[To+ Ron, Alexandre, mosh-devel, Simon] question on rsa2048-sha256 KeX for SSH
Summary: Is anyone actively using rsa2048-sha256 for a Secure Shell key exchange per RFC 4432? The Security Area Director Benjamin Kaduk has concerns regarding this key exchange algorithm (see messages below). The IETF draft https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/ is presently in Last Call. This draft is in the process of suggesting "MUST NOT" for rsa1024-sha1. The question on the table is whether the same rating should be applied to rsa2048-sha256, or whether RFC 4432 should itself be moved to Historic, or whether this is still a useful key exchange that is being actively used. Ben desires data, and it is my suggestion that the supporters of the implementations that provide rsa2048-sha256 may have information on this topic. Comments welcome.

Hi Ben & Peter,

To Peter's question, my straw poll was explicitly about the *-sha1 key exchanges, which did not include the rsa2048-sha256 kex.

If I go to https://ssh-comparison.quendi.de/comparison/kex.html I see that rsa2048-sha256 is supported by the following implementations:

  AsyncSSH (maintained by Ron Frederick)
  libassh (maintained by Alexandre Becoulet)
  Mobile SSH (aka Mosh via mosh.org and <mosh-devel@mit.edu>) (original paper authors Keith Winstein <kei...@mit.edu>, Hari Balakrishnan <h...@mit.edu>)
  PuTTY (maintained by Simon Tatham)

There may be other implementations that are not in the comparison chart, but I think this may be a good start. I have added Ron, Alexandre, mosh-devel@mit.edu, and Simon to the TO line for this message.

Thank you for your participation in this thread.
Be safe, stay healthy,
-- Mark

------- original messages -------

Date: Wed, 10 Feb 2021 20:25:51 -0800
From: Benjamin Kaduk <ka...@mit.edu>
To: cur...@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/uo-OEckOhU8CKCzwwws6kKNsM2s>
Subject: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy

While reviewing draft-ietf-curdle-ssh-kex-sha2, I followed many of the references, which included RFC 4432, which defines the "rsa1024-sha1" (getting deprecated for SHA-1 usage) and "rsa2048-sha256" (which is not) key exchange methods.

While the specific construction is claimed to still produce contributory behavior in practice (due to the client-contributed key only ever being used in combination with the hash of server-provided data), it seems to still be the case that if the RSA private key is revealed, the session key is revealed, which is mostly the standard non-forward-secret behavior. Things are perhaps better if you buy into the theory that "it may be a transient key generated solely for this SSH connection, or it may be re-used for several connections" is supposed to prevent indefinite reuse of the RSA keypair, which seems ... not very reassuring.

While it's not clear to me that there's specific reason to (say) move the whole RFC to Historic status or claim that it is obsoleted by some more-modern key-exchange method, it does seem likely to me that we could get IETF consensus that actually using rsa2048-sha256 is generally a bad idea. (Or maybe we could get consensus to move it to Historic.) Perhaps an RFC 2026 Applicability Statement would be an appropriate tool for this case?

But most likely the best place to start would be to ask how widely it's implemented and if it's known to be in use anywhere...does anyone have data?
Thanks,

Ben

_______________________________________________
Curdle mailing list
cur...@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

------- message 2 -------

From: Peter Gutmann <pgut...@cs.auckland.ac.nz>
To: Benjamin Kaduk <ka...@mit.edu>, "cur...@ietf.org" <cur...@ietf.org>
Date: Thu, 11 Feb 2021 04:47:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/vwS-A4E04Mg1A8avNfWqaXtZli0>
Subject: Re: [Curdle] RSA key transport for SSH (RFC 4432) and forward secrecy

Benjamin Kaduk <ka...@mit.edu> writes:

>But most likely the best place to start would be to ask how widely it's
>implemented and if it's known to be in use anywhere...does anyone have data?

We could start with Mark Baushke's KEX straw poll from a month ago, I think pretty much everyone voted RSA a MUST NOT which would indicate that no-one's going to miss it.

Peter.

------- end of original messages -------

_______________________________________________
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel
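The forward-secrecy point Ben raises above, shown in code. This is an added example by the editor, not code from the thread or from any of the implementations listed (AsyncSSH, libassh, Mosh, PuTTY). It simulates the rsa2048-sha256 exchange of RFC 4432 in pure Python (toy RSA key generation, RSAES-OAEP with SHA-256, the RFC 4432 exchange hash, RFC 4253 key derivation) and then plays the passive eavesdropper: given only the recorded transcript plus the private half of the "transient" key K_T, recovered later through compromise or because the server reused it across connections, the attacker derives the same session key the client did. The version strings, KEXINIT payloads and host-key blob are constructed placeholders, the RSA key generation is a demonstration-only routine, and the message encodings follow the editor's reading of RFC 4432 section 4 and RFC 4251/4253; none of this is taken from a real implementation.

```python
"""RFC 4432 rsa2048-sha256 simulated end to end, then the eavesdropper's recovery.
Editor's added example; demonstration only, not production crypto."""
import hashlib, os, random, struct

HASH, HLEN, KLEN = hashlib.sha256, 32, 2048   # SHA-256, 32-byte digest, 2048-bit K_T
_SMALL = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=24):
    """Trial division by small odd primes, then Miller-Rabin with `rounds` random bases."""
    for p in _SMALL:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=KLEN):
    """Toy RSA keygen: returns ((n, e), (n, d)). Fine for a demo, not for real use."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def _mgf1(seed, length):
    return b"".join(HASH(seed + struct.pack(">I", c)).digest()
                    for c in range((length + HLEN - 1) // HLEN))[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(pub, msg):
    """RSAES-OAEP (RFC 8017) with SHA-256 and an empty label, as RFC 4432 specifies."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    db = HASH(b"").digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN)
    masked_db = _xor(db, _mgf1(seed, k - HLEN - 1))
    em = b"\x00" + _xor(seed, _mgf1(masked_db, HLEN)) + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def oaep_decrypt(priv, ct):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    db = _xor(masked_db, _mgf1(_xor(masked_seed, _mgf1(masked_db, HLEN)), k - HLEN - 1))
    if em[0] != 0 or db[:HLEN] != HASH(b"").digest():
        raise ValueError("decryption error")
    return db[HLEN:].lstrip(b"\x00")[1:]          # strip PS zeros and the 0x01 separator

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x):
    """RFC 4251 mpint: big-endian, with a leading 0x00 when the high bit is set."""
    return ssh_string(b"" if x == 0 else x.to_bytes(x.bit_length() // 8 + 1, "big"))

def encode_kt(pub):
    n, e = pub                                    # public-key blob in ssh-rsa layout (assumed)
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def kex_hash(vc, vs, ic, is_, ks, kt, ct, k):
    """RFC 4432: H = HASH(V_C || V_S || I_C || I_S || K_S || K_T || enc(K) || K)."""
    return HASH(b"".join(ssh_string(s) for s in (vc, vs, ic, is_, ks, kt, ct)) + ssh_mpint(k)).digest()

def derive_key(k, h, letter, session_id):
    """RFC 4253 7.2, e.g. letter b'C' = client-to-server encryption key."""
    return HASH(ssh_mpint(k) + h + letter + session_id).digest()

def simulate_kex():
    """Server makes transient K_T; client picks K and sends it OAEP-encrypted.
    Returns (transcript, client_c2s_key, kt_priv): the transcript is what an
    eavesdropper records, kt_priv is what a later compromise or key reuse hands them."""
    kt_pub, kt_priv = rsa_keygen(KLEN)
    vc, vs = b"SSH-2.0-client_demo", b"SSH-2.0-server_demo"             # constructed
    ic, is_, ks = b"<client KEXINIT>", b"<server KEXINIT>", b"<host key blob>"  # constructed
    kt = encode_kt(kt_pub)
    k = _rng.getrandbits(KLEN - 2 * HLEN * 8 - 49)   # RFC 4432 range for K (HLEN in bits)
    ct = oaep_encrypt(kt_pub, ssh_mpint(k))          # SSH_MSG_KEXRSA_SECRET payload
    h = kex_hash(vc, vs, ic, is_, ks, kt, ct, k)     # server signs H with host key (omitted)
    return (vc, vs, ic, is_, ks, kt, ct), derive_key(k, h, b"C", h), kt_priv

def eavesdropper_recovers(transcript, kt_priv):
    """Transcript + K_T private key is enough: no ephemeral client secret protects K."""
    vc, vs, ic, is_, ks, kt, ct = transcript
    k = int.from_bytes(oaep_decrypt(kt_priv, ct)[4:], "big")   # drop mpint length prefix
    h = kex_hash(vc, vs, ic, is_, ks, kt, ct, k)
    return derive_key(k, h, b"C", h)

if __name__ == "__main__":
    transcript, client_key, kt_priv = simulate_kex()
    print("eavesdropper matches client:", eavesdropper_recovers(transcript, kt_priv) == client_key)
```

Contrast this with a Diffie-Hellman or ECDH kex, where both sides discard their ephemeral exponent after computing K; there is no long-lived secret an attacker can obtain later that turns a recorded transcript back into session keys. Here the only thing standing between a recorded session and decryption is how long the server keeps K_T's private key around, which is exactly the "may be re-used for several connections" clause Ben quotes.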