| draft-ietf-curdle-rsa-sha2-05.txt | draft-ietf-curdle-rsa-sha2-06.txt |
|---|---|
| Internet-Draft D. Bider | Internet-Draft D. Bider |
| Updates: 4252, 4253 (if approved) Bitvise Limited | Updates: 4252, 4253 (if approved) Bitvise Limited |
| Intended status: Standards Track April 9, 2017 | Intended status: Standards Track April 24, 2017 |
| Expires: October 9, 2017 | Expires: October 24, 2017 |
| Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) | Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) |
| draft-ietf-curdle-rsa-sha2-05.txt | draft-ietf-curdle-rsa-sha2-06.txt |
| Abstract | Abstract |
| This memo updates [RFC4252] and [RFC4253] to define an algorithm name, | This memo updates RFC 4252 and RFC 4253 to define an algorithm name, |
| public key format, and signature format for use of RSA keys with SHA-2 | public key format, and signature format for use of RSA keys with SHA-2 |
| hashing for server and client authentication in SSH connections. | hashing for server and client authentication in SSH connections. |
| Status | Status |
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering Task | Internet-Drafts are working documents of the Internet Engineering Task |
| Force (IETF), its areas, and its working groups. Note that other | Force (IETF), its areas, and its working groups. Note that other |
| skipping to change at page 6, line 31 | skipping to change at page 6, line 31 |
| better received than one that is abrupt and incompatible. It advises | better received than one that is abrupt and incompatible. It advises |
| that SSH implementations add support for new RSA signature algorithms | that SSH implementations add support for new RSA signature algorithms |
| along with SSH_MSG_EXT_INFO and the "server-sig-algs" extension to | along with SSH_MSG_EXT_INFO and the "server-sig-algs" extension to |
| allow coexistence of new deployments with older versions that support | allow coexistence of new deployments with older versions that support |
| only "ssh-rsa". Nevertheless, implementations SHOULD start to disable | only "ssh-rsa". Nevertheless, implementations SHOULD start to disable |
| "ssh-rsa" in their default configurations as soon as they have reason | "ssh-rsa" in their default configurations as soon as they have reason |
| to believe that new RSA signature algorithms have been widely adopted. | to believe that new RSA signature algorithms have been widely adopted. |
| 5.3. PKCS#1 v1.5 Padding and Signature Verification | 5.3. PKCS#1 v1.5 Padding and Signature Verification |
| This document prescribes use of PKCS#1 v1.5 signature padding because: | This document prescribes RSASSA-PKCS1-v1_5 signature padding because: |
| (1) PSS is not universally available to all SSH implementations; | (1) RSASSA-PSS is not universally available to all implementations; |
| (2) PKCS#1 v1.5 is widely supported in existing SSH implementations; | (2) PKCS#1 v1.5 is widely supported in existing SSH implementations; |
| (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme, | (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme. |
| assuming reasonable implementation. | |
| Implementers are advised that a signature with PKCS#1 v1.5 padding | Implementers are advised that a signature with PKCS#1 v1.5 padding |
| MUST NOT be verified by applying the RSA key to the signature, and | MUST NOT be verified by applying the RSA key to the signature, and |
| then parsing the output to extract the hash. This may give an attacker | then parsing the output to extract the hash. This may give an attacker |
| opportunities to exploit flaws in the parsing and vary the encoding. | opportunities to exploit flaws in the parsing and vary the encoding. |
| Implementations SHOULD apply PKCS#1 v1.5 padding to the expected hash, | Implementations SHOULD apply PKCS#1 v1.5 padding to the expected hash, |
| THEN compare the encoded bytes with the output of the RSA operation. | THEN compare the encoded bytes with the output of the RSA operation. |
| 6. Why no DSA? | 6. Why no DSA? |
| skipping to change at page 7, line 29 | skipping to change at page 7, line 29 |
| [RFC4251] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4251] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) |
| Protocol Architecture", RFC 4251, January 2006. | Protocol Architecture", RFC 4251, January 2006. |
| [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) |
| Authentication Protocol", RFC 4252, January 2006. | Authentication Protocol", RFC 4252, January 2006. |
| [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) |
| Transport Layer Protocol", RFC 4253, January 2006. | Transport Layer Protocol", RFC 4253, January 2006. |
| [RFC8017] Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A., | |
| "PKCS #1: RSA Cryptography Specifications Version 2.2", | |
| RFC 8017, November 2016. | |
| 7.2. Informative References | 7.2. Informative References |
| [800-131A] National Institute of Standards and Technology (NIST), | [800-131A] National Institute of Standards and Technology (NIST), |
| "Transitions: Recommendation for Transitioning the Use of | "Transitions: Recommendation for Transitioning the Use of |
| Cryptographic Algorithms and Key Lengths", NIST Special | Cryptographic Algorithms and Key Lengths", NIST Special |
| Publication 800-131A, January 2011, <http://csrc.nist.gov/ | Publication 800-131A, January 2011, <http://csrc.nist.gov/ |
| publications/nistpubs/800-131A/sp800-131A.pdf>. | publications/nistpubs/800-131A/sp800-131A.pdf>. |
| [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) |
| Protocol Assigned Numbers", RFC 4250, January 2006. | Protocol Assigned Numbers", RFC 4250, January 2006. |
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital | [RFC6979] Pornin, T., "Deterministic Usage of the Digital |
| Signature Algorithm (DSA) and Elliptic Curve Digital | Signature Algorithm (DSA) and Elliptic Curve Digital |
| Signature Algorithm (ECDSA)", RFC 6979, August 2013. | Signature Algorithm (ECDSA)", RFC 6979, August 2013. |
| | [RFC8017] Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A., |
| | "PKCS #1: RSA Cryptography Specifications Version 2.2", |
| | RFC 8017, November 2016. |
| [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)", | [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)", |
| draft-ietf-curdle-ssh-ext-info-04.txt, April 2017, | draft-ietf-curdle-ssh-ext-info-05.txt, April 2017, |
| <https://tools.ietf.org/html/ | <https://tools.ietf.org/html/ |
| draft-ietf-curdle-ssh-ext-info-04>. | draft-ietf-curdle-ssh-ext-info-05>. |
| [IANA-PKA] "Secure Shell (SSH) Protocol Parameters", | [IANA-PKA] "Secure Shell (SSH) Protocol Parameters", |
| <https://www.iana.org/assignments/ssh-parameters/ | <https://www.iana.org/assignments/ssh-parameters/ |
| ssh-parameters.xhtml#ssh-parameters-19>. | ssh-parameters.xhtml#ssh-parameters-19>. |
| Author's Address | Author's Address |
| Denis Bider | Denis Bider |
| Bitvise Limited | Bitvise Limited |
| Suites 41/42, Victoria House | Suites 41/42, Victoria House |
| End of changes. 10 change blocks. | |
| 14 lines changed or deleted | 13 lines changed or added |

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
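The encode-then-compare verification that Section 5.3 calls for, as an added example that is not part of the draft or of any Bitvise code: it signs and verifies an SSH "rsa-sha2-256" signature value (string algorithm name, string signature blob of exactly the modulus length) with RSASSA-PKCS1-v1_5 over SHA-256 using only the Python standard library. The key is constructed from two Mersenne primes purely so the example runs offline, and the function names are mine.

```python
import hashlib
import hmac
import struct

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, Section 9.2, Note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two Mersenne primes so the example runs with no
# library; trivially factorable, so never use a key built like this.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def emsa_pkcs1_v1_5(message, k):
    # EMSA-PKCS1-v1_5 (RFC 8017, Section 9.2): 00 01 FF..FF 00 || DigestInfo.
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def sign_rsa_sha2_256(message, n, d):
    # SSH signature value: string "rsa-sha2-256", string rsa_signature_blob.
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(message, k), "big")
    blob = pow(em, d, n).to_bytes(k, "big")  # k octets, leading zeros kept
    return ssh_string(b"rsa-sha2-256") + ssh_string(blob)

def verify_rsa_sha2_256(message, sig, n, e):
    # Section 5.3: re-encode the expected hash, THEN compare with the RSA output.
    k = (n.bit_length() + 7) // 8
    if len(sig) < 4:
        return False
    name_len = struct.unpack(">I", sig[:4])[0]
    name, rest = sig[4:4 + name_len], sig[4 + name_len:]
    if name != b"rsa-sha2-256" or len(rest) < 4:
        return False
    blob_len = struct.unpack(">I", rest[:4])[0]
    blob = rest[4:]
    if blob_len != k or len(blob) != k:  # exact modulus length, nothing trailing
        return False
    s = int.from_bytes(blob, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Constant-time compare of the whole encoded block; nothing is parsed out of
    # 'recovered', so a malformed padding layout can never be accepted.
    return hmac.compare_digest(recovered, emsa_pkcs1_v1_5(message, k))
```

In SSH the signed message is the session identifier followed by the SSH_MSG_USERAUTH_REQUEST fields; the test below uses a constructed byte string in its place.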