC2119]] Bradner, S., "Key words for use in RFCs to Indicate | |
− | Requirement Levels", BCP 14, RFC 2119, | + | Requirement Levels", [[BCP14|BCP 14]], [[RFC2119|RFC 2119]], |
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | ||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | ||
− | + | [[RFC2743]] Linn, J., "Generic Security Service Application Program | |
− | Interface Version 2, Update 1", RFC 2743, | + | Interface Version 2, Update 1", [[RFC2743|RFC 2743]], |
DOI 10.17487/RFC2743, January 2000, | DOI 10.17487/RFC2743, January 2000, | ||
<https://www.rfc-editor.org/info/rfc2743>. | <https://www.rfc-editor.org/info/rfc2743>. | ||
− | + | [[RFC3526]] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |
Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | ||
− | RFC 3526, DOI 10.17487/RFC3526, May 2003, | + | [[RFC3526|RFC 3526]], DOI 10.17487/RFC3526, May 2003, |
<https://www.rfc-editor.org/info/rfc3526>. | <https://www.rfc-editor.org/info/rfc3526>. | ||
− | + | [[RFC4462]] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, | |
"Generic Security Service Application Program Interface | "Generic Security Service Application Program Interface | ||
(GSS-API) Authentication and Key Exchange for the Secure | (GSS-API) Authentication and Key Exchange for the Secure | ||
− | Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May | + | Shell (SSH) Protocol", [[RFC4462|RFC 4462]], DOI 10.17487/RFC4462, May |
2006, <https://www.rfc-editor.org/info/rfc4462>. | 2006, <https://www.rfc-editor.org/info/rfc4462>. | ||
− | + | [[RFC4648]] Josefsson, S., "The Base16, Base32, and Base64 Data | |
− | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | + | Encodings", [[RFC4648|RFC 4648]], DOI 10.17487/RFC4648, October 2006, |
<https://www.rfc-editor.org/info/rfc4648>. | <https://www.rfc-editor.org/info/rfc4648>. | ||
− | + | [[RFC5656]] Stebila, D. and J. Green, "Elliptic Curve Algorithm | |
Integration in the Secure Shell Transport Layer", | Integration in the Secure Shell Transport Layer", | ||
− | RFC 5656, DOI 10.17487/RFC5656, December 2009, | + | [[RFC5656|RFC 5656]], DOI 10.17487/RFC5656, December 2009, |
<https://www.rfc-editor.org/info/rfc5656>. | <https://www.rfc-editor.org/info/rfc5656>. | ||
− | + | [[RFC7546]] Kaduk, B., "Structure of the Generic Security Service | |
− | (GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, | + | (GSS) Negotiation Loop", [[RFC7546|RFC 7546]], DOI 10.17487/RFC7546, |
May 2015, <https://www.rfc-editor.org/info/rfc7546>. | May 2015, <https://www.rfc-editor.org/info/rfc7546>. | ||
− | + | [[RFC7748]] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |
− | for Security", RFC 7748, DOI 10.17487/RFC7748, January | + | for Security", [[RFC7748|RFC 7748]], DOI 10.17487/RFC7748, January |
2016, <https://www.rfc-editor.org/info/rfc7748>. | 2016, <https://www.rfc-editor.org/info/rfc7748>. | ||
− | + | [[RFC8174]] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |
− | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | + | 2119 Key Words", [[BCP14|BCP 14]], [[RFC8174|RFC 8174]], DOI 10.17487/RFC8174, |
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||
− | + | [[RFC8731]] Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure | |
Shell (SSH) Key Exchange Method Using Curve25519 and | Shell (SSH) Key Exchange Method Using Curve25519 and | ||
− | Curve448", RFC 8731, DOI 10.17487/RFC8731, February 2020, | + | Curve448", [[RFC8731|RFC 8731]], DOI 10.17487/RFC8731, February 2020, |
<https://www.rfc-editor.org/info/rfc8731>. | <https://www.rfc-editor.org/info/rfc8731>. | ||
Line 581: | Line 581: | ||
NIST.SP.800-131Ar2.pdf>. | NIST.SP.800-131Ar2.pdf>. | ||
− | + | [[RFC6194]] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | |
Considerations for the SHA-0 and SHA-1 Message-Digest | Considerations for the SHA-0 and SHA-1 Message-Digest | ||
− | Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | + | Algorithms", [[RFC6194|RFC 6194]], DOI 10.17487/RFC6194, March 2011, |
<https://www.rfc-editor.org/info/rfc6194>. | <https://www.rfc-editor.org/info/rfc6194>. | ||
− | + | [[RFC6234]] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | |
− | (SHA and SHA-based HMAC and HKDF)", RFC 6234, | + | (SHA and SHA-based HMAC and HKDF)", [[RFC6234|RFC 6234]], |
DOI 10.17487/RFC6234, May 2011, | DOI 10.17487/RFC6234, May 2011, | ||
<https://www.rfc-editor.org/info/rfc6234>. | <https://www.rfc-editor.org/info/rfc6234>. | ||
− | + | [[RFC8268]] Baushke, M., "More Modular Exponentiation (MODP) Diffie- | |
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell | Hellman (DH) Key Exchange (KEX) Groups for Secure Shell | ||
− | (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, | + | (SSH)", [[RFC8268|RFC 8268]], DOI 10.17487/RFC8268, December 2017, |
<https://www.rfc-editor.org/info/rfc8268>. | <https://www.rfc-editor.org/info/rfc8268>. | ||
Latest revision as of 10:56, 30 October 2020
Internet Engineering Task Force (IETF) S. Sorce Request for Comments: 8732 H. Kario Updates: 4462 Red Hat, Inc. Category: Standards Track February 2020 ISSN: 2070-1721
Generic Security Service Application Program Interface (GSS-API) Key Exchange with SHA-2
Abstract
This document specifies additions and amendments to RFC 4462. It defines a new key exchange method that uses SHA-2 for integrity and deprecates weak Diffie-Hellman (DH) groups. The purpose of this specification is to modernize the cryptographic primitives used by Generic Security Service (GSS) key exchanges.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8732.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1. Introduction 2. Rationale 3. Document Conventions 4. New Diffie-Hellman Key Exchange Methods 5. New Elliptic Curve Diffie-Hellman Key Exchange Methods
5.1. Generic GSS-API Key Exchange with ECDH 5.2. ECDH Key Exchange Methods
6. Deprecated Algorithms 7. IANA Considerations 8. Security Considerations
8.1. New Finite Field DH Mechanisms 8.2. New Elliptic Curve DH Mechanisms 8.3. GSS-API Delegation
9. References
9.1. Normative References 9.2. Informative References
Authors' Addresses
Contents
Introduction
Secure Shell (SSH) Generic Security Service Application Program Interface (GSS-API) methods RFC4462 allow the use of GSS-API RFC2743 for authentication and key exchange in SSH. RFC4462 defines three exchange methods all based on DH groups and SHA-1. This document updates RFC4462 with new methods intended to support environments that desire to use the SHA-2 cryptographic hash functions.
Rationale
Due to security concerns with SHA-1 RFC6194 and with modular exponentiation (MODP) groups with less than 2048 bits [NIST-SP-800-131Ar2], we propose the use of hashes based on SHA-2 RFC6234 with DH group14, group15, group16, group17, and group18 RFC3526. Additionally, we add support for key exchange based on Elliptic Curve Diffie-Hellman with the NIST P-256, P-384, and P-521 [SEC2v2], as well as the X25519 and X448 RFC7748 curves. Following the practice of RFC8268, only SHA-256 and SHA-512 hashes are used for DH groups. For NIST curves, the same curve-to-hashing algorithm pairing used in RFC5656 is adopted for consistency.
Document Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 RFC8174 when, and only when, they appear in all capitals, as shown here.
New Diffie-Hellman Key Exchange Methods
This document adopts the same naming convention defined in RFC4462 to define families of methods that cover any GSS-API mechanism used with a specific Diffie-Hellman group and SHA-2 hash combination.
+--------------------------+--------------------------------+ | Key Exchange Method Name | Implementation Recommendations | +==========================+================================+ | gss-group14-sha256-* | SHOULD/RECOMMENDED | +--------------------------+--------------------------------+ | gss-group15-sha512-* | MAY/OPTIONAL | +--------------------------+--------------------------------+ | gss-group16-sha512-* | SHOULD/RECOMMENDED | +--------------------------+--------------------------------+ | gss-group17-sha512-* | MAY/OPTIONAL | +--------------------------+--------------------------------+ | gss-group18-sha512-* | MAY/OPTIONAL | +--------------------------+--------------------------------+
Table 1: New Key Exchange Algorithms
Each key exchange method prefix is registered by this document. The IESG is the change controller of all these key exchange methods; this does NOT imply that the IESG is considered to be in control of the corresponding GSS-API mechanism.
Each method in any family of methods (Table 2) specifies GSS-API- authenticated Diffie-Hellman key exchanges as described in Section 2.1 of RFC4462. The method name for each method (Table 1) is the concatenation of the family name prefix with the base64 encoding of the MD5 hash RFC1321 of the ASN.1 DER encoding [ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. Base64 encoding is described in Section 4 of RFC4648.
+---------------------+---------------+----------+--------------+ | Family Name Prefix | Hash Function | Group | Reference | +=====================+===============+==========+==============+ | gss-group14-sha256- | SHA-256 | 2048-bit | Section 3 of | | | | MODP | RFC3526 | +---------------------+---------------+----------+--------------+ | gss-group15-sha512- | SHA-512 | 3072-bit | Section 4 of | | | | MODP | RFC3526 | +---------------------+---------------+----------+--------------+ | gss-group16-sha512- | SHA-512 | 4096-bit | Section 5 of | | | | MODP | RFC3526 | +---------------------+---------------+----------+--------------+ | gss-group17-sha512- | SHA-512 | 6144-bit | Section 6 of | | | | MODP | RFC3526 | +---------------------+---------------+----------+--------------+ | gss-group18-sha512- | SHA-512 | 8192-bit | Section 7 of | | | | MODP | RFC3526 | +---------------------+---------------+----------+--------------+
Table 2: Family Method References
New Elliptic Curve Diffie-Hellman Key Exchange Methods
In RFC5656, new SSH key exchange algorithms based on elliptic curve cryptography are introduced. We reuse much of Section 4 of RFC5656 to define GSS-API-authenticated Elliptic Curve Diffie-Hellman (ECDH) key exchanges.
Additionally, we also utilize the curves defined in RFC8731 to complement the three classic NIST-defined curves required by RFC5656.
Generic GSS-API Key Exchange with ECDH
This section reuses much of the scheme defined in Section 2.1 of RFC4462 and combines it with the scheme defined in Section 4 of RFC5656; in particular, all checks and verification steps prescribed in Section 4 of RFC5656 apply here as well.
The key-agreement schemes "ECDHE-Curve25519" and "ECDHE-Curve448" perform the Diffie-Hellman protocol using the functions X25519 and X448, respectively. Implementations MUST compute these functions using the algorithms described in RFC7748. When they do so, implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in Section 6 of RFC7748. Alternative implementations of these functions SHOULD abort when either the client or the server input forces the shared secret to one of a small set of values, as described in Sections 6 and 7 of RFC7748.
This section defers to RFC7546 as the source of information on GSS- API context establishment operations, Section 3 being the most relevant. All security considerations described in RFC7546 apply here, too.
The parties each generate an ephemeral key pair, according to Section 3.2.1 of [SEC1v2]. Keys are verified upon receipt by the parties according to Section 3.2.3.1 of [SEC1v2].
For NIST curves, the keys use the uncompressed point representation and MUST be converted using the algorithm in Section 2.3.4 of [SEC1v2]. If the conversion fails or the point is transmitted using the compressed representation, the key exchange MUST fail.
A GSS context is established according to Section 4 of RFC5656; the client initiates the establishment using GSS_Init_sec_context(), and the server responds to it using GSS_Accept_sec_context(). For the negotiation, the client MUST set mutual_req_flag and integ_req_flag to "true". In addition, deleg_req_flag MAY be set to "true" to request access delegation, if requested by the user. Since the key exchange process authenticates only the host, the setting of anon_req_flag is immaterial to this process. If the client does not support the "gssapi-keyex" user authentication method described in Section 4 of RFC4462, or does not intend to use that method in conjunction with the GSS-API context established during key exchange, then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY be set to "true" if the client wishes to hide its identity. This key exchange process will exchange only a single message token once the context has been established; therefore, the replay_det_req_flag and sequence_req_flag SHOULD be set to "false".
The client MUST include its public key with the first message it sends to the server during this process; if the server receives more than one key or none at all, the key exchange MUST fail.
During GSS context establishment, multiple tokens may be exchanged by the client and the server. When the GSS context is established (major_status is GSS_S_COMPLETE), the parties check that mutual_state and integ_avail are both "true". If not, the key exchange MUST fail.
Once a party receives the peer's public key, it proceeds to compute a shared secret K. For NIST curves, the computation is done according to Section 3.3.1 of [SEC1v2], and the resulting value z is converted to the octet string K using the conversion defined in Section 2.3.5 of [SEC1v2]. For curve25519 and curve448, the algorithms in Section 6 of RFC7748 are used instead.
To verify the integrity of the handshake, peers use the hash function defined by the selected key exchange method to calculate H:
H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).
The server uses the GSS_GetMIC() call with H as the payload to generate a Message Integrity Code (MIC). The GSS_VerifyMIC() call is used by the client to verify the MIC.
If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a major_status other than GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations expressed in Section 2.1 of RFC4462 are followed with regard to error reporting.
The following is an overview of the key exchange process:
Client Server ------ ------ Generates ephemeral key pair. Calls GSS_Init_sec_context(). SSH_MSG_KEXGSS_INIT --------------->
Verifies received key.
(Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY
(Loop) | Calls GSS_Accept_sec_context(). | <------------ SSH_MSG_KEXGSS_CONTINUE | Calls GSS_Init_sec_context(). | SSH_MSG_KEXGSS_CONTINUE ------------>
Calls GSS_Accept_sec_context(). Generates ephemeral key pair. Computes shared secret. Computes hash H. Calls GSS_GetMIC( H ) = MIC. <------------ SSH_MSG_KEXGSS_COMPLETE
Verifies received key. Computes shared secret. Computes hash H. Calls GSS_VerifyMIC( MIC, H ).
This is implemented with the following messages:
The client sends:
byte SSH_MSG_KEXGSS_INIT string output_token (from GSS_Init_sec_context()) string Q_C, client's ephemeral public key octet string
The server may respond with:
byte SSH_MSG_KEXGSS_HOSTKEY string server public host key and certificates (K_S)
The server sends:
byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Accept_sec_context())
Each time the client receives the message described above, it makes another call to GSS_Init_sec_context().
The client sends:
byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Init_sec_context())
As the final message, the server sends the following if an output_token is produced:
byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean TRUE string output_token (from GSS_Accept_sec_context())
If no output_token is produced, the server sends:
byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean FALSE
The hash H is computed as the HASH hash of the concatenation of the following:
string V_C, the client's version string (CR, NL excluded) string V_S, server's version string (CR, NL excluded) string I_C, payload of the client's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT string K_S, server's public host key string Q_C, client's ephemeral public key octet string string Q_S, server's ephemeral public key octet string mpint K, shared secret
This value is called the "exchange hash", and it is used to authenticate the key exchange. The exchange hash SHOULD be kept secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the server or received by the client, then the empty string is used in place of K_S when computing the exchange hash.
Since this key exchange method does not require the host key to be used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY message is OPTIONAL. If the "null" host key algorithm described in Section 5 of RFC4462 is used, this message MUST NOT be sent.
If the client receives an SSH_MSG_KEXGSS_CONTINUE message after a call to GSS_Init_sec_context() has returned a major_status code of GSS_S_COMPLETE, a protocol error has occurred, and the key exchange MUST fail.
If the client receives an SSH_MSG_KEXGSS_COMPLETE message and a call to GSS_Init_sec_context() does not result in a major_status code of GSS_S_COMPLETE, a protocol error has occurred, and the key exchange MUST fail.
ECDH Key Exchange Methods
+--------------------------+--------------------------------+ | Key Exchange Method Name | Implementation Recommendations | +==========================+================================+ | gss-nistp256-sha256-* | SHOULD/RECOMMENDED | +--------------------------+--------------------------------+ | gss-nistp384-sha384-* | MAY/OPTIONAL | +--------------------------+--------------------------------+ | gss-nistp521-sha512-* | MAY/OPTIONAL | +--------------------------+--------------------------------+ | gss-curve25519-sha256-* | SHOULD/RECOMMENDED | +--------------------------+--------------------------------+ | gss-curve448-sha512-* | MAY/OPTIONAL | +--------------------------+--------------------------------+
Table 3: New Key Exchange Methods
Each key exchange method prefix is registered by this document. The IESG is the change controller of all these key exchange methods; this does NOT imply that the IESG is considered to be in control of the corresponding GSS-API mechanism.
Each method in any family of methods (Table 4) specifies GSS-API- authenticated Elliptic Curve Diffie-Hellman key exchanges as described in Section 5.1. The method name for each method (Table 3) is the concatenation of the family method name with the base64 encoding of the MD5 hash RFC1321 of the ASN.1 DER encoding [ISO-IEC-8825-1] of the corresponding GSS-API mechanism's OID. Base64 encoding is described in Section 4 of RFC4648.
+------------------------+----------+---------------+---------------+ | Family Name Prefix | Hash | Parameters / | Definition | | | Function | Function Name | | +========================+==========+===============+===============+ | gss-nistp256-sha256- | SHA-256 | secp256r1 | Section | | | | | 2.4.2 of | | | | | [SEC2v2] | +------------------------+----------+---------------+---------------+ | gss-nistp384-sha384- | SHA-384 | secp384r1 | Section | | | | | 2.5.1 of | | | | | [SEC2v2] | +------------------------+----------+---------------+---------------+ | gss-nistp521-sha512- | SHA-512 | secp521r1 | Section | | | | | 2.6.1 of | | | | | [SEC2v2] | +------------------------+----------+---------------+---------------+ | gss-curve25519-sha256- | SHA-256 | X22519 | Section 5 | | | | | of | | | | | RFC7748 | +------------------------+----------+---------------+---------------+ | gss-curve448-sha512- | SHA-512 | X448 | Section 5 | | | | | of | | | | | RFC7748 | +------------------------+----------+---------------+---------------+
Table 4: Family Method References
Deprecated Algorithms
Because they have small key lengths and are no longer strong in the face of brute-force attacks, the algorithms in the following table are considered deprecated and SHOULD NOT be used.
+--------------------------+--------------------------------+ | Key Exchange Method Name | Implementation Recommendations | +==========================+================================+ | gss-group1-sha1-* | SHOULD NOT | +--------------------------+--------------------------------+ | gss-group14-sha1-* | SHOULD NOT | +--------------------------+--------------------------------+ | gss-gex-sha1-* | SHOULD NOT | +--------------------------+--------------------------------+
Table 5: Deprecated Algorithms
IANA Considerations
This document augments the SSH key exchange message names that were defined in RFC4462 (see and Section 6); IANA has listed this document as reference for those entries in the "SSH Protocol Parameters" [IANA-KEX-NAMES] registry.
In addition, IANA has updated the registry to include the SSH key exchange message names described in Sections 4 and 5.
+--------------------------+-----------+ | Key Exchange Method Name | Reference | +==========================+===========+ | gss-group1-sha1-* | RFC 8732 | +--------------------------+-----------+ | gss-group14-sha1-* | RFC 8732 | +--------------------------+-----------+ | gss-gex-sha1-* | RFC 8732 | +--------------------------+-----------+ | gss-group14-sha256-* | RFC 8732 | +--------------------------+-----------+ | gss-group15-sha512-* | RFC 8732 | +--------------------------+-----------+ | gss-group16-sha512-* | RFC 8732 | +--------------------------+-----------+ | gss-group17-sha512-* | RFC 8732 | +--------------------------+-----------+ | gss-group18-sha512-* | RFC 8732 | +--------------------------+-----------+ | gss-nistp256-sha256-* | RFC 8732 | +--------------------------+-----------+ | gss-nistp384-sha384-* | RFC 8732 | +--------------------------+-----------+ | gss-nistp521-sha512-* | RFC 8732 | +--------------------------+-----------+ | gss-curve25519-sha256-* | RFC 8732 | +--------------------------+-----------+ | gss-curve448-sha512-* | RFC 8732 | +--------------------------+-----------+
Table 6: Additions/Changes to the Key Exchange Method Names Registry
Security Considerations
New Finite Field DH Mechanisms
Except for the use of a different secure hash function and larger DH groups, no significant changes have been made to the protocol described by RFC4462; therefore, all the original security considerations apply.
New Elliptic Curve DH Mechanisms
Although a new cryptographic primitive is used with these methods, the actual key exchange closely follows the key exchange defined in RFC5656; therefore, all the original security considerations, as well as those expressed in RFC5656, apply.
GSS-API Delegation
Some GSS-API mechanisms can act on a request to delegate credentials to the target host when the deleg_req_flag is set. In this case, extra care must be taken to ensure that the acceptor being authenticated matches the target the user intended. Some mechanism implementations (such as commonly used krb5 libraries) may use insecure DNS resolution to canonicalize the target name; in these cases, spoofing a DNS response that points to an attacker-controlled machine may result in the user silently delegating credentials to the attacker, who can then impersonate the user at will.
References
Normative References
RFC1321 Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, <https://www.rfc-editor.org/info/rfc1321>.
RFC2119 Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
RFC2743 Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, DOI 10.17487/RFC2743, January 2000, <https://www.rfc-editor.org/info/rfc2743>.
RFC3526 Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, DOI 10.17487/RFC3526, May 2003, <https://www.rfc-editor.org/info/rfc3526>.
RFC4462 Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
"Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May 2006, <https://www.rfc-editor.org/info/rfc4462>.
RFC4648 Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, <https://www.rfc-editor.org/info/rfc4648>.
RFC5656 Stebila, D. and J. Green, "Elliptic Curve Algorithm
Integration in the Secure Shell Transport Layer", RFC 5656, DOI 10.17487/RFC5656, December 2009, <https://www.rfc-editor.org/info/rfc5656>.
RFC7546 Kaduk, B., "Structure of the Generic Security Service
(GSS) Negotiation Loop", RFC 7546, DOI 10.17487/RFC7546, May 2015, <https://www.rfc-editor.org/info/rfc7546>.
RFC7748 Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.
RFC8174 Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
RFC8731 Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure
Shell (SSH) Key Exchange Method Using Curve25519 and Curve448", RFC 8731, DOI 10.17487/RFC8731, February 2020, <https://www.rfc-editor.org/info/rfc8731>.
[SEC1v2] Standards for Efficient Cryptography Group, "SEC 1:
Elliptic Curve Cryptography", Version 2.0, May 2009.
[SEC2v2] Standards for Elliptic Cryptography Group, "SEC 2:
Recommended Elliptic Curve Domain Parameters", Version 2.0, January 2010.
Informative References
[IANA-KEX-NAMES]
IANA, "Secure Shell (SSH) Protocol Parameters: Key Exchange Method Names", <https://www.iana.org/assignments/ssh-parameters/>.
[ISO-IEC-8825-1]
ITU-T, "Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ISO/IEC 8825-1:2015, ITU-T Recommendation X.690, November 2015, <http://standards.iso.org/ittf/PubliclyAvailableStandards/ c068345_ISO_IEC_8825-1_2015.zip>.
[NIST-SP-800-131Ar2]
National Institute of Standards and Technology, "Transitioning of the Use of Cryptographic Algorithms and Key Lengths", DOI 10.6028/NIST.SP.800-131Ar2, NIST Special Publication 800-131A Revision 2, November 2015, <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-131Ar2.pdf>.
RFC6194 Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, <https://www.rfc-editor.org/info/rfc6194>.
RFC6234 Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <https://www.rfc-editor.org/info/rfc6234>.
RFC8268 Baushke, M., "More Modular Exponentiation (MODP) Diffie-
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, <https://www.rfc-editor.org/info/rfc8268>.
Authors' Addresses
Simo Sorce Red Hat, Inc. 140 Broadway, 24th Floor New York, NY 10025 United States of America
Email: [email protected]
Hubert Kario Red Hat, Inc. Purkynova 115 612 00 Brno Czech Republic
Email: [email protected]