Generic Security Service Application
Program Interface (GSS-API) Key Exchange with SHA-2
Red Hat, Inc.
140 Broadway, 24th Floor
New York
NY
10025
United States of America
simo@redhat.com
Red Hat, Inc.
Purkynova 115
Brno
612 00
Czech Republic
hkario@redhat.com
Security
Internet Engineering Task Force
SSH
This document specifies additions and amendments to RFC 4462.
It defines a new key exchange method that uses SHA-2 for integrity and
deprecates weak Diffie-Hellman (DH) groups. The purpose of this specification is to
modernize the cryptographic primitives used by Generic Security Service (GSS) key exchanges.
Introduction
Secure Shell (SSH) Generic Security Service Application Program Interface (GSS-API)
methods
allow the use of GSS-API
for authentication and key exchange
in SSH. defines three exchange methods all based on DH groups and
SHA-1. This document updates with new methods intended to support
environments that desire to use the SHA-2 cryptographic hash functions.
Rationale
Due to security concerns with SHA-1 and with modular exponentiation (MODP) groups with less than 2048 bits ,
we propose the use of hashes based on SHA-2
with DH group14, group15,
group16, group17, and group18 . Additionally, we
add support for key exchange based on Elliptic Curve Diffie-Hellman with
the NIST P-256, P-384, and P-521 , as well as the
X25519 and X448 curves.
Following the practice of , only SHA-256 and
SHA-512 hashes are used for DH groups. For NIST curves, the same
curve-to-hashing algorithm pairing used in is
adopted for consistency.
Document Conventions
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
New Diffie-Hellman Key Exchange Methods
This document adopts the same naming convention defined in to define families of methods that
cover any
GSS-API mechanism used with a specific Diffie-Hellman group and
SHA-2 hash combination.
New Key Exchange Algorithms
Key Exchange Method Name |
Implementation Recommendations |
gss-group14-sha256-* |
SHOULD/RECOMMENDED |
gss-group15-sha512-* |
MAY/OPTIONAL |
gss-group16-sha512-* |
SHOULD/RECOMMENDED |
gss-group17-sha512-* |
MAY/OPTIONAL |
gss-group18-sha512-* |
MAY/OPTIONAL |
Each key exchange method prefix is registered by this document.
The IESG is the change controller of all these key exchange methods;
this does NOT imply that the IESG is considered to be in control of
the corresponding GSS-API mechanism.
Each method in any family of methods ()
specifies GSS-API-authenticated Diffie-Hellman key exchanges as
described in . The method name for each method () is the
concatenation of the family name prefix with the base64 encoding of
the MD5 hash of the ASN.1 DER encoding
of the corresponding GSS-API
mechanism's OID. Base64 encoding is described in
.
Family Method References
Family Name Prefix |
Hash Function |
Group |
Reference |
gss-group14-sha256- |
SHA-256 |
2048-bit MODP |
|
gss-group15-sha512- |
SHA-512 |
3072-bit MODP |
|
gss-group16-sha512- |
SHA-512 |
4096-bit MODP |
|
gss-group17-sha512- |
SHA-512 |
6144-bit MODP |
|
gss-group18-sha512- |
SHA-512 |
8192-bit MODP |
|
New Elliptic Curve Diffie-Hellman Key Exchange Methods
In , new SSH key exchange algorithms based on
elliptic curve cryptography are introduced. We reuse much of
to define GSS-API-authenticated Elliptic Curve Diffie-Hellman (ECDH) key exchanges.
Additionally, we also utilize the curves defined in to complement the three classic
NIST-defined curves required by .
Generic GSS-API Key Exchange with ECDH
This section reuses much of the scheme defined in
and combines it with the scheme defined in
; in particular, all checks and
verification steps prescribed in
apply
here as well.
The key-agreement schemes "ECDHE-Curve25519" and "ECDHE-Curve448" perform
the Diffie-Hellman protocol using the functions X25519 and X448,
respectively. Implementations MUST compute these functions using
the algorithms described in . When they do
so, implementations MUST check whether the computed Diffie-Hellman
shared secret is the all-zero value and abort if so, as described in
. Alternative implementations of these functions
SHOULD abort when either the client or the server input
forces the shared secret to one of a small set of values, as
described in Sections and of .
This section defers to as the source of
information on GSS-API context establishment operations, Section
being the most relevant. All security considerations described in
apply here, too.
The parties each generate an ephemeral key pair, according to
Section 3.2.1 of
. Keys are verified upon
receipt by the parties according to Section 3.2.3.1 of
.
For NIST curves, the keys use the uncompressed point representation
and MUST be converted using the algorithm in Section 2.3.4 of
. If the conversion fails or the point is
transmitted using the compressed representation, the key exchange MUST
fail.
A GSS context is established according to
; the client initiates the establishment
using GSS_Init_sec_context(), and the server responds to it using
GSS_Accept_sec_context(). For the negotiation, the client MUST set
mutual_req_flag and integ_req_flag to "true". In addition,
deleg_req_flag MAY be set to "true" to request access delegation, if
requested by the user. Since the key exchange process authenticates
only the host, the setting of anon_req_flag is immaterial to this
process. If the client does not support the "gssapi-keyex" user
authentication method described in
, or does not intend to use that method in
conjunction with the GSS-API context established during key exchange,
then anon_req_flag SHOULD be set to "true". Otherwise,
this flag MAY
be set to "true" if the client wishes to hide its identity.
This key exchange process will exchange only a single message token
once the context has been established; therefore, the
replay_det_req_flag and sequence_req_flag SHOULD be set to "false".
The client MUST include its public key with the first message it
sends to the server during this process; if the server receives
more than one key or none at all, the key exchange MUST fail.
During GSS context establishment, multiple tokens may be exchanged
by the client and the server. When the GSS context is established
(major_status is GSS_S_COMPLETE), the parties check that
mutual_state and integ_avail are both "true". If not, the key
exchange MUST fail.
Once a party receives the peer's public key, it proceeds to compute
a shared secret K. For NIST curves, the computation is done according
to Section 3.3.1 of , and the resulting value
z is converted to the octet string K using the conversion defined
in Section 2.3.5 of . For curve25519 and
curve448, the algorithms in are
used instead.
To verify the integrity of the handshake, peers use the hash
function defined by the selected key exchange method to calculate H:
H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K).
The server uses the GSS_GetMIC() call with H as the payload
to generate a Message Integrity Code (MIC).
The GSS_VerifyMIC() call is used by the client to
verify the MIC.
If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns
a major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or
any other GSS-API call returns a major_status other than
GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations
expressed in are followed with
regard to error reporting.
The following is an overview of the key exchange process:
Verifies received key.
(Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY
(Loop)
| Calls GSS_Accept_sec_context().
| <------------ SSH_MSG_KEXGSS_CONTINUE
| Calls GSS_Init_sec_context().
| SSH_MSG_KEXGSS_CONTINUE ------------>
Calls GSS_Accept_sec_context().
Generates ephemeral key pair.
Computes shared secret.
Computes hash H.
Calls GSS_GetMIC( H ) = MIC.
<------------ SSH_MSG_KEXGSS_COMPLETE
Verifies received key.
Computes shared secret.
Computes hash H.
Calls GSS_VerifyMIC( MIC, H ).]]>
This is implemented with the following messages:
The client sends:
byte SSH_MSG_KEXGSS_INIT
string output_token (from GSS_Init_sec_context())
string Q_C, client's ephemeral public key octet string
The server may respond with:
byte SSH_MSG_KEXGSS_HOSTKEY
string server public host key and certificates (K_S)
The server sends:
byte SSH_MSG_KEXGSS_CONTINUE
string output_token (from GSS_Accept_sec_context())
Each time the client receives the message described above, it makes
another call to GSS_Init_sec_context().
The client sends:
byte SSH_MSG_KEXGSS_CONTINUE
string output_token (from GSS_Init_sec_context())
As the final message, the server sends the following if an
output_token is produced:
byte SSH_MSG_KEXGSS_COMPLETE
string Q_S, server's ephemeral public key octet string
string mic_token (MIC of H)
boolean TRUE
string output_token (from GSS_Accept_sec_context())
If no output_token is produced, the server sends:
byte SSH_MSG_KEXGSS_COMPLETE
string Q_S, server's ephemeral public key octet string
string mic_token (MIC of H)
boolean FALSE
The hash H is computed as the HASH hash of the
concatenation of the following:
string V_C, the client's version string (CR, NL excluded)
string V_S, server's version string (CR, NL excluded)
string I_C, payload of the client's SSH_MSG_KEXINIT
string I_S, payload of the server's SSH_MSG_KEXINIT
string K_S, server's public host key
string Q_C, client's ephemeral public key octet string
string Q_S, server's ephemeral public key octet string
mpint K, shared secret
This value is called the "exchange hash", and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept
secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the
server or received by the client, then the empty string is used in
place of K_S when computing the exchange hash.
Since this key exchange method does not require the host key to
be used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY
message is OPTIONAL. If the "null" host key algorithm described in
is used, this message MUST
NOT be sent.
If the client receives an SSH_MSG_KEXGSS_CONTINUE message after
a call to GSS_Init_sec_context() has returned a major_status code
of GSS_S_COMPLETE, a protocol error has occurred, and the key
exchange MUST fail.
If the client receives an SSH_MSG_KEXGSS_COMPLETE message and a
call to GSS_Init_sec_context() does not result in a major_status
code of GSS_S_COMPLETE, a protocol error has occurred, and the key
exchange MUST fail.
ECDH Key Exchange Methods
New Key Exchange Methods
Key Exchange Method Name |
Implementation Recommendations |
gss-nistp256-sha256-* |
SHOULD/RECOMMENDED |
gss-nistp384-sha384-* |
MAY/OPTIONAL |
gss-nistp521-sha512-* |
MAY/OPTIONAL |
gss-curve25519-sha256-* |
SHOULD/RECOMMENDED |
gss-curve448-sha512-* |
MAY/OPTIONAL |
Each key exchange method prefix is registered by this document.
The IESG is the change controller of all these key exchange methods;
this does NOT imply that the IESG is considered to be in control of
the corresponding GSS-API mechanism.
Each method in any family of methods ()
specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key
exchanges as described in . The method name for each method () is the
concatenation of the family method name with the base64 encoding of
the MD5 hash of the ASN.1 DER encoding
of the corresponding GSS-API
mechanism's OID. Base64 encoding is described in
.
Family Method References
Family Name Prefix |
Hash Function |
Parameters / Function Name |
Definition |
gss-nistp256-sha256- |
SHA-256 |
secp256r1 |
Section 2.4.2 of |
gss-nistp384-sha384- |
SHA-384 |
secp384r1 |
Section 2.5.1 of |
gss-nistp521-sha512- |
SHA-512 |
secp521r1 |
Section 2.6.1 of |
gss-curve25519-sha256- |
SHA-256 |
X22519 |
|
gss-curve448-sha512- |
SHA-512 |
X448 |
|
Deprecated Algorithms
Because they have small key lengths and are no longer strong in
the face of brute-force attacks, the algorithms in the following
table are considered deprecated and SHOULD NOT be used.
Deprecated Algorithms
Key Exchange Method Name |
Implementation Recommendations |
gss-group1-sha1-* |
SHOULD NOT |
gss-group14-sha1-* |
SHOULD NOT |
gss-gex-sha1-* |
SHOULD NOT |
IANA Considerations
This document augments the SSH key exchange message names
that were defined in (see and ); IANA has listed this
document as reference for those entries in the "SSH Protocol Parameters" registry.
In addition, IANA has updated the registry to include the SSH key
exchange message names described in Sections and
.
Additions/Changes to the Key Exchange Method Names Registry
Key Exchange Method Name |
Reference |
gss-group1-sha1-* |
RFC 8732 |
gss-group14-sha1-* |
RFC 8732 |
gss-gex-sha1-* |
RFC 8732 |
gss-group14-sha256-* |
RFC 8732 |
gss-group15-sha512-* |
RFC 8732 |
gss-group16-sha512-* |
RFC 8732 |
gss-group17-sha512-* |
RFC 8732 |
gss-group18-sha512-* |
RFC 8732 |
gss-nistp256-sha256-* |
RFC 8732 |
gss-nistp384-sha384-* |
RFC 8732 |
gss-nistp521-sha512-* |
RFC 8732 |
gss-curve25519-sha256-* |
RFC 8732 |
gss-curve448-sha512-* |
RFC 8732 |
Security Considerations
New Finite Field DH Mechanisms
Except for the use of a different secure hash function and larger
DH groups, no significant changes have been made to the protocol
described by ; therefore, all the original
security considerations apply.
New Elliptic Curve DH Mechanisms
Although a new cryptographic primitive is used with these methods,
the actual key exchange closely follows the key exchange defined in
; therefore, all the original security
considerations, as well as those expressed in ,
apply.
GSS-API Delegation
Some GSS-API mechanisms can act on a request to delegate credentials
to the target host when the deleg_req_flag is set. In this case, extra
care must be taken to ensure that the acceptor being authenticated
matches the target the user intended. Some mechanism implementations
(such as commonly used krb5 libraries) may use insecure DNS resolution to
canonicalize the target name; in these cases, spoofing a DNS response
that points to an attacker-controlled machine may result in the user
silently delegating credentials to the attacker, who can then
impersonate the user at will.
References
Normative References
Secure Shell (SSH) Key Exchange Method Using Curve25519 and
Curve448
SEC 1: Elliptic Curve Cryptography
Standards for Efficient Cryptography Group
SEC 2: Recommended Elliptic Curve Domain Parameters
Standards for Elliptic Cryptography Group
Informative References
Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding
Rules (DER)
ITU-T
Transitioning of the Use of Cryptographic Algorithms and Key Lengths
National Institute of Standards and Technology
Secure Shell (SSH) Protocol Parameters: Key Exchange Method Names
IANA