Deprecating RC4 in Secure Shell (SSH)

Deprecating RC4 in Secure Shell (SSH) cyberstorm.mu


          Mauritius


        
        logan@cyberstorm.mu


    
    Security
    curdle
    
      This document deprecates RC4 in Secure Shell (SSH).  Therefore, this
   document formally moves RFC 4345 to Historic status.
      
    
    
      
        Status of This Memo
        
            This memo documents an Internet Best Current Practice.
        
        
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further information
            on BCPs is available in Section 2 of RFC 7841.
        
        
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            .
        
      
      
        Copyright Notice
        
            Copyright (c) 2020 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        
        
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            () in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.
        
      
    
    
      
        Table of Contents
        
          
            .  Introduction
            
              
                .  Requirements Language
              
            
          
          
            .  Updates to RFC 4253
          
          
            .  IANA Considerations
          
          
            .  Security Considerations
          
          
            .  References
            
              
                .  Normative References
              
              
                .  Informative References
              
            
          
          
            Acknowledgements
          
          
            Author's Address


  
    
      Introduction
      The usage of RC4 suites (also designated as "arcfour") for SSH is
      specified in  and . 
      specifies the allocation of the "arcfour" cipher for SSH.  specifies and allocates
     the "arcfour128" and "arcfour256" ciphers for SSH. 
     RC4 encryption has known weaknesses  ; therefore,
     this document starts the deprecation process for their use in Secure Shell
     (SSH) . Accordingly,  is 
     updated to note the deprecation of the RC4 ciphers, and  is moved to Historic status, as all ciphers
      it specifies MUST NOT be used.  
      
        Requirements Language
        
    The key words "MUST", "MUST NOT",
    "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
    "RECOMMENDED", "NOT RECOMMENDED",
    "MAY", and "OPTIONAL" in this document are
    to be interpreted as described in BCP 14 
           
    when, and only when, they appear in all capitals, as shown here.
        
      
    
    
      Updates to RFC 4253
      
 is updated to prohibit arcfour's use in SSH.
 allocates the
"arcfour" cipher by defining a list of defined ciphers in which the "arcfour"
cipher appears as optional, as shown in .

      
        
          
            arcfour
            
              OPTIONAL
            the ARCFOUR stream cipher with a 128-bit key
          
        
      
      
This document updates the status of the "arcfour" ciphers in the list
found in  by moving it
from OPTIONAL to MUST NOT. 

      
        
          
             arcfour 
            
              MUST NOT 
             the ARCFOUR stream cipher with a 128-bit key
          
        
      
      
 defines the "arcfour" ciphers with
the following text: 

      
   The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys. The
   Arcfour cipher is believed to be compatible with the RC4 cipher .  Arcfour (and RC4) has problems with weak keys, and
   should be used with caution.
      
This document updates  by replacing the text above with the following text:

      
  The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys.
   The Arcfour cipher is compatible with the RC4 cipher
   .  Arcfour (and RC4) has known weaknesses   and
   MUST NOT be used.

    
    
      IANA Considerations
      The IANA has updated the "Encryption Algorithm Names"
      subregistry in the "Secure Shell (SSH) Protocol Parameters" registry . The registration procedure is IETF
      review, which is achieved by this document. The registry has been
      updated as follows:
      
        
          
            Encryption Algorithm Name
            Reference
            Note
          
        
        
          
            arcfour
            RFC 8758
            HISTORIC
          
          
            arcfour128 
            RFC 8758
            HISTORIC
          
          
            arcfour256 
            RFC 8758
            HISTORIC
          
        
      
    
    
      Security Considerations
      This document only prohibits the use of RC4 in SSH; it introduces no
   new security considerations.
    
  
  
    
      References
      
        Normative References
        
          
            Key words for use in RFCs to Indicate Requirement Levels
            
              
            
            
            
              In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
            
          
          
          
          
        
        
          
            Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
            
              
            
            
            
              RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.
            
          
          
          
          
        
      
      
        Informative References
        
          
            Secure Shell (SSH) Protocol Parameters
            
          
        
        
          
            The Secure Shell (SSH) Transport Layer Protocol
            
              
            
            
              
            
            
            
              The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network.
              This document describes the SSH transport layer protocol, which typically runs on top of TCP/IP.  The protocol can be used as a basis for a number of secure network services.  It provides strong encryption, server authentication, and integrity protection.  It may also provide compression.
              Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.
              This document also describes the Diffie-Hellman key exchange method and the minimal set of algorithms that are needed to implement the SSH transport layer protocol.  [STANDARDS-TRACK]
            
          
          
          
        
        
          
            Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
            
              
            
            
            
              This document specifies methods of using the Arcfour cipher in the Secure Shell (SSH) protocol that mitigate the weakness of the cipher's key-scheduling algorithm.  [STANDARDS-TRACK]
            
          
          
          
        
        
          
            Prohibiting RC4 Cipher Suites
            
              
            
            
            
              This document requires that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections.  This applies to all TLS versions.  This document updates RFCs 5246, 4346, and 2246.
            
          
          
          
        
        
          
            Deprecate Triple-DES (3DES) and RC4 in Kerberos
            
              
            
            
              
            
            
            
              The triple-DES (3DES) and RC4 encryption types are steadily weakening in cryptographic strength, and the deprecation process should begin for their use in Kerberos.  Accordingly, RFC 4757 has been moved to Historic status, as none of the encryption types it specifies should be used, and RFC 3961 has been updated to note the deprecation of the triple-DES encryption types.  RFC 4120 is likewise updated to remove the recommendation to implement triple-DES encryption and checksum types.
            
          
          
          
          
        
        
          
            Applied Cryptography Second Edition: Protocols, Algorithms, and Source in Code in C
            
            
              
            
            
          
        
      
    
    
      Acknowledgements
      The author would like to thank ,
      , and .
    
    
      Author's Address
      
        cyberstorm.mu
        
          
            
            
            
            
            Mauritius
          
          
          logan@cyberstorm.mu

Encryption Algorithm Name	Reference	Note
arcfour	RFC 8758	HISTORIC
arcfour128	RFC 8758	HISTORIC
arcfour256	RFC 8758	HISTORIC