Red Hat, Inc.

140 Broadway, 24th Floor New York NY 10025 United States of America simo@redhat.com

Red Hat, Inc.

Purkynova 115 Brno 612 00 Czech Republic hkario@redhat.com

Security Internet Engineering Task Force SSH This document specifies additions and amendments to RFC 4462. It defines a new key exchange method that uses SHA-2 for integrity and deprecates weak Diffie-Hellman (DH) groups. The purpose of this specification is to modernize the cryptographic primitives used by Generic Security Service (GSS) key exchanges.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

• .  Introduction
• .  Rationale
• .  Document Conventions
• .  New Diffie-Hellman Key Exchange Methods
• .  New Elliptic Curve Diffie-Hellman Key Exchange Methods
  • .  Generic GSS-API Key Exchange with ECDH
  • .  ECDH Key Exchange Methods
• .  Deprecated Algorithms
• .  IANA Considerations
• .  Security Considerations
  • .  New Finite Field DH Mechanisms
  • .  New Elliptic Curve DH Mechanisms
  • .  GSS-API Delegation
• .  References
  • .  Normative References
  • .  Informative References
• Authors' Addresses

Introduction Secure Shell (SSH) Generic Security Service Application Program Interface (GSS-API) methods allow the use of GSS-API for authentication and key exchange in SSH. defines three exchange methods all based on DH groups and SHA-1. This document updates with new methods intended to support environments that desire to use the SHA-2 cryptographic hash functions.

Rationale Due to security concerns with SHA-1 and with modular exponentiation (MODP) groups with less than 2048 bits , we propose the use of hashes based on SHA-2 with DH group14, group15, group16, group17, and group18 . Additionally, we add support for key exchange based on Elliptic Curve Diffie-Hellman with the NIST P-256, P-384, and P-521 , as well as the X25519 and X448 curves. Following the practice of , only SHA-256 and SHA-512 hashes are used for DH groups. For NIST curves, the same curve-to-hashing algorithm pairing used in is adopted for consistency.

Document Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

New Diffie-Hellman Key Exchange Methods This document adopts the same naming convention defined in to define families of methods that cover any GSS-API mechanism used with a specific Diffie-Hellman group and SHA-2 hash combination. New Key Exchange Algorithms

Key Exchange Method Name	Implementation Recommendations
gss-group14-sha256-*	SHOULD/RECOMMENDED
gss-group15-sha512-*	MAY/OPTIONAL
gss-group16-sha512-*	SHOULD/RECOMMENDED
gss-group17-sha512-*	MAY/OPTIONAL
gss-group18-sha512-*	MAY/OPTIONAL

Each key exchange method prefix is registered by this document. The IESG is the change controller of all these key exchange methods; this does NOT imply that the IESG is considered to be in control of the corresponding GSS-API mechanism. Each method in any family of methods () specifies GSS-API-authenticated Diffie-Hellman key exchanges as described in . The method name for each method () is the concatenation of the family name prefix with the base64 encoding of the MD5 hash of the ASN.1 DER encoding of the corresponding GSS-API mechanism's OID. Base64 encoding is described in . Family Method References

Family Name Prefix	Hash Function	Group	Reference
gss-group14-sha256-	SHA-256	2048-bit MODP
gss-group15-sha512-	SHA-512	3072-bit MODP
gss-group16-sha512-	SHA-512	4096-bit MODP
gss-group17-sha512-	SHA-512	6144-bit MODP
gss-group18-sha512-	SHA-512	8192-bit MODP

New Elliptic Curve Diffie-Hellman Key Exchange Methods In , new SSH key exchange algorithms based on elliptic curve cryptography are introduced. We reuse much of to define GSS-API-authenticated Elliptic Curve Diffie-Hellman (ECDH) key exchanges. Additionally, we also utilize the curves defined in to complement the three classic NIST-defined curves required by .

Generic GSS-API Key Exchange with ECDH This section reuses much of the scheme defined in and combines it with the scheme defined in ; in particular, all checks and verification steps prescribed in apply here as well. The key-agreement schemes "ECDHE-Curve25519" and "ECDHE-Curve448" perform the Diffie-Hellman protocol using the functions X25519 and X448, respectively. Implementations MUST compute these functions using the algorithms described in . When they do so, implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in . Alternative implementations of these functions SHOULD abort when either the client or the server input forces the shared secret to one of a small set of values, as described in Sections and of . This section defers to as the source of information on GSS-API context establishment operations, Section being the most relevant. All security considerations described in apply here, too. The parties each generate an ephemeral key pair, according to Section 3.2.1 of . Keys are verified upon receipt by the parties according to Section 3.2.3.1 of . For NIST curves, the keys use the uncompressed point representation and MUST be converted using the algorithm in Section 2.3.4 of . If the conversion fails or the point is transmitted using the compressed representation, the key exchange MUST fail. A GSS context is established according to ; the client initiates the establishment using GSS_Init_sec_context(), and the server responds to it using GSS_Accept_sec_context(). For the negotiation, the client MUST set mutual_req_flag and integ_req_flag to "true". In addition, deleg_req_flag MAY be set to "true" to request access delegation, if requested by the user. Since the key exchange process authenticates only the host, the setting of anon_req_flag is immaterial to this process. If the client does not support the "gssapi-keyex" user authentication method described in , or does not intend to use that method in conjunction with the GSS-API context established during key exchange, then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY be set to "true" if the client wishes to hide its identity. This key exchange process will exchange only a single message token once the context has been established; therefore, the replay_det_req_flag and sequence_req_flag SHOULD be set to "false". The client MUST include its public key with the first message it sends to the server during this process; if the server receives more than one key or none at all, the key exchange MUST fail. During GSS context establishment, multiple tokens may be exchanged by the client and the server. When the GSS context is established (major_status is GSS_S_COMPLETE), the parties check that mutual_state and integ_avail are both "true". If not, the key exchange MUST fail. Once a party receives the peer's public key, it proceeds to compute a shared secret K. For NIST curves, the computation is done according to Section 3.3.1 of , and the resulting value z is converted to the octet string K using the conversion defined in Section 2.3.5 of . For curve25519 and curve448, the algorithms in are used instead. To verify the integrity of the handshake, peers use the hash function defined by the selected key exchange method to calculate H: H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). The server uses the GSS_GetMIC() call with H as the payload to generate a Message Integrity Code (MIC). The GSS_VerifyMIC() call is used by the client to verify the MIC. If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a major_status other than GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations expressed in are followed with regard to error reporting. The following is an overview of the key exchange process: Client Server ------ ------ Generates ephemeral key pair. Calls GSS_Init_sec_context(). SSH_MSG_KEXGSS_INIT ---------------> Verifies received key. (Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY (Loop) | Calls GSS_Accept_sec_context(). | <------------ SSH_MSG_KEXGSS_CONTINUE | Calls GSS_Init_sec_context(). | SSH_MSG_KEXGSS_CONTINUE ------------> Calls GSS_Accept_sec_context(). Generates ephemeral key pair. Computes shared secret. Computes hash H. Calls GSS_GetMIC( H ) = MIC. <------------ SSH_MSG_KEXGSS_COMPLETE Verifies received key. Computes shared secret. Computes hash H. Calls GSS_VerifyMIC( MIC, H ). This is implemented with the following messages: The client sends: byte SSH_MSG_KEXGSS_INIT string output_token (from GSS_Init_sec_context()) string Q_C, client's ephemeral public key octet string The server may respond with: byte SSH_MSG_KEXGSS_HOSTKEY string server public host key and certificates (K_S) The server sends: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Accept_sec_context()) Each time the client receives the message described above, it makes another call to GSS_Init_sec_context(). The client sends: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Init_sec_context()) As the final message, the server sends the following if an output_token is produced: byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean TRUE string output_token (from GSS_Accept_sec_context()) If no output_token is produced, the server sends: byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key octet string string mic_token (MIC of H) boolean FALSE The hash H is computed as the HASH hash of the concatenation of the following: string V_C, the client's version string (CR, NL excluded) string V_S, server's version string (CR, NL excluded) string I_C, payload of the client's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT string K_S, server's public host key string Q_C, client's ephemeral public key octet string string Q_S, server's ephemeral public key octet string mpint K, shared secret This value is called the "exchange hash", and it is used to authenticate the key exchange. The exchange hash SHOULD be kept secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the server or received by the client, then the empty string is used in place of K_S when computing the exchange hash. Since this key exchange method does not require the host key to be used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY message is OPTIONAL. If the "null" host key algorithm described in is used, this message MUST NOT be sent. If the client receives an SSH_MSG_KEXGSS_CONTINUE message after a call to GSS_Init_sec_context() has returned a major_status code of GSS_S_COMPLETE, a protocol error has occurred, and the key exchange MUST fail. If the client receives an SSH_MSG_KEXGSS_COMPLETE message and a call to GSS_Init_sec_context() does not result in a major_status code of GSS_S_COMPLETE, a protocol error has occurred, and the key exchange MUST fail.

ECDH Key Exchange Methods New Key Exchange Methods

Key Exchange Method Name	Implementation Recommendations
gss-nistp256-sha256-*	SHOULD/RECOMMENDED
gss-nistp384-sha384-*	MAY/OPTIONAL
gss-nistp521-sha512-*	MAY/OPTIONAL
gss-curve25519-sha256-*	SHOULD/RECOMMENDED
gss-curve448-sha512-*	MAY/OPTIONAL

Each key exchange method prefix is registered by this document. The IESG is the change controller of all these key exchange methods; this does NOT imply that the IESG is considered to be in control of the corresponding GSS-API mechanism. Each method in any family of methods () specifies GSS-API-authenticated Elliptic Curve Diffie-Hellman key exchanges as described in . The method name for each method () is the concatenation of the family method name with the base64 encoding of the MD5 hash of the ASN.1 DER encoding of the corresponding GSS-API mechanism's OID. Base64 encoding is described in . Family Method References

Family Name Prefix	Hash Function	Parameters / Function Name	Definition
gss-nistp256-sha256-	SHA-256	secp256r1	Section 2.4.2 of
gss-nistp384-sha384-	SHA-384	secp384r1	Section 2.5.1 of
gss-nistp521-sha512-	SHA-512	secp521r1	Section 2.6.1 of
gss-curve25519-sha256-	SHA-256	X22519
gss-curve448-sha512-	SHA-512	X448

Deprecated Algorithms Because they have small key lengths and are no longer strong in the face of brute-force attacks, the algorithms in the following table are considered deprecated and SHOULD NOT be used. Deprecated Algorithms

Key Exchange Method Name	Implementation Recommendations
gss-group1-sha1-*	SHOULD NOT
gss-group14-sha1-*	SHOULD NOT
gss-gex-sha1-*	SHOULD NOT

IANA Considerations This document augments the SSH key exchange message names that were defined in (see and ); IANA has listed this document as reference for those entries in the "SSH Protocol Parameters" registry. In addition, IANA has updated the registry to include the SSH key exchange message names described in Sections and . Additions/Changes to the Key Exchange Method Names Registry

Key Exchange Method Name	Reference
gss-group1-sha1-*	RFC 8732
gss-group14-sha1-*	RFC 8732
gss-gex-sha1-*	RFC 8732
gss-group14-sha256-*	RFC 8732
gss-group15-sha512-*	RFC 8732
gss-group16-sha512-*	RFC 8732
gss-group17-sha512-*	RFC 8732
gss-group18-sha512-*	RFC 8732
gss-nistp256-sha256-*	RFC 8732
gss-nistp384-sha384-*	RFC 8732
gss-nistp521-sha512-*	RFC 8732
gss-curve25519-sha256-*	RFC 8732
gss-curve448-sha512-*	RFC 8732

Security Considerations

New Finite Field DH Mechanisms Except for the use of a different secure hash function and larger DH groups, no significant changes have been made to the protocol described by ; therefore, all the original security considerations apply.

New Elliptic Curve DH Mechanisms Although a new cryptographic primitive is used with these methods, the actual key exchange closely follows the key exchange defined in ; therefore, all the original security considerations, as well as those expressed in , apply.

GSS-API Delegation Some GSS-API mechanisms can act on a request to delegate credentials to the target host when the deleg_req_flag is set. In this case, extra care must be taken to ensure that the acceptor being authenticated matches the target the user intended. Some mechanism implementations (such as commonly used krb5 libraries) may use insecure DNS resolution to canonicalize the target name; in these cases, spoofing a DNS response that points to an attacker-controlled machine may result in the user silently delegating credentials to the attacker, who can then impersonate the user at will.

References Normative References This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This memo obsoletes [STANDARDS-TRACK] This document defines new Modular Exponential (MODP) Groups for the Internet Key Exchange (IKE) protocol. It documents the well known and used 1536 bit group 5, and also defines new 2048, 3072, 4096, 6144, and 8192 bit Diffie-Hellman groups numbered starting at 14. The selection of the primes for theses groups follows the criteria established by Richard Schroeppel. [STANDARDS-TRACK] The Secure Shell protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. The Generic Security Service Application Program Interface (GSS-API) provides security services to callers in a mechanism-independent fashion. This memo describes methods for using the GSS-API for authentication and key exchange in SSH. It defines an SSH user authentication method that uses a specified GSS-API mechanism to authenticate a user, and a family of SSH key exchange methods that use GSS-API to authenticate a Diffie-Hellman key exchange. This memo also defines a new host public key algorithm that can be used when no operations are needed using a host's public key, and a new user authentication method that allows an authorization name to be used in conjunction with any authentication that has already occurred as a side-effect of GSS-API-based key exchange. [STANDARDS-TRACK] This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] This document describes algorithms based on Elliptic Curve Cryptography (ECC) for use within the Secure Shell (SSH) transport protocol. In particular, it specifies Elliptic Curve Diffie-Hellman (ECDH) key agreement, Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for use in the SSH Transport Layer protocol. [STANDARDS-TRACK] This document specifies the generic structure of the negotiation loop to establish a Generic Security Service (GSS) security context between initiator and acceptor. The control flow of the loop is indicated for both parties, including error conditions, and indications are given for where application-specific behavior must be specified. This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Standards for Efficient Cryptography Group Standards for Elliptic Cryptography Group Informative References IANA ITU-T National Institute of Standards and Technology This document includes security considerations for the SHA-0 and SHA-1 message digest algorithm. This document is not an Internet Standards Track specification; it is published for informational purposes. Federal Information Processing Standard, FIPS This document defines added Modular Exponentiation (MODP) groups for the Secure Shell (SSH) protocol using SHA-2 hashes. This document updates RFC 4250. This document updates RFC 4253 by correcting an error regarding checking the Peer's DH Public Key.

Authors' Addresses Red Hat, Inc.

140 Broadway, 24th Floor New York NY 10025 United States of America simo@redhat.com

Red Hat, Inc.

Purkynova 115 Brno 612 00 Czech Republic hkario@redhat.com