| draft-ietf-curdle-rsa-sha2-08.txt | draft-ietf-curdle-rsa-sha2-09.txt | |||
|---|---|---|---|---|
| Internet-Draft D. Bider | Internet-Draft D. Bider | |||
| Updates: 4252, 4253 (if approved) Bitvise Limited | Updates: 4252, 4253 (if approved) Bitvise Limited | |||
| Intended status: Standards Track May 30, 2017 | Intended status: Standards Track June 19, 2017 | |||
| Expires: November 30, 2017 | Expires: December 19, 2017 | |||
| Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) | Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH) | |||
| draft-ietf-curdle-rsa-sha2-08.txt | draft-ietf-curdle-rsa-sha2-09.txt | |||
| Abstract | Abstract | |||
| This memo updates RFC 4252 and RFC 4253 to define new public key | This memo updates RFC 4252 and RFC 4253 to define new public key | |||
| algorithms for use of RSA keys with SHA-2 hashing for server and | algorithms for use of RSA keys with SHA-2 hashing for server and | |||
| client authentication in SSH connections. | client authentication in SSH connections. | |||
| Status | Status | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 3, line 33 ¶ | skipping to change at page 3, line 33 ¶ | |||
| string "ssh-rsa" | string "ssh-rsa" | |||
| mpint e | mpint e | |||
| mpint n | mpint n | |||
| All aspects of the "ssh-rsa" format are kept, including the encoded | All aspects of the "ssh-rsa" format are kept, including the encoded | |||
| string "ssh-rsa". This allows existing RSA keys to be used with the | string "ssh-rsa". This allows existing RSA keys to be used with the | |||
| new public key algorithms, without requiring re-encoding, or affecting | new public key algorithms, without requiring re-encoding, or affecting | |||
| already trusted key fingerprints. | already trusted key fingerprints. | |||
| Signing and verifying using these algorithms is performed according to | Signing and verifying using these algorithms is performed according to | |||
| the RSASSA-PKCS1-v1_5 scheme in [RFC8017] using SHA-2 [SHS] as hash; | the RSASSA-PKCS1-v1_5 scheme in [RFC8017] using SHA-2 [SHS] as hash. | |||
| MGF1 as mask function; and salt length equal to hash size. | ||||
| For the algorithm "rsa-sha2-256", the hash used is SHA-2 256. | For the algorithm "rsa-sha2-256", the hash used is SHA-2 256. | |||
| For the algorithm "rsa-sha2-512", the hash used is SHA-2 512. | For the algorithm "rsa-sha2-512", the hash used is SHA-2 512. | |||
| The resulting signature is encoded as follows: | The resulting signature is encoded as follows: | |||
| string "rsa-sha2-256" / "rsa-sha2-512" | string "rsa-sha2-256" / "rsa-sha2-512" | |||
| string rsa_signature_blob | string rsa_signature_blob | |||
| The value for 'rsa_signature_blob' is encoded as a string containing | The value for 'rsa_signature_blob' is encoded as a string containing | |||
| skipping to change at page 6, line 17 ¶ | skipping to change at page 6, line 17 ¶ | |||
| This document prescribes RSASSA-PKCS1-v1_5 signature padding because: | This document prescribes RSASSA-PKCS1-v1_5 signature padding because: | |||
| (1) RSASSA-PSS is not universally available to all implementations; | (1) RSASSA-PSS is not universally available to all implementations; | |||
| (2) PKCS#1 v1.5 is widely supported in existing SSH implementations; | (2) PKCS#1 v1.5 is widely supported in existing SSH implementations; | |||
| (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme. | (3) PKCS#1 v1.5 is not known to be insecure for use in this scheme. | |||
| Implementers are advised that a signature with PKCS#1 v1.5 padding | Implementers are advised that a signature with PKCS#1 v1.5 padding | |||
| MUST NOT be verified by applying the RSA key to the signature, and | MUST NOT be verified by applying the RSA key to the signature, and | |||
| then parsing the output to extract the hash. This may give an attacker | then parsing the output to extract the hash. This may give an attacker | |||
| opportunities to exploit flaws in the parsing and vary the encoding. | opportunities to exploit flaws in the parsing and vary the encoding. | |||
| Implementations SHOULD apply PKCS#1 v1.5 padding to the expected hash, | Verifiers MUST instead apply PKCS#1 v1.5 padding to the expected hash, | |||
| THEN compare the encoded bytes with the output of the RSA operation. | then compare the encoded bytes with the output of the RSA operation. | |||
| 6. Why no DSA? | 6. Why no DSA? | |||
| A draft version of this memo also defined an algorithm name for use of | A draft version of this memo also defined an algorithm name for use of | |||
| 2048-bit and 3072-bit DSA keys with a 256-bit subgroup and SHA-2 256 | 2048-bit and 3072-bit DSA keys with a 256-bit subgroup and SHA-2 256 | |||
| hashing. It is possible to implement DSA securely by generating "k" | hashing. It is possible to implement DSA securely by generating "k" | |||
| deterministically as per [RFC6979]. However, a plurality of reviewers | deterministically as per [RFC6979]. However, a plurality of reviewers | |||
| were concerned that implementers would continue to use libraries that | were concerned that implementers would continue to use libraries that | |||
| generate "k" randomly. This is vulnerable to biased "k" generation, | generate "k" randomly. This is vulnerable to biased "k" generation, | |||
| and extremely vulnerable to "k" reuse. This document therefore | and extremely vulnerable to "k" reuse. This document therefore | |||
| skipping to change at page 7, line 46 ¶ | skipping to change at page 7, line 46 ¶ | |||
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital | [RFC6979] Pornin, T., "Deterministic Usage of the Digital | |||
| Signature Algorithm (DSA) and Elliptic Curve Digital | Signature Algorithm (DSA) and Elliptic Curve Digital | |||
| Signature Algorithm (ECDSA)", RFC 6979, August 2013. | Signature Algorithm (ECDSA)", RFC 6979, August 2013. | |||
| [RFC8017] Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A., | [RFC8017] Moriarty, K., Kaliski, B., Jonsson, J. and Rusch, A., | |||
| "PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
| RFC 8017, November 2016. | RFC 8017, November 2016. | |||
| [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)", | [EXT-INFO] Bider, D., "Extension Negotiation in Secure Shell (SSH)", | |||
| draft-ietf-curdle-ssh-ext-info-08.txt, May 2017, | draft-ietf-curdle-ssh-ext-info-10.txt, June 2017, | |||
| <https://tools.ietf.org/html/ | <https://tools.ietf.org/html/ | |||
| draft-ietf-curdle-ssh-ext-info-08>. | draft-ietf-curdle-ssh-ext-info-10>. | |||
| [IANA-PKA] "Secure Shell (SSH) Protocol Parameters", | [IANA-PKA] "Secure Shell (SSH) Protocol Parameters", | |||
| <https://www.iana.org/assignments/ssh-parameters/ | <https://www.iana.org/assignments/ssh-parameters/ | |||
| ssh-parameters.xhtml#ssh-parameters-19>. | ssh-parameters.xhtml#ssh-parameters-19>. | |||
| Author's Address | Author's Address | |||
| Denis Bider | Denis Bider | |||
| Bitvise Limited | Bitvise Limited | |||
| Suites 41/42, Victoria House | Suites 41/42, Victoria House | |||
| End of changes. 6 change blocks. | ||||
| 9 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||