
From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Apr  6 21:38:42 2011
Message-ID: <02351C58882E45F9BE44C62542DE4C5B@element>
From: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
To: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
References: <4D83E810.3030605@vandyke.com>
In-Reply-To: <4D83E810.3030605@vandyke.com>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Wed, 6 Apr 2011 23:40:17 -0400
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Joseph, everyone,

I have just attempted to implement:

hmac-sha256@ssh.com
hmac-sha256-96@ssh.com

I can summarize the current state of this algorithm in one word. Awful.

I tested our implementation with two others: the Tectia client, and 
MindTerm.

In both cases, I needed to use the command line (sftpg3 for Tectia) or 
edit the textual host settings file (for MindTerm) because the graphical 
user interface of both programs has not been updated to support the 
algorithm.

I first assumed that implementations would logically follow the SSH 
transport RFC precedent, and use a 32-byte key for HMAC-256, just like 
there's a 20-byte key for SHA-1, and a 16-byte key for MD5.

Not so. It turns out that the Tectia client implementation initializes 
the hmac-sha256@ssh.com algorithm with a 16-byte HMAC key. The MindTerm 
implementation, on the other hand, uses a 20-byte HMAC key.

So, there's just no way that you can be compatible with both 
implementations of this private algorithm without explicit compatibility 
hacks from the get-go.

I want to implement HMAC-SHA-256 support because clients have requested 
it. The @ssh.com algorithm is apparently broken, and the choice of both 
a 16-byte and a 20-byte key seems dubious.

Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it 
"hmac-sha256", and register it?

Can we agree that this is what we'll do, and implement it?

denis


----- Original Message ----- 
From: "Joseph Galbraith" <galb-list@vandyke.com>
To: <ietf-ssh@NetBSD.org>
Sent: Friday, March 18, 2011 19:17
Subject: SHA-2 based HMAC algorithm...


Is there a SHA-2 based HMAC algorithm specified in any of
the recent extension RFCs?

I looked but didn't see one.

Has anyone implemented such a thing as a @domain.name extension?

Thanks,

Joseph
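
As an added example (not code from this thread, nor from Tectia, MindTerm or Bitvise), the RFC 4253 section 7.2 key derivation with the HMAC key length taken from the negotiated MAC name, showing why the 16-byte, 20-byte and 32-byte keys reported above for one name cannot interoperate; it also carries the derivation through for the 64-byte "hmac-sha2-512" key Mark asks for below, which needs the block-extension step. The sample K and H are constructed, the parenthesised "@ssh.com" labels are not wire names but record the key sizes denis observed, and a 32-byte tag for those variants is assumed.

```python
"""SSH MAC key derivation (RFC 4253 section 7.2) and the interoperability
failure described above: one algorithm name negotiated with different HMAC
key lengths yields different tags for the same packet."""
import hashlib
import hmac
import struct

# name -> (hash function, HMAC key length in bytes, tag length in bytes).
# The RFC 4253 entries are the precedent the post cites (16/20-byte keys);
# "hmac-sha2-256"/"hmac-sha2-512" carry the 32- and 64-byte keys proposed in
# the thread. The two labels in parentheses are NOT wire names: they record
# the key sizes the post reports for Tectia (16) and MindTerm (20) behind
# the single name "hmac-sha256@ssh.com" (32-byte tag assumed for both).
MAC_ALGS = {
    "hmac-md5":                       ("md5",    16, 16),
    "hmac-sha1":                      ("sha1",   20, 20),
    "hmac-sha1-96":                   ("sha1",   20, 12),
    "hmac-sha2-256":                  ("sha256", 32, 32),
    "hmac-sha2-512":                  ("sha512", 64, 64),
    "hmac-sha256@ssh.com (tectia)":   ("sha256", 16, 32),
    "hmac-sha256@ssh.com (mindterm)": ("sha256", 20, 32),
}


def ssh_mpint(k: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5):
    uint32 length, then big-endian bytes with a leading 0x00 when the high
    bit would otherwise be set; zero encodes as an empty string."""
    if k == 0:
        return struct.pack(">I", 0)
    body = k.to_bytes(k.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(body)) + body


def derive_key(kex_hash: str, K: int, H: bytes, session_id: bytes,
               letter: bytes, needed: int) -> bytes:
    """RFC 4253 section 7.2:
         K1 = HASH(K || H || letter || session_id)
         K2 = HASH(K || H || K1)
         K3 = HASH(K || H || K1 || K2) ...
       key = (K1 || K2 || ...) truncated to `needed` bytes.
    letter is b"E" (client-to-server MAC key) or b"F" (server-to-client).
    The MAC algorithm's key length, not the KEX hash size, decides how many
    blocks are produced: a 64-byte hmac-sha2-512 key from a SHA-1 KEX needs
    four 20-byte blocks, while a 16-byte key is just a prefix of K1."""
    digest = lambda data: hashlib.new(kex_hash, data).digest()
    shared = ssh_mpint(K) + H
    material = digest(shared + letter + session_id)
    while len(material) < needed:
        material += digest(shared + material)
    return material[:needed]


def integrity_key(alg: str, kex_hash: str, K: int, H: bytes,
                  session_id: bytes, client_to_server: bool = True) -> bytes:
    """Derive the MAC key for alg; its length comes from the MAC_ALGS table."""
    _, key_len, _ = MAC_ALGS[alg]
    letter = b"E" if client_to_server else b"F"
    return derive_key(kex_hash, K, H, session_id, letter, key_len)


def compute_mac(alg: str, key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: MAC(key, sequence_number || unencrypted_packet),
    truncated to the algorithm's tag length (12 bytes for the -96 variants)."""
    hash_name, key_len, tag_len = MAC_ALGS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} expects a {key_len}-byte key, got {len(key)}")
    data = struct.pack(">I", seq) + packet
    return hmac.new(key, data, hash_name).digest()[:tag_len]


def interop_check(K: int, H: bytes, session_id: bytes, kex_hash: str = "sha1",
                  seq: int = 3, packet: bytes = bytes(range(32))) -> dict:
    """Derive every algorithm's client-to-server key from one exchange and
    MAC the same packet. Two peers verify each other only if they derived
    the same number of key bytes; the @ssh.com variants share a name but
    not a key length, so their tags differ even though the shorter keys
    are prefixes of the 32-byte one."""
    result = {}
    for alg in MAC_ALGS:
        key = integrity_key(alg, kex_hash, K, H, session_id)
        result[alg] = (key, compute_mac(alg, key, seq, packet))
    return result


if __name__ == "__main__":
    # Constructed sample values standing in for a real key exchange (not
    # captured traffic): K is the shared secret, H the SHA-1 exchange hash,
    # which also serves as session_id on the first exchange.
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
    H = hashlib.sha1(b"constructed exchange hash").digest()
    for alg, (key, tag) in interop_check(K, H, session_id=H).items():
        print(f"{alg:34s} key={len(key):2d} bytes  tag={tag.hex()}")
```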



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Apr  6 22:05:59 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: galb-list@vandyke.com, ietf-ssh2@denisbider.com, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm...
In-Reply-To: <02351C58882E45F9BE44C62542DE4C5B@element>
Message-Id: <E1Q7hRJ-0005RN-Te@login01.fos.auckland.ac.nz>
Date: Thu, 07 Apr 2011 17:07:29 +1200

"denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com> writes:

>Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it
>"hmac-sha256", and register it?

+1.

Peter.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Apr  6 23:39:06 2011
To: "denis bider (Bitvise)" <ietf-ssh2@denisbider.com>
CC: "Joseph Galbraith" <galb-list@vandyke.com>, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm... 
In-Reply-To: <02351C58882E45F9BE44C62542DE4C5B@element> 
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element>
Comments: In-reply-to: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com> message dated "Wed, 06 Apr 2011 23:40:17 -0400."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Wed, 6 Apr 2011 23:38:18 -0700
Message-ID: <73399.1302158298@eng-mail01.juniper.net>

> Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it 
> "hmac-sha256", and register it?

+1

Yes please. I would like to also see a 64-byte key "hmac-sha512" in the
same RFC and IANA proposal as the one for an "hmac-sha256" if there is
anyone who thinks we should do them both at the same time.

	-- Mark

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Thu Apr  7 01:02:38 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: ietf-ssh2@denisbider.com, mdb@juniper.net
Subject: Re: SHA-2 based HMAC algorithm...
Cc: galb-list@vandyke.com, ietf-ssh@NetBSD.org
In-Reply-To: <73399.1302158298@eng-mail01.juniper.net>
Message-Id: <E1Q7kCF-00064T-QO@login01.fos.auckland.ac.nz>
Date: Thu, 07 Apr 2011 20:04:07 +1200

"Mark D. Baushke" <mdb@juniper.net> writes:

>I would like to also see a 64-byte key "hmac-sha512" in the same RFC and IANA
>proposal as the one for an "hmac-sha256" if there is anyone who thinks we
>should do them both at the same time.

One minor naming nit, it would probably be best to use "hmac-sha2-256" or
something, since there'll be an "hmac-sha3-256" within the next few years 
(same for -512).

Peter.


From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Thu Apr  7 01:08:36 2011
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: ietf-ssh2@denisbider.com, galb-list@vandyke.com, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm... 
In-Reply-To: <E1Q7kCF-00064T-QO@login01.fos.auckland.ac.nz> 
References: <E1Q7kCF-00064T-QO@login01.fos.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Thu, 07 Apr 2011 20:04:07 +1200."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Thu, 7 Apr 2011 01:05:33 -0700
Message-ID: <83303.1302163533@eng-mail01.juniper.net>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> "Mark D. Baushke" <mdb@juniper.net> writes:
> 
> >I would like to also see a 64-byte key "hmac-sha512" in the same RFC
> >and IANA proposal as the one for an "hmac-sha256" if there is anyone
> >who thinks we should do them both at the same time.
> 
> One minor naming nit, it would probably be best to use "hmac-sha2-256" or
> something, since there'll be an "hmac-sha3-256" within the next few years 
> (same for -512).

Agreed. "hmac-sha2-256" and "hmac-sha2-512" seem like good names to me.

	-- Mark

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Thu Apr  7 14:08:32 2011
Subject: Re: SHA-2 based HMAC algorithm...
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: "denis bider (Bitvise)" <ietf-ssh2@denisbider.com>
Cc: jhutz@cmu.edu, Joseph Galbraith <galb-list@vandyke.com>, ietf-ssh@NetBSD.org
In-Reply-To: <02351C58882E45F9BE44C62542DE4C5B@element>
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element>
Date: Thu, 07 Apr 2011 15:25:46 -0400
Message-ID: <1302204346.2583.221.camel@destiny>

On Wed, 2011-04-06 at 23:40 -0400, denis bider (Bitvise) wrote:
> Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it 
> "hmac-sha256", and register it?

Sure.  Write an internet-draft, get something resembling consensus on
this list, and find someone to shepherd and an AD to sponsor it.  I can
probably help with the last bits.

-- Jeff


From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Thu Apr  7 17:30:10 2011
Message-ID: <16E55C82463A4A019682B27F0B842C5E@element>
From: "denis bider" <d3@denisbider.com>
To: "Jeffrey Hutzelman" <jhutz@cmu.edu>, "Joseph Galbraith" <galb-list@vandyke.com>, <mdb@juniper.net>, "Peter Gutmann" <pgut001@cs.auckland.ac.nz>
Cc: <ietf-ssh@NetBSD.org>
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element> <1302204346.2583.221.camel@destiny>
In-Reply-To: <1302204346.2583.221.camel@destiny>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Thu, 7 Apr 2011 20:31:57 -0400

I have submitted a draft:

http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt

Comments appreciated.

denis bider


----- Original Message ----- 
From: "Jeffrey Hutzelman" <jhutz@cmu.edu>
To: "denis bider (Bitvise)" <ietf-ssh2@denisbider.com>
Cc: <jhutz@cmu.edu>; "Joseph Galbraith" <galb-list@vandyke.com>; 
<ietf-ssh@NetBSD.org>
Sent: Thursday, April 07, 2011 15:25
Subject: Re: SHA-2 based HMAC algorithm...


On Wed, 2011-04-06 at 23:40 -0400, denis bider (Bitvise) wrote:
> Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call 
> it
> "hmac-sha256", and register it?

Sure.  Write an internet-draft, get something resembling consensus on
this list, and find someone to shepherd and an AD to sponsor it.  I can
probably help with the last bits.

-- Jeff




From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Apr  8 05:32:11 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: d3@denisbider.com, galb-list@vandyke.com, jhutz@cmu.edu, mdb@juniper.net, pgut001@cs.auckland.ac.nz
Subject: Re: SHA-2 based HMAC algorithm...
Cc: ietf-ssh@NetBSD.org
In-Reply-To: <16E55C82463A4A019682B27F0B842C5E@element>
Message-Id: <E1Q8Asd-0000ZD-Vl@login01.fos.auckland.ac.nz>
Date: Sat, 09 Apr 2011 00:33:39 +1200
List-Id: ietf-ssh.NetBSD.org

"denis bider" <d3@denisbider.com> writes:

>I have submitted a draft:
>
>http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt
>
>Comments appreciated.

Just one minor nit: you should probably specify in section 2 that lengths are
in bytes (e.g. "32 bytes" rather than just "32"), given that there are
bit-lengths used in the same sentence.

Also, should at least SHA2-256 be a SHOULD?  That seems to be the most common
SHA2 variant around.

Anyone want to do some interop-testing with this?  I should be able to add
support for it later in the week when (if) I get a free day.

Peter.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Apr  8 07:24:28 2011
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: d3@denisbider.com, galb-list@vandyke.com, jhutz@cmu.edu, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm... 
In-Reply-To: <E1Q8Asd-0000ZD-Vl@login01.fos.auckland.ac.nz> 
References: <E1Q8Asd-0000ZD-Vl@login01.fos.auckland.ac.nz>
Comments: In-reply-to: Peter Gutmann <pgut001@cs.auckland.ac.nz> message dated "Sat, 09 Apr 2011 00:33:39 +1200."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Fri, 8 Apr 2011 07:24:11 -0700
Message-ID: <89177.1302272651@eng-mail01.juniper.net>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> "denis bider" <d3@denisbider.com> writes:
> 
> >I have submitted a draft:
> >
> >http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt
> >
> >Comments appreciated.
> 
> Just one minor nit: you should probably specify in section 2 that lengths are
> in bytes (e.g. "32 bytes" rather than just "32"), given that there are
> bit-lengths used in the same sentence.
> 
> Also, should at least SHA2-256 be a SHOULD?  That seems to be the most common
> SHA2 variant around.
> 
> Anyone want to do some interop-testing with this?  I should be able to add
> support for it later in the week when (if) I get a free day.

Below is a patch adding support for it to OpenSSH 5.8p1.
(For best results, use OpenSSL 0.9.8r as the SSL library.)

	-- Mark

Patch to OpenSSH 5.8p1 to support
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt

Index: openssh-5.8p1/mac.c
--- openssh-5.8p1/mac.c	2008-06-12 17:58:50.000000000 -0700
+++ openssh-5.8p1/mac.c	2011-04-08 07:13:30.764657000 -0700
@@ -57,6 +57,10 @@ struct {
 } macs[] = {
 	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
 	{ "hmac-sha1-96",		SSH_EVP, EVP_sha1, 96, -1, -1 },
+	{ "hmac-sha2-256",		SSH_EVP, EVP_sha256, 0, -1, -1 },
+	{ "hmac-sha2-256-96",		SSH_EVP, EVP_sha256, 96, -1, -1 },
+	{ "hmac-sha2-512",		SSH_EVP, EVP_sha512, 0, -1, -1 },
+	{ "hmac-sha2-512-96",		SSH_EVP, EVP_sha512, 96, -1, -1 },
 	{ "hmac-md5",			SSH_EVP, EVP_md5, 0, -1, -1 },
 	{ "hmac-md5-96",		SSH_EVP, EVP_md5, 96, -1, -1 },
 	{ "hmac-ripemd160",		SSH_EVP, EVP_ripemd160, 0, -1, -1 },
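Review bot: the four new rows reference EVP_sha256 and EVP_sha512 with no compile-time guard, so this table will not build against an OpenSSL that lacks the SHA-2 digests; the covering note only says to use 0.9.8r "for best results", which nothing in the patch enforces. A configure-time check (or an #ifdef around the four rows) would keep the names from being advertised when the library cannot supply the digest. The remaining columns mirror the existing hmac-sha1 and hmac-sha1-96 rows, and the four names match draft-dbider-sha2-mac-for-ssh-00, so no further length handling is needed in this hunk.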
Index: openssh-5.8p1/myproposal.h
--- openssh-5.8p1/myproposal.h	2011-01-13 03:00:22.000000000 -0800
+++ openssh-5.8p1/myproposal.h	2011-04-08 07:13:30.769646000 -0700
@@ -78,8 +78,9 @@
 #define	KEX_DEFAULT_MAC \
 	"hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
 	"hmac-ripemd160@openssh.com," \
-	"hmac-sha1-96,hmac-md5-96"
+	"hmac-sha1-96,hmac-md5-96," \
+	"hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96"
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
 #define	KEX_DEFAULT_LANG	""
 
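Review bot: appending the SHA-2 names to the end of KEX_DEFAULT_MAC means two patched peers with default settings will still negotiate hmac-md5: the MAC chosen is the first entry in the client's list that the server also offers, and with this default on both sides that is the first entry, hmac-md5. If the intent is for SHA-2 to be used whenever both ends support it, hmac-sha2-256 and hmac-sha2-512 need to precede hmac-md5 and hmac-sha1, with the -96 truncations placed last; as written, the new algorithms are only reachable through an explicit MACs setting.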
Index: openssh-5.8p1/ssh.0
--- openssh-5.8p1/ssh.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/ssh.0	2011-04-08 07:13:30.796642000 -0700
@@ -389,8 +389,9 @@ AUTHENTICATION
      support similar authentication methods, but protocol 2 is the default
      since it provides additional mechanisms for confidentiality (the traffic
      is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
-     integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).  Protocol 1
-     lacks a strong mechanism for ensuring the integrity of the connection.
+     integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512,
+     umac-64, hmac-ripemd160). Protocol 1 lacks a strong mechanism for
+     ensuring the integrity of the connection.
 
      The methods available for authentication are: GSSAPI-based
      authentication, host-based authentication, public key authentication,
Index: openssh-5.8p1/ssh.1
--- openssh-5.8p1/ssh.1	2010-11-19 20:21:03.000000000 -0800
+++ openssh-5.8p1/ssh.1	2011-04-08 07:13:30.897576000 -0700
@@ -664,7 +664,9 @@ Both protocols support similar authentic
 but protocol 2 is the default since
 it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
+and integrity (hmac-md5, hmac-sha1,
+hmac-sha2-256, hmac-sha2-512,
+umac-64, hmac-ripemd160).
 Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
Index: openssh-5.8p1/ssh_config.0
--- openssh-5.8p1/ssh_config.0	2011-02-03 17:00:03.000000000 -0800
+++ openssh-5.8p1/ssh_config.0	2011-04-08 07:13:30.812638000 -0700
@@ -451,7 +451,9 @@ DESCRIPTION
              must be comma-separated.  The default is:
 
                    hmac-md5,hmac-sha1,umac-64@openssh.com,
-                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+                   hmac-hmac-sha2-512-96
 
      NoHostAuthenticationForLocalhost
              This option can be used if the home directory is shared across
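Review bot: two of the names in the added default list do not exist in the mac.c table: "hmac-sha256-96" should read "hmac-sha2-256-96" and "hmac-hmac-sha2-512-96" should read "hmac-sha2-512-96". A user who copies the documented default into a MACs line will be refused for an unknown algorithm. Since ssh_config.0 is the preformatted copy of ssh_config.5, the corrected text should be regenerated from the .5 source rather than edited by hand.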
Index: openssh-5.8p1/ssh_config.5
--- openssh-5.8p1/ssh_config.5	2010-12-25 19:26:48.000000000 -0800
+++ openssh-5.8p1/ssh_config.5	2011-04-08 07:13:30.902578000 -0700
@@ -770,7 +770,9 @@ Multiple algorithms must be comma-separa
 The default is:
 .Bd -literal -offset indent
 hmac-md5,hmac-sha1,umac-64@openssh.com,
-hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+hmac-sha2-512-96
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
 This option can be used if the home directory is shared across machines.
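Review bot: "hmac-sha256-96" in the added default list should be "hmac-sha2-256-96", the name registered in mac.c; the same misspelling is carried into ssh_config.0, so fixing it here and regenerating the .0 file corrects both.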
Index: openssh-5.8p1/sshd.0
--- openssh-5.8p1/sshd.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/sshd.0	2011-04-08 07:13:30.839599000 -0700
@@ -167,8 +167,8 @@ AUTHENTICATION
      AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.  The
      client selects the encryption algorithm to use from those offered by the
      server.  Additionally, session integrity is provided through a
-     cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64
-     or hmac-ripemd160).
+     cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
+     hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
 
      Finally, the server and the client enter an authentication dialog.  The
      client tries to authenticate itself using host-based authentication,
Index: openssh-5.8p1/sshd.8
--- openssh-5.8p1/sshd.8	2010-11-04 16:20:14.000000000 -0700
+++ openssh-5.8p1/sshd.8	2011-04-08 07:13:30.908565000 -0700
@@ -314,7 +314,8 @@ The client selects the encryption algori
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
+(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160,
+hmac-sha2-256 or hmac-sha2-512).
 .Pp
 Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
Index: openssh-5.8p1/sshd_config.0
--- openssh-5.8p1/sshd_config.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/sshd_config.0	2011-04-08 07:13:30.881570000 -0700
@@ -375,7 +375,9 @@ DESCRIPTION
              separated.  The default is:
 
                    hmac-md5,hmac-sha1,umac-64@openssh.com,
-                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+		    hmac-sha2-512-96
 
      Match   Introduces a conditional block.  If all of the criteria on the
              Match line are satisfied, the keywords on the following lines
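Review bot: "hmac-sha256-96" in the added default list should be "hmac-sha2-256-96" to match mac.c, and the final added line is indented with tabs while the lines above it use spaces, which misaligns the preformatted block. Both should be corrected in sshd_config.5 and the .0 file regenerated from it.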
Index: openssh-5.8p1/sshd_config.5
--- openssh-5.8p1/sshd_config.5	2010-12-25 19:26:48.000000000 -0800
+++ openssh-5.8p1/sshd_config.5	2011-04-08 07:13:30.926577000 -0700
@@ -654,7 +654,9 @@ Multiple algorithms must be comma-separa
 The default is:
 .Bd -literal -offset indent
 hmac-md5,hmac-sha1,umac-64@openssh.com,
-hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+hmac-sha2-512-96
 .Ed
 .It Cm Match
 Introduces a conditional block.
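Review bot: "hmac-sha256-96" in the added default list should be "hmac-sha2-256-96", the name mac.c registers; the documented default should also be cross-checked against KEX_DEFAULT_MAC in myproposal.h, which lists the four SHA-2 names in the order hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96.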

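What the placement of the new names in KEX_DEFAULT_MAC means in practice, as an added Python example (not OpenSSH code): it applies the RFC 4253 rule, first client preference that the server also lists, to the patched default and to a constructed SHA-2-first alternative.

```python
"""MAC algorithm negotiation per RFC 4253 s.7.1: the chosen algorithm is
the first name in the client's list that also appears in the server's.
Added example, not OpenSSH code.  PATCHED_DEFAULT_MAC is the string
defined by the patched myproposal.h above; SHA2_FIRST_MAC is a
constructed alternative ordering."""


def parse_name_list(s):
    """Split an RFC 4251 name-list; empty names are not permitted."""
    names = s.split(",") if s else []
    if any(n == "" for n in names):
        raise ValueError("empty name in name-list")
    return names


def negotiate(client_list, server_list):
    """First client-preferred name the server supports, or None."""
    server = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server:
            return name
    return None


# KEX_DEFAULT_MAC as defined by the patched myproposal.h
PATCHED_DEFAULT_MAC = (
    "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
    "hmac-ripemd160@openssh.com,"
    "hmac-sha1-96,hmac-md5-96,"
    "hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96"
)

# KEX_DEFAULT_MAC of an unpatched 5.8p1 (the "-" lines of the hunk)
UNPATCHED_DEFAULT_MAC = (
    "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
    "hmac-ripemd160@openssh.com,"
    "hmac-sha1-96,hmac-md5-96"
)

# Constructed alternative that prefers the SHA-2 MACs
SHA2_FIRST_MAC = (
    "hmac-sha2-256,hmac-sha2-512,hmac-sha1,umac-64@openssh.com,"
    "hmac-ripemd160,hmac-md5,hmac-sha1-96,hmac-md5-96"
)


def default_to_default():
    """Two patched peers, both on the patched default: still hmac-md5."""
    return negotiate(PATCHED_DEFAULT_MAC, PATCHED_DEFAULT_MAC)


def sha2_client_to_patched_server():
    """Client prefers SHA-2, server on the patched default: hmac-sha2-256."""
    return negotiate(SHA2_FIRST_MAC, PATCHED_DEFAULT_MAC)


def sha2_client_to_unpatched_server():
    """Client prefers SHA-2, server unpatched: falls back to hmac-sha1."""
    return negotiate(SHA2_FIRST_MAC, UNPATCHED_DEFAULT_MAC)


if __name__ == "__main__":
    print("patched <-> patched:     ", default_to_default())
    print("sha2-first -> patched:   ", sha2_client_to_patched_server())
    print("sha2-first -> unpatched: ", sha2_client_to_unpatched_server())
```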
From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Apr  8 12:55:31 2011
Message-ID: <5F67ED28BE1043409DB93D1964966AFE@element>
From: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, <galb-list@vandyke.com>, <jhutz@cmu.edu>, <mdb@juniper.net>
Cc: <ietf-ssh@NetBSD.org>
References: <E1Q8Asd-0000ZD-Vl@login01.fos.auckland.ac.nz>
In-Reply-To: <E1Q8Asd-0000ZD-Vl@login01.fos.auckland.ac.nz>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Fri, 8 Apr 2011 15:56:49 -0400

> Just one minor nit: you should probably specify
> in section 2 that lengths are in bytes (e.g.
> "32 bytes" rather than just "32"), given that
> there are bit-lengths used in the same sentence.

Fair point.

I updated the draft with this change:

http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-01.txt


> Anyone want to do some interop-testing with this?
> I should be able to add support for it later in the
> week when (if) I get a free day.

Great. I'll add support for it in WinSSHD and post a link to a 
pre-release build when it's ready.


denis



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Apr  9 03:35:11 2011
From: Simon Tatham <anakin@pobox.com>
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, <galb-list@vandyke.com>, <jhutz@cmu.edu>, <mdb@juniper.net>, <ietf-ssh2@denisbider.com>
Cc: <ietf-ssh@NetBSD.org>
In-Reply-To: <5F67ED28BE1043409DB93D1964966AFE@element>
Subject: Re: SHA-2 based HMAC algorithm...
Message-Id: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
Date: Sat, 09 Apr 2011 10:26:57 +0100

denis bider \(Bitvise\) <ietf-ssh2@denisbider.com> wrote:
> I updated the draft with this change:
> http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-01.txt

Another minor nit: you're referencing HMAC, so you should add a
reference to RFC 2104 in which the HMAC construction is defined.

Meanwhile, I've done the implementation of this draft for PuTTY. At

    http://tartarus.org/simon/20110409-putty-sha2

I've uploaded a complete set of PuTTY executables (in the 'x86'
subdir) and source archives modified for SHA-2 support, together
with the source code patch (in 'sha2.diff'). I've verified that all
four of the new MACs work against OpenSSH 5.8p1 with Peter Gutmann's
patch applied.

Cheers,
Simon
-- 
Simon Tatham         "Imagine what the world would be like if
<anakin@pobox.com>    there were no hypothetical situations..."

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Apr  9 16:35:04 2011
Message-ID: <C24781132F6044E4904BE0BD0D88718E@element>
From: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
To: "Simon Tatham" <anakin@pobox.com>, "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, <galb-list@vandyke.com>, <jhutz@cmu.edu>, <mdb@juniper.net>
Cc: <ietf-ssh@NetBSD.org>
References: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
In-Reply-To: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Sat, 9 Apr 2011 19:36:25 -0400

> Another minor nit: you're referencing HMAC,
> so you should add a reference to RFC 2104
> in which the HMAC construction is defined.

No problem.

I submitted a new version of the draft with references to RFC 2104 and 
RFC 4231:

http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt

denis



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Apr  9 17:57:28 2011
Message-ID: <2A308A2E234749298BF868A15A45D15E@element>
From: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
To: "Simon Tatham" <anakin@pobox.com>, "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, <galb-list@vandyke.com>, <jhutz@cmu.edu>, <mdb@juniper.net>
Cc: <ietf-ssh@NetBSD.org>
References: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
In-Reply-To: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Sat, 9 Apr 2011 20:58:54 -0400

> I've uploaded a complete set of PuTTY executables
> (in the 'x86' subdir) and source archives modified
> for SHA-2 support,

I also implemented the new algorithms in WinSSHD.

The latest build supporting the hmac-sha2-256 and hmac-sha2-256-96 
algorithms can be found here:

http://dl.bitvise.com/WinSSHD-524-Pre1.exe

Both algorithms appear to work fine with the PuTTY build provided by 
Simon.

denis bider



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Apr  9 23:33:57 2011
From: nisse@lysator.liu.se (Niels Möller)
To: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
Cc: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
Subject: Re: SHA-2 based HMAC algorithm...
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element>
Date: Sun, 10 Apr 2011 08:35:30 +0200
In-Reply-To: <02351C58882E45F9BE44C62542DE4C5B@element> (denis bider's message of "Wed, 6 Apr 2011 23:40:17 -0400")
Message-ID: <nnbp0ewr4d.fsf@stalhein.lysator.liu.se>

"denis bider (Bitvise)" <ietf-ssh2@denisbider.com> writes:

> Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it 
> "hmac-sha256", and register it?

I see you're trying to follow the hmac definitions in RFC 4253. But is
there any good reason a hmac keysize should match the digest size, in
general? My understanding of hmac keysize is that

  * it can't usefully exceed the internal hash blocksize (64 bytes for
    sha1 and sha-2-256, 128 bytes for sha-2-512)

  * it should be large enough to exclude keysearch, by a reasonable margin

Any other concerns I'm missing? Is the birthday paradox relevant to hmac
in some way?

My gut-feeling is that the suggested keysize (64 bytes, 512 bits) for
hmac-sha2-512 is ridiculously large for a symmetric cryptographic
construction. 20 bytes (160 bits) seems sufficient, and 32 bytes (256
bits) is overkill for the foreseeable future.

I fully support a spec for using sha-2, but I'd like to see some
motivation for the chosen key sizes. 

Ah, and one other thing: Would it make sense to use hmac-sha2-224-96
(different initial state) rather than hmac-sha2-256-96? I confess I
never really understood the rationale behind sha2-224 and sha2-384.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
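The HMAC construction the draft builds on, and the key-size question raised above, as an added Python example (not code from the draft, OpenSSH, PuTTY or WinSSHD): it implements RFC 2104 from the hash primitive, shows why a key longer than the hash block size collapses to its digest, and computes the draft's hmac-sha2-256/-512 tags with the -96 truncation over the RFC 4253 sequence-number-prefixed packet. All keys, sequence numbers and packet bytes are constructed; the one fixed vector is RFC 4231 test case 1.

```python
"""HMAC as defined in RFC 2104, built from hashlib primitives, and the SSH
MAC computation for the names in draft-dbider-sha2-mac-for-ssh
(hmac-sha2-256, hmac-sha2-512 and their -96 truncations).
Added example; not code from the draft, OpenSSH, PuTTY or WinSSHD.
All keys, sequence numbers and packet bytes below are constructed."""
import hashlib
import hmac
import struct

# hash name -> (hashlib constructor, internal block size, digest size), bytes
HASHES = {
    "sha1": (hashlib.sha1, 64, 20),
    "sha256": (hashlib.sha256, 64, 32),
    "sha512": (hashlib.sha512, 128, 64),
}


def hmac_rfc2104(hash_name, key, msg):
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), RFC 2104 s.2.

    K' is the key zero-padded to the hash block size.  A key longer than
    the block size is first replaced by H(key), which is why key bytes
    beyond the block size add nothing."""
    h, block, _ = HASHES[hash_name]
    if len(key) > block:
        key = h(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def matches_stdlib(hash_name, key, msg):
    """Cross-check hmac_rfc2104 against Python's own hmac module."""
    ref = hmac.new(key, msg, HASHES[hash_name][0]).digest()
    return hmac.compare_digest(hmac_rfc2104(hash_name, key, msg), ref)


def rfc4231_case1_sha256():
    """RFC 4231 test case 1 (key 0x0b*20, data "Hi There"), hex digest."""
    return hmac_rfc2104("sha256", b"\x0b" * 20, b"Hi There").hex()


def long_key_collapses(hash_name, key):
    """True when HMAC(key, m) == HMAC(H(key), m): the key exceeds the block
    size, so RFC 2104 hashes it down before use and it is no stronger than
    its digest.  False for keys at or below the block size."""
    h, _, _ = HASHES[hash_name]
    msg = b"constructed sample message"
    return hmac_rfc2104(hash_name, key, msg) == hmac_rfc2104(
        hash_name, h(key).digest(), msg)


# SSH MAC name -> (hash, key length, tag length) in bytes, per the draft:
# hmac-sha2-256 uses a 32-byte key and tag, hmac-sha2-512 a 64-byte key
# and tag, and the -96 variants keep the key but send only 12 tag bytes.
SSH_MACS = {
    "hmac-sha2-256": ("sha256", 32, 32),
    "hmac-sha2-256-96": ("sha256", 32, 12),
    "hmac-sha2-512": ("sha512", 64, 64),
    "hmac-sha2-512-96": ("sha512", 64, 12),
}


def ssh_mac(alg, key, seq, packet):
    """MAC over sequence_number || unencrypted_packet (RFC 4253 s.6.4),
    truncated to the algorithm's tag length."""
    hash_name, key_len, tag_len = SSH_MACS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} expects a {key_len}-byte key, got {len(key)}")
    return hmac_rfc2104(hash_name, key, struct.pack(">I", seq) + packet)[:tag_len]


def verify_ssh_mac(alg, key, seq, packet, tag):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(ssh_mac(alg, key, seq, packet), tag)


def rejects_wrong_key_length(alg, key):
    """True when ssh_mac refuses a key of the wrong length for alg."""
    try:
        ssh_mac(alg, key, 0, b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 32-byte key
    packet = b"\x00\x00\x00\x0c\x0a" + b"x" * 11  # constructed packet bytes
    print("hmac-sha2-256-96 tag:", ssh_mac("hmac-sha2-256-96", key, 3, packet).hex())
    print("RFC 4231 case 1:", rfc4231_case1_sha256())
    print("65-byte SHA-256 key collapses:", long_key_collapses("sha256", b"\x55" * 65))
```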

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 05:23:59 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7474B3A6A0F for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:23:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.571
X-Spam-Level: 
X-Spam-Status: No, score=-3.571 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5NL8hKnReHZ for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:23:58 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 397E63A69DE for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 05:23:58 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 32C4719CF5E; Sun, 10 Apr 2011 12:25:41 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id C626B19CF50 for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:25:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass header.i=pgut001@cs.auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id YqoQ-XA+tm4m for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:25:39 +0000 (UTC)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mx2.auckland.ac.nz", Issuer "AusCERT Server CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 858B119CEFE for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:25:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302438339; x=1333974339; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20anakin@pobox.com,=20galb-list@vandyke.com,=20ietf- ssh2@denisbider.com,=0D=0A=20=20=20=20jhutz@cmu.edu,=20md b@juniper.net,=20pgut001@cs.auckland.ac.nz|Subject:=20Re: =20SHA-2=20based=20HMAC=20algorithm...|Cc:=20ietf-ssh@Net BSD.org|In-Reply-To:=20<E1Q8URV-0001Py-OU@atreus.tartarus .org>|Message-Id:=20<E1Q8thp-0005pJ-L9@login01.fos.auckla nd.ac.nz>|Date:=20Mon,=2011=20Apr=202011=2000:25:29=20+12 00; bh=OMrpdHD6GPZwJeYIVpZfWJCBp3C7IZyZZEDKHwlnnek=; b=mA5hNVwFkkBtfGWCKCwLUnSXqZzH4jayMMOzkeGnrGLQt1gWGwMz7IvS 6soRRQvMc8PA4j4B1tfUVAAsUQfvrxUtMwNBhdXP1cWbB4R9pisKt7fdP iOz3RSeQDk320a/jlp/6oIyOnyMtzv+tXS/1awX8flutEeJvX5rxjiwrI Q=;
X-IronPort-AV: E=Sophos;i="4.63,334,1299409200";  d="scan'208";a="56040886"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Apr 2011 00:25:30 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q8thp-0007pv-IP; Mon, 11 Apr 2011 00:25:29 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q8thp-0005pJ-L9; Mon, 11 Apr 2011 00:25:29 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: anakin@pobox.com, galb-list@vandyke.com, ietf-ssh2@denisbider.com, jhutz@cmu.edu, mdb@juniper.net, pgut001@cs.auckland.ac.nz
Subject: Re: SHA-2 based HMAC algorithm...
Cc: ietf-ssh@NetBSD.org
In-Reply-To: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
Message-Id: <E1Q8thp-0005pJ-L9@login01.fos.auckland.ac.nz>
Date: Mon, 11 Apr 2011 00:25:29 +1200
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Simon Tatham <anakin@pobox.com> writes:

>I've verified that all four of the new MACs work against OpenSSH 5.8p1 with
>Peter Gutmann's patch applied.

While I'd like to take credit for it :-), that wasn't my patch.  I'll get it
into my code later this week, sorry, terribly snowed under with other work at
the moment.

Peter.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 05:30:23 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FA3E28B23E for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:30:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.572
X-Spam-Level: 
X-Spam-Status: No, score=-3.572 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjXXGT40oYAv for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:30:22 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 1F2D73A69DE for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 05:30:22 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 88B5619CFCB; Sun, 10 Apr 2011 12:32:06 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id C3D4C19CFC6 for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:32:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass header.i=pgut001@cs.auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id wR0ieMRSL57x for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:32:04 +0000 (UTC)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mx2.auckland.ac.nz", Issuer "AusCERT Server CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id AB4A119CFC1 for <ietf-ssh@netbsd.org>; Sun, 10 Apr 2011 12:32:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302438723; x=1333974723; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20ietf-ssh2@denisbider.com,=20nisse@lysator.liu.se |Subject:=20Re:=20SHA-2=20based=20HMAC=20algorithm...|Cc: =20galb-list@vandyke.com,=20ietf-ssh@NetBSD.org |In-Reply-To:=20<nnbp0ewr4d.fsf@stalhein.lysator.liu.se> |Message-Id:=20<E1Q8to9-0005y5-Sl@login01.fos.auckland.ac .nz>|Date:=20Mon,=2011=20Apr=202011=2000:32:01=20+1200; bh=w5fwPErint1GCsZYie60pf/D/xq+P7jRtJDGhKqt7c4=; b=JMIUfvVSA8EGJBZnvWREO86w7czqGxdWTo57tmM6HZexMV/m/vHRRDNc BXN1QmfD+3rNXIN+KRkMjnt9pHjxBmuGiMHVBd8hsSW4ipTtYAWJvas+I ywUVSL9PwySfHBM4AvdfN1alS0vNLGfLKLkcUQRDTdjTXVVmydNR48VtV U=;
X-IronPort-AV: E=Sophos;i="4.63,334,1299409200";  d="scan'208";a="56041097"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Apr 2011 00:32:02 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q8to9-00081K-JB; Mon, 11 Apr 2011 00:32:01 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q8to9-0005y5-Sl; Mon, 11 Apr 2011 00:32:01 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: ietf-ssh2@denisbider.com, nisse@lysator.liu.se
Subject: Re: SHA-2 based HMAC algorithm...
Cc: galb-list@vandyke.com, ietf-ssh@NetBSD.org
In-Reply-To: <nnbp0ewr4d.fsf@stalhein.lysator.liu.se>
Message-Id: <E1Q8to9-0005y5-Sl@login01.fos.auckland.ac.nz>
Date: Mon, 11 Apr 2011 00:32:01 +1200
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

nisse@lysator.liu.se (Niels Möller) writes:

>My gut-feeling is that the suggested keysize (64 bytes, 512 bits) for hmac-
>sha2-512 is ridiculously large for a symmetric cryptographic construction. 20
>bytes (160 bits) seem sufficient, and 32 bytes (256 bits) is overkill for the
>foreseeable future.

The convention, both for pre-SHA2 hashes, and in other protocols where SHA2
hashes are used, is to use the block size as the key size.  I agree that it's
overkill, but in pretty much every case where it's used, it's the output of a
PRF, and so key size doesn't really matter.

>Ah, and one other thing: Would it make sense to use hmac-sha2-224-96
>(different initial state) rather than hmac-sha2-256-96? I confess I never
>really understood the rationale behind sha2-224 and sha2-384.

To quote someone on another list (possibly SAAG), SHA2-224 and -384 were
created by NIST to confuse the crypto-clueless.  They're barely supported and
have no real reason for existence, please don't use them.

Peter.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 05:55:13 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32E693A6A15 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:55:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level: 
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hL3tR3DDoVjD for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 05:55:11 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 694603A6A14 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 05:55:11 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 4716B19D09E; Sun, 10 Apr 2011 12:56:55 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id D66BC19D0A5 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 12:56:52 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id b481aXg83peZ for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 12:56:52 +0000 (UTC)
Received: from mail.lysator.liu.se (unknown [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id 11D3319CFCC for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 12:56:51 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 0F3C340032 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 14:56:49 +0200 (CEST)
Received: by mail.lysator.liu.se (Postfix, from userid 1004) id 0527F40030; Sun, 10 Apr 2011 14:56:49 +0200 (CEST)
Received: from stalhein.lysator.liu.se (stalhein.lysator.liu.se [130.236.254.204]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPS id 827F74002A; Sun, 10 Apr 2011 14:56:47 +0200 (CEST)
Received: from stalhein.lysator.liu.se (localhost [127.0.0.1]) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4) with ESMTP id p3ACulJa028468; Sun, 10 Apr 2011 14:56:47 +0200 (MEST)
Received: (from nisse@localhost) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4/Submit) id p3ACuje5028456; Sun, 10 Apr 2011 14:56:45 +0200 (MEST)
X-Authentication-Warning: stalhein.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se (Niels Möller)
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-ssh2@denisbider.com, galb-list@vandyke.com, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm...
References: <E1Q8to9-0005y5-Sl@login01.fos.auckland.ac.nz>
Date: Sun, 10 Apr 2011 14:56:45 +0200
In-Reply-To: <E1Q8to9-0005y5-Sl@login01.fos.auckland.ac.nz> (Peter Gutmann's message of "Mon, 11 Apr 2011 00:32:01 +1200")
Message-ID: <nn7hb2w9gy.fsf@stalhein.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> The convention, both for pre-SHA2 hashes, and in other protocols where SHA2
> hashes are used, is to use the block size as the key size.

I see. I take it you mean *digest* size, not *block* size (or else,
hmac-sha1 would use a keysize of 64 octets / 512 bits)?

I guess there's some value in doing the same thing as everybody else, as
long as that way is silly rather than actually broken.

(And I should modify my previous statement that key size "can't usefully
exceed the internal hash blocksize". After thinking just a little bit
more I realized that key sizes larger than the *digest* size are not
very useful, since it's the digest size, rather than the block size,
which corresponds to the size of the internal state. This makes the
convention of using keys of the same size as the digest more
understandable. Sorry for the confusion).

> To quote someone on another list (possibly SAAG), SHA2-224 and -384 were
> created by NIST to confuse the crypto-clueless. 

The only property of sha224 which you don't get with sha256 with
truncated output, is that it's difficult, given a sha256 hash of unknown
data, to produce a sha224 hash for the same data (and similarly for
sha512 and sha384). And also in the other direction, given a sha256 hash
of unknown data, truncated to 224 bits, one could guess the missing bits
with a success probability of 2^{-32}; that is a lot harder to do based
on the sha224 hash of the data.

I don't know any protocol or scenario where these sha224 properties are
important or desirable, but maybe there is some?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 10:06:57 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA7383A6934 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 10:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level: 
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9XcJLGfLsofb for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 10:06:56 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 156FB3A6916 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 10:06:56 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 4F36519D0D9; Sun, 10 Apr 2011 17:06:54 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 404B019D0D6 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:06:52 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id xO5eeaOD7T53 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:06:51 +0000 (UTC)
Received: from mail.lysator.liu.se (unknown [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id 740D619D0BA for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:06:50 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id F305B40032 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 19:06:46 +0200 (CEST)
Received: by mail.lysator.liu.se (Postfix, from userid 1004) id E52DF4002A; Sun, 10 Apr 2011 19:06:46 +0200 (CEST)
Received: from stalhein.lysator.liu.se (stalhein.lysator.liu.se [130.236.254.204]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPS id 5662540007; Sun, 10 Apr 2011 19:06:45 +0200 (CEST)
Received: from stalhein.lysator.liu.se (localhost [127.0.0.1]) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4) with ESMTP id p3AH6jWC010250; Sun, 10 Apr 2011 19:06:45 +0200 (MEST)
Received: (from nisse@localhost) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4/Submit) id p3AH6hCP010249; Sun, 10 Apr 2011 19:06:43 +0200 (MEST)
X-Authentication-Warning: stalhein.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se (Niels Möller)
To: Dan Brown <dbrown@certicom.com>
Cc: "pgut001\@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, "ietf-ssh2\@denisbider.com" <ietf-ssh2@denisbider.com>, "galb-list\@vandyke.com" <galb-list@vandyke.com>, "ietf-ssh\@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: SHA-2 based HMAC algorithm...
References: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net>
Date: Sun, 10 Apr 2011 19:06:43 +0200
In-Reply-To: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net> (Dan Brown's message of "Sun, 10 Apr 2011 11:25:34 -0400")
Message-ID: <nn39lqvxwc.fsf@stalhein.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Dan Brown <dbrown@certicom.com> writes:

> HMAC accepts any key size, so adding key size to alg name seems odd.

SSH precedent seems to be that if only a single key size is ever going to
be used (either just in the SSH protocol, or ever, anywhere), then don't
include key size in the id. Examples: "3des-cbc", "arcfour",
"hmac-sha1". And if several distinct keysizes are expected to be used, the
key size is included in the id. Examples: "aes128-cbc".

For HMAC, I don't see any need to support, e.g., hmac-sha2-256, with
several different key sizes, so there's no need to include the key size
in the identifier.

> Nevertheless, parties must use the same key size, maybe the protocol,
> ie SSH, using HMAC should fix key size to the largest not requiring an
> extra hash?

The size must be specified. But using the hash block size (which I think
is what you're suggesting) seems unnecessarily large. That would mean 512
bits for hmac-sha1 (for which use in the ssh protocol is specified to
use a 160 bit key), and 1024 bits for hmac-sha2-512, which I find
totally out of proportion. And the effective key size (i.e., the size
of the internal state an attacker needs to recover in order to form valid
MACs) is limited to the digest size, or possibly twice the digest size,
if I understand hmac correctly.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 10:10:54 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 81DC03A69AD for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 10:10:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level: 
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMeySCcuygzr for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 10:10:52 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id C3FF53A6999 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 10:10:49 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id E890A19CEFE; Sun, 10 Apr 2011 17:10:46 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2D1ED19CEFD for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:10:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id tJ7-O-nb25ph for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:10:42 +0000 (UTC)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mhs060cnc.rim.net", Issuer "Thawte SSL CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 3B7C619CEF5 for <ietf-ssh@NetBSD.org>; Sun, 10 Apr 2011 17:10:41 +0000 (UTC)
X-AuditID: 0a41282f-b7bfdae000005b36-9e-4da1cbf01346
Received: from XHT110CNC.rim.net (xht110cnc.rim.net [10.65.22.55]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by mhs060cnc.rim.net (SBG) with SMTP id 14.A8.23350.0FBC1AD4; Sun, 10 Apr 2011 15:25:36 +0000 (GMT)
Received: from XCH117CNC.rim.net ([fe80::b8df:541f:9d85:9909]) by XHT110CNC.rim.net ([fe80::d0e9:e16f:525b:55f5%11]) with mapi; Sun, 10 Apr 2011 11:25:35 -0400
From: Dan Brown <dbrown@certicom.com>
To: "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, "ietf-ssh2@denisbider.com" <ietf-ssh2@denisbider.com>, "nisse@lysator.liu.se" <nisse@lysator.liu.se>
CC: "galb-list@vandyke.com" <galb-list@vandyke.com>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Date: Sun, 10 Apr 2011 11:25:34 -0400
Subject: Re: SHA-2 based HMAC algorithm...
Thread-Topic: SHA-2 based HMAC algorithm...
Thread-Index: Acv3e08QQT2HLUjdQl2/2ghXLZ9b3gAGDnES
Message-ID: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net>
In-Reply-To: <E1Q8to9-0005y5-Sl@login01.fos.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

What about FIPS 180-4, which, if I recall, defines SHA-512-256, a truncation of SHA-512 with a different IV?

Arguably for use in HMAC it could be truncated to 128 bits (or less), so one could have:

HMAC-SHA2-512-256-128 

(But I didn't yet check what 180-4 wants for HMAC.)

With regard to naming, to avoid ambiguity with future 180-4 followers, the number of numbers following SHA2 could be used to determine their meaning: with 180-4 truncation requiring three numbers even if no further HMAC tag truncation is applied, eg HMAC-SHA2-512-256-256.

HMAC accepts any key size, so adding key size to alg name seems odd.  Nevertheless, parties must use the same key size, maybe the protocol, ie SSH, using HMAC should fix key size to the largest not requiring an extra hash?

Best regards,

Dan

----- Original Message -----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
Sent: Sunday, April 10, 2011 08:32 AM
To: ietf-ssh2@denisbider.com <ietf-ssh2@denisbider.com>; nisse@lysator.liu.se <nisse@lysator.liu.se>
Cc: galb-list@vandyke.com <galb-list@vandyke.com>; ietf-ssh@NetBSD.org <ietf-ssh@NetBSD.org>
Subject: Re: SHA-2 based HMAC algorithm...

nisse@lysator.liu.se (Niels Möller) writes:

>My gut-feeling is that the suggested keysize (64 bytes, 512 bits) for hmac-
>sha2-512 is ridiculously large for a symmetric cryptographic construction. 20
>bytes (160 bits) seem sufficient, and 32 bytes (256 bits) is overkill for the
>foreseeable future.

The convention, both for pre-SHA2 hashes, and in other protocols where SHA2
hashes are used, is to use the block size as the key size.  I agree that it's
overkill, but in pretty much every case where it's used, it's the output of a
PRF, and so key size doesn't really matter.

>Ah, and one other thing: Would it make sense to use hmac-sha2-224-96
>(different initial state) rather than hmac-sha2-256-96? I confess I never
>really understood the rationale behind sha2-224 and sha2-384.

To quote someone on another list (possibly SAAG), SHA2-224 and -384 were
created by NIST to confuse the crypto-clueless.  They're barely supported and
have no real reason for existence, please don't use them.

Peter.

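
Both Niels's reply (key sizes "can't usefully exceed the internal hash blocksize", later corrected to the digest size) and Dan's suggestion of fixing the key to "the largest not requiring an extra hash" come down to how RFC 2104 HMAC preprocesses its key at the block-size boundary. The following is an added illustration, not code from this thread or from any SSH implementation: a textbook HMAC next to Python's hmac module, with the key-handling cases pulled out as checkable functions. Keys and messages are constructed sample values; the known-answer value is RFC 4231 test case 1.

```python
"""HMAC key handling at the block-size boundary (RFC 2104).  Added example
for the discussion above, not code from the thread; the textbook version is
here only so the key preprocessing is visible, use hmac.new() for real work."""

import hashlib
import hmac


def rfc2104_hmac(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Textbook HMAC: a key longer than the block size B is first hashed down
    to digest size (Dan's "extra hash"); a shorter key is zero-padded to B."""
    block_size = hashlib.new(hash_name).block_size     # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def largest_key_without_extra_hash(hash_name: str) -> int:
    """Block size in bytes: the largest key HMAC uses without hashing it first."""
    return hashlib.new(hash_name).block_size


def matches_library(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    return hmac.compare_digest(rfc2104_hmac(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def short_key_equals_zero_padded(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """A key shorter than B and the same key zero-padded to B are, to HMAC,
    the same key: extra zero bytes up to the block size add nothing."""
    padded = key.ljust(largest_key_without_extra_hash(hash_name), b"\x00")
    return hmac.new(key, msg, hash_name).digest() == hmac.new(padded, msg, hash_name).digest()


def long_key_equals_hashed_key(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """For len(key) > B the effective key is H(key), i.e. digest-size material,
    so no key longer than B can carry more than digest-size entropy."""
    if len(key) <= largest_key_without_extra_hash(hash_name):
        raise ValueError("key must be longer than the block size for this check")
    hashed = hashlib.new(hash_name, key).digest()
    return hmac.new(key, msg, hash_name).digest() == hmac.new(hashed, msg, hash_name).digest()


def ssh_mac(key: bytes, msg: bytes, hash_name: str = "sha256", tag_len=None) -> bytes:
    """SSH-style MAC tag: the full digest, or its leading tag_len bytes for the
    "-96"-style truncated names (12 bytes for hmac-sha2-256-96)."""
    tag = hmac.new(key, msg, hash_name).digest()
    return tag if tag_len is None else tag[:tag_len]


def rfc4231_case1_ok() -> bool:
    """Known-answer check: RFC 4231 test case 1 for HMAC-SHA-256."""
    key, msg = b"\x0b" * 20, b"Hi There"
    return rfc2104_hmac(key, msg, "sha256").hex() == (
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")
```

The two equivalence functions are the practical content: a 32-byte key and the same key zero-padded to 64 bytes produce identical HMAC-SHA-256 tags, and a 65-byte key produces the same tags as its 32-byte SHA-256 digest. That is why the thread's candidates (digest size, or block size as the largest value that avoids the extra hash) are the only two natural choices, and why a protocol must pin one of them rather than letting peers pick.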

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 22:13:34 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 606A43A69C3 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 22:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-A7fYX75xIN for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 22:13:33 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 97BBF3A69BC for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 22:13:30 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id A2C2F19CFA4; Mon, 11 Apr 2011 05:13:27 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id E6B0419CF98 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:13:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id E5ZcQ3B+eiHa for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:13:25 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [66.197.186.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id 2984519CF93 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:13:24 +0000 (UTC)
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Mon, 11 Apr 2011 01:13:19 -0400
Message-ID: <47324940A2A547DB87B4D2787B531F20@element>
From: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
To: Niels "Möller" <nisse@lysator.liu.se>
Cc: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
References: <4D83E810.3030605@vandyke.com><02351C58882E45F9BE44C62542DE4C5B@element> <nnbp0ewr4d.fsf@stalhein.lysator.liu.se>
In-Reply-To: <nnbp0ewr4d.fsf@stalhein.lysator.liu.se>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Mon, 11 Apr 2011 01:13:21 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18197
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18263
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> My gut-feeling is that the suggested keysize (64 bytes,
> 512 bits) for hmac-sha2-512 is ridiculously large for a
> symmetric cryptographic construction. 20 bytes (160 bits)
> seem sufficient, and 32 bytes (256 bits) is overkill for
> the foreseeable future.

That could likely be the case.

On the other hand, if someone is going to choose HMAC-SHA2-512, they are 
likely choosing it for the bigger numbers over HMAC-SHA2-256.

I think HMAC-SHA2-512 is likely overkill. 64 bytes for integrity 
verification, appended to every message, is a lot. At the moment, I 
won't be implementing support for this algorithm because it just seems 
like it has little benefit over HMAC-SHA2-256.

If others don't plan to support SHA2-512 either, we can consider simply 
removing it.

But if people intend to support HMAC-SHA2-512, then they want it for the 
bigger numbers. And in that case, why not give them a big key size, too?

I'm not seeing how the larger key size hurts. According to my 
measurement at least, the performance impact of encryption and MAC is 
negligible compared to other aspects of an SSH session. It seems to me 
that the mammoth size of the digest itself would matter more than the 
key size, if you're going for SHA2-512 to begin with.

denis



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sun Apr 10 22:47:47 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D79D83A6993 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 22:47:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level: 
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5uDNbNAKsSh for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Sun, 10 Apr 2011 22:47:47 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id C3FCC3A68A2 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sun, 10 Apr 2011 22:47:45 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id C0D4919CFAA; Mon, 11 Apr 2011 05:47:41 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id BE13419CFA6 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:47:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id seLN649GLy7w for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:47:39 +0000 (UTC)
Received: from mail.lysator.liu.se (unknown [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id ECAF519CFA4 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 05:47:37 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id E457E40030 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 07:47:35 +0200 (CEST)
Received: by mail.lysator.liu.se (Postfix, from userid 1004) id DA4B240031; Mon, 11 Apr 2011 07:47:35 +0200 (CEST)
Received: from stalhein.lysator.liu.se (stalhein.lysator.liu.se [130.236.254.204]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPS id 3C8E740030; Mon, 11 Apr 2011 07:47:34 +0200 (CEST)
Received: from stalhein.lysator.liu.se (localhost [127.0.0.1]) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4) with ESMTP id p3B5lXBt016554; Mon, 11 Apr 2011 07:47:33 +0200 (MEST)
Received: (from nisse@localhost) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4/Submit) id p3B5lWjW016553; Mon, 11 Apr 2011 07:47:32 +0200 (MEST)
X-Authentication-Warning: stalhein.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=)
To: "denis bider \(Bitvise\)" <ietf-ssh2@denisbider.com>
Cc: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
Subject: Re: SHA-2 based HMAC algorithm...
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element> <nnbp0ewr4d.fsf@stalhein.lysator.liu.se> <47324940A2A547DB87B4D2787B531F20@element>
Date: Mon, 11 Apr 2011 07:47:32 +0200
In-Reply-To: <47324940A2A547DB87B4D2787B531F20@element> (denis bider's message of "Mon, 11 Apr 2011 01:13:21 -0400")
Message-ID: <nntye5uyob.fsf@stalhein.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

"denis bider (Bitvise)" <ietf-ssh2@denisbider.com> writes:

> On the other hand, if someone is going to choose HMAC-SHA2-512, they are 
> likely choosing it for the bigger numbers over HMAC-SHA2-256.

Not necessarily. On 64-bit hardware, sha512 can be faster than sha256
(in my implementation, I get 18 cycles/byte for sha256, and 12
cycles/byte for sha512, benchmarked on an intel core2. And 8
cycles/byte for sha1).

I was a bit surprised when I first noticed this. Without any deep
analysis, I think it simply works like this: the compression function
takes more time for sha512 than sha256 (30% slower in my benchmarks),
but then it processes twice as many input bytes.

> I'm not seeing how the larger key size hurts.

I guess it's no big problem, just a few more bytes to generate from the
"raw" session key. I was asking for a motivation, since I thought you
might have had some reason, besides the annoying incompatibility, to
complain about the existing implementations using 16 byte or 20 byte hmac
keys for hmac-sha256@ssh.com. To me it would make some sense to stick
to a 20 byte (160 bit) key for all hmac-sha2 variants.

But if there's no more compelling motivation than "that's what other
protocols are doing", I guess I will have to be satisfied with that.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
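A way to check Niels's observation on one's own hardware, as an added Python example (this is not Niels's benchmark code; his cycle counts come from his own implementation): it measures the throughput of hashlib's SHA-1, SHA-256 and SHA-512 on a constructed buffer and puts his block-size explanation into numbers. Results are machine-dependent; on CPUs with SHA extensions SHA-256 is hardware-accelerated and the ordering commonly reverses.

```python
import hashlib
import time


def throughput_mib_per_s(hash_name: str, size: int = 1 << 20, rounds: int = 8) -> float:
    """Hash `rounds` copies of a `size`-byte constructed buffer; return MiB/s."""
    buf = b"\x5a" * size                      # constructed input
    h = hashlib.new(hash_name)
    start = time.perf_counter()
    for _ in range(rounds):
        h.update(buf)
    elapsed = time.perf_counter() - start
    h.digest()                                # finalise so the work is not skipped
    return (size * rounds) / (1 << 20) / elapsed


def block_geometry(hash_name: str) -> dict:
    """Block and digest sizes: one SHA-512 compression consumes twice the
    bytes of one SHA-256 compression (128 vs 64)."""
    h = hashlib.new(hash_name)
    return {"block_size": h.block_size, "digest_size": h.digest_size}


def per_byte_cost_ratio(compression_slowdown: float, block_ratio: float) -> float:
    """Niels's explanation in numbers: if one SHA-512 compression costs
    `compression_slowdown` times a SHA-256 compression but covers
    `block_ratio` times as many bytes, per-byte cost scales by the quotient."""
    return compression_slowdown / block_ratio


def compare(hash_names=("sha1", "sha256", "sha512")) -> dict:
    """Measured throughput per algorithm on this machine."""
    return {name: throughput_mib_per_s(name) for name in hash_names}


if __name__ == "__main__":
    for name, mib in compare().items():
        print(f"{name:7s} {mib:8.1f} MiB/s  block={block_geometry(name)['block_size']}")
    # 30% slower compression over twice the bytes predicts 0.65; Niels measured 12/18.
    print("predicted sha512/sha256 per-byte cost:", per_byte_cost_ratio(1.3, 2))
    print("measured ratio 12/18 =", round(12 / 18, 2))
```

The benchmark hashes whole buffers, which is the best case for SHA-512; SSH MACs run over individual packets, where the per-call overhead of the larger 128-byte block also matters.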

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 00:12:30 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E66F53A6A91 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 00:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.572
X-Spam-Level: 
X-Spam-Status: No, score=-3.572 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pt7Hy8L7oI5d for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 00:12:28 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 352513A6AA9 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 00:12:28 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 0460319CFB4; Mon, 11 Apr 2011 07:12:20 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id F068219CFB3 for <ietf-ssh@netbsd.org>; Mon, 11 Apr 2011 07:12:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass header.i=pgut001@cs.auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id BiaFisQdnRpp for <ietf-ssh@netbsd.org>; Mon, 11 Apr 2011 07:12:17 +0000 (UTC)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mx2.auckland.ac.nz", Issuer "AusCERT Server CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 9B11719CFAD for <ietf-ssh@netbsd.org>; Mon, 11 Apr 2011 07:12:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302505937; x=1334041937; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20dbrown@certicom.com,=20ietf-ssh2@denisbider.com, =20nisse@lysator.liu.se,=0D=0A=20=20=20=20pgut001@cs.auck land.ac.nz|Subject:=20Re:=20SHA-2=20based=20HMAC=20algori thm...|Cc:=20galb-list@vandyke.com,=20ietf-ssh@NetBSD.org |In-Reply-To:=20<D8DB0F308C10F349BE8FADE31B9A809F052E42C3 @XCH117CNC.rim.net>|Message-Id:=20<E1Q9BIB-0007CL-9n@logi n01.fos.auckland.ac.nz>|Date:=20Mon,=2011=20Apr=202011=20 19:12:11=20+1200; bh=KzD10HKUVUw/aKUvCuHnPbNnpJDly7nOHcTWFO8ZE4k=; b=FmAUQMPgu1zXrI3opvkdJeIlancQKw+f+ai9VJ7Vs2FPPiwLd9CyPfeA zBD7351zwdmZxXULD/ss5lD3H7MqtytvAIIxHiMDdB19FNir50Ltu4bid KC43N5Mt6tiPqVsmYH11Gv7kWbruqcB+KU3TSMH0jSubSmnyx+b0jaGx0 k=;
X-IronPort-AV: E=Sophos;i="4.63,338,1299409200";  d="scan'208";a="56232826"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Apr 2011 19:12:11 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q9BIB-0003CC-HG; Mon, 11 Apr 2011 19:12:11 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q9BIB-0007CL-9n; Mon, 11 Apr 2011 19:12:11 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: dbrown@certicom.com, ietf-ssh2@denisbider.com, nisse@lysator.liu.se, pgut001@cs.auckland.ac.nz
Subject: Re: SHA-2 based HMAC algorithm...
Cc: galb-list@vandyke.com, ietf-ssh@NetBSD.org
In-Reply-To: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net>
Message-Id: <E1Q9BIB-0007CL-9n@login01.fos.auckland.ac.nz>
Date: Mon, 11 Apr 2011 19:12:11 +1200
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Dan Brown <dbrown@certicom.com> writes:

>What about FIPS 180-4, which, if I recall, defines SHA-512-256, a truncation
>of SHA-512 with a different IV?
>
>Arguably for use in HMAC it could be truncated to 128 bits (or less), so one
>could have:
>
>HMAC-SHA2-512-256-128

Argh, no!  The point is to have a single common SHA2 version that everyone can
agree on (or possibly two), not to do a breadth-first walk of every bizarre
mutation of SHA2 that NIST has dreamed up.  Currently we have SHA2-256,
SHA2-512, SHA2-384, SHA2-224, SHA2-chipotle, SHA2-streaky-bacon,
SHA2-thousand-island, SHA2-chunky, SHA2-extra-chunky, SHA2-barbeque,
SHA2-salt-and-vinegar, SHA2-balsamic-vinaigrette, SHA2-caesar,
SHA2-organic-sea-salt, and SHA2-barium-enema, but what's mostly implemented in
practice is SHA2-256 and... nope, can't actually recall seeing anything else in
use in practice [0].  So all we need to do is choose one standard mode with 256
bits of output to match SHA2-256, and probably another one for SHA2-512 for
people who feel the need to make that particular fashion statement.  Just
because NIST hands us a really long coil of rope, doesn't mean we have to use
it [1].

Peter.

[0] OK, I've seen -512 and -384 in obscure, isolated implementations, but I've
    also seen Whirlpool and Tiger and others.  I think I saw SHA-224 on
    display at the Ripley's Odditorium, but it may have been Haval.
[1] This rant contains approximately 85% recycled content from another list
    that's just gone through the same thing.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 07:56:20 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 090793A6889 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 07:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level: 
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORZ10zG16BEQ for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 07:56:19 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id ED0053A69FF for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 07:56:18 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 7F7CC19D0DB; Mon, 11 Apr 2011 14:56:15 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id BBC1519D06B for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 14:56:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Z94FwYArUdae for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 14:56:09 +0000 (UTC)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mhs060cnc.rim.net", Issuer "Thawte SSL CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id A9AB119CFAA for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 14:56:08 +0000 (UTC)
X-AuditID: 0a41282f-b7bfdae000005b36-ff-4da316583fe9
Received: from XHT105CNC.rim.net (xht105cnc.rim.net [10.65.12.216]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by mhs060cnc.rim.net (SBG) with SMTP id 17.61.23350.85613AD4; Mon, 11 Apr 2011 14:55:20 +0000 (GMT)
Received: from XCH117CNC.rim.net ([fe80::b8df:541f:9d85:9909]) by XHT105CNC.rim.net ([fe80::24dd:699b:a19e:2bcc%11]) with mapi; Mon, 11 Apr 2011 10:55:19 -0400
From: Dan Brown <dbrown@certicom.com>
To: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>, "ietf-ssh2@denisbider.com" <ietf-ssh2@denisbider.com>, "nisse@lysator.liu.se" <nisse@lysator.liu.se>
CC: "galb-list@vandyke.com" <galb-list@vandyke.com>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Date: Mon, 11 Apr 2011 10:55:19 -0400
Subject: RE: SHA-2 based HMAC algorithm...
Thread-Topic: SHA-2 based HMAC algorithm...
Thread-Index: Acv4F840UT84aZ7ERuWZk21QL9rO7wAPgqiA
Message-ID: <D8DB0F308C10F349BE8FADE31B9A809F052E42C4@XCH117CNC.rim.net>
References: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net> <E1Q9BIB-0007CL-9n@login01.fos.auckland.ac.nz>
In-Reply-To: <E1Q9BIB-0007CL-9n@login01.fos.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> -----Original Message-----
> From: ietf-ssh-owner@NetBSD.org [mailto:ietf-ssh-owner@NetBSD.org] On
> Behalf Of Peter Gutmann

> Dan Brown <dbrown@certicom.com> writes:
> 
> >What about FIPS 180-4, which, if I recall, defines SHA-512-256, a
> >truncation of SHA-512 with a different IV?
> >
> >Arguably for use in HMAC it could be truncated to 128 bits (or less),
> >so one could have:
> >
> >HMAC-SHA2-512-256-128
> 
> Argh, no!  The point is to have a single common SHA2 version that
> everyone can

I agree: a single interoperable HMAC-SHA2 variant is sensible, since all SSH
implementations should have no problem.

So, my points were merely (a) to give SSH a heads up on NIST activities, and
(b) to suggest a future naming solution for any future 180-4 adherents: use
three #s, but I admit that I'm not sure how much SSH needs to NIST-comply.

> [1] This rant 

In NIST's defense: (1) hashes tend to get used in bizarre ways, hence the need
for extra care (new IVs in draft FIPS 180-4), and (2) it is not uncommon that
crypto algorithms include steps which do not prevent known attacks (e.g.
provably secure algs, OAEP, PSS, etc., some of which may later resist later
discovered attacks, but others which may never.)

SSH is surely not a case of (1), so probably no need for draft FIPS 180-4,
i.e. HMAC-SHA2-512 can go without the new IV, for the few who'd use SHA-512
(say, for the speed?)

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential
information, privileged material (including material protected by the
solicitor-client or other applicable privileges), or constitute non-public
information. Any use of this information by anyone other than the intended
recipient is prohibited. If you have received this transmission in error,
please immediately reply to the sender and delete this information from your
system. Use, dissemination, distribution, or reproduction of this transmission
by unintended recipients is not authorized and may be unlawful.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 08:17:34 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A87C28C12C for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 08:17:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.053
X-Spam-Level: 
X-Spam-Status: No, score=-5.053 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y+9shIhlPQrq for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 08:17:33 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id 1928728C12B for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 08:17:33 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 7E33B19D0DB; Mon, 11 Apr 2011 15:17:29 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 4AE0719D0D9 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 15:17:26 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Bx8vdYMpaLDC for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 15:17:25 +0000 (UTC)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mhs060cnc.rim.net", Issuer "Thawte SSL CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 5E8C619D0CF for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 15:17:25 +0000 (UTC)
X-AuditID: 0a41282f-b7bfdae000005b36-72-4da31b83d0b0
Received: from XHT108CNC.rim.net (xht108cnc.rim.net [10.65.22.54]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by mhs060cnc.rim.net (SBG) with SMTP id DC.24.23350.38B13AD4; Mon, 11 Apr 2011 15:17:23 +0000 (GMT)
Received: from XCH117CNC.rim.net ([fe80::b8df:541f:9d85:9909]) by XHT108CNC.rim.net ([fe80::5ccc:ad5f:1697:fdbb%11]) with mapi; Mon, 11 Apr 2011 11:17:23 -0400
From: Dan Brown <dbrown@certicom.com>
To: =?iso-8859-1?Q?=27Niels_M=F6ller=27?= <nisse@lysator.liu.se>
CC: "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, "ietf-ssh2@denisbider.com" <ietf-ssh2@denisbider.com>, "galb-list@vandyke.com" <galb-list@vandyke.com>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Date: Mon, 11 Apr 2011 11:17:22 -0400
Subject: RE: SHA-2 based HMAC algorithm...
Thread-Topic: SHA-2 based HMAC algorithm...
Thread-Index: Acv3oa83dkSCjxQmQjqFgnrYnSJjgQAtw+3A
Message-ID: <D8DB0F308C10F349BE8FADE31B9A809F052E42C5@XCH117CNC.rim.net>
References: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net> <nn39lqvxwc.fsf@stalhein.lysator.liu.se>
In-Reply-To: <nn39lqvxwc.fsf@stalhein.lysator.liu.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> -----Original Message-----
> From: Niels Möller [mailto:nisse@lysator.liu.se]
> Sent: Sunday, April 10, 2011 1:07 PM
> 
> Dan Brown <dbrown@certicom.com> writes:
> 
> > Nevertheless, parties must use the same key size, maybe the protocol,
> > i.e. SSH, using HMAC should fix key size to the largest not requiring an
> > extra hash?
> 
> The size must be specified. But using the hash block size (which I think
> is what you're suggesting) seems unnecessarily large. That would mean

You're right: what I said implies a block size key, which is larger than the
hash size.  I perhaps intended hash size: I was wrongly thinking that the HMAC
definition hashed any keys longer than the hash size.

This may be unnecessarily large, but it's not too costly to generate a block
length key pseudo-randomly.

> 512
> bits for hmac-sha1 (for which use in the ssh protocol is specified to
> use a 160 bit key), and 1024 bits for hmac-sha2-512, which I find
> totally out of proportion. And the effective key size (i.e., the size
> of the internal state an attacker needs to recover in order to form
> valid MACs) is limited to the digest size, or possibly twice the digest
> size, if I understand hmac correctly.

I don't quite understand your argument about the internal state.

I agree that a tag-guessing attack has success rate depending only on the tag
size.  So, with respect to forging a single MAC, there seems to be no advantage
to having a key larger than a MAC.

If the MAC key is re-used, then the situation is a little different.  As I
understand HMAC, every block-sized key should create a different MAC function
because of the outer hash (with opad). I'm not seeing the hash-length
bottleneck of the internal state.

That all said, the way MACs are generally used is for immediate
authentication.  So, in terms of the threat prevented, MACs are an algorithm
of least concern.  By contrast, digital signatures and encryption sometimes
need long-term protection to resist future attackers (though I suppose MACs
used in storage need long term protection), so an argument for larger key
sizes may be useful in those cases.

Therefore, the minimum key size recommended for HMAC, the hash length, is
probably fine.  Indeed, if one matches AES-128 with HMAC-SHA256, then the
authentication key is already twice the size of the encryption key (which is
backwards according to the prudent future-proofing argument above).


From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 12:36:14 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85E093A693D for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 12:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.003
X-Spam-Level: 
X-Spam-Status: No, score=-5.003 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yrtgyIC9-7C for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 11 Apr 2011 12:36:13 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by core3.amsl.com (Postfix) with ESMTP id E29ED3A6953 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 12:36:12 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id F355B19CFC1; Mon, 11 Apr 2011 19:36:11 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id E7ACE19CF81 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 19:36:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Inx63e1tkLEk for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 19:36:09 +0000 (UTC)
Received: from mhs061cnc.rim.net (mhs061cnc.rim.net [208.65.73.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mhs061cnc.rim.net", Issuer "Thawte SSL CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id F415919CE58 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 19:36:08 +0000 (UTC)
X-AuditID: 0a412830-b7b38ae00000638b-f2-4da33f874ca3
Received: from XHT110CNC.rim.net (xht110cnc.rim.net [10.65.22.55]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by mhs061cnc.rim.net (SBG) with SMTP id 6E.54.25483.78F33AD4; Mon, 11 Apr 2011 17:51:03 +0000 (GMT)
Received: from XCH117CNC.rim.net ([fe80::b8df:541f:9d85:9909]) by XHT110CNC.rim.net ([fe80::d0e9:e16f:525b:55f5%11]) with mapi; Mon, 11 Apr 2011 13:51:02 -0400
From: Dan Brown <dbrown@certicom.com>
To: Dan Brown <dbrown@certicom.com>, =?iso-8859-1?Q?=27Niels_M=F6ller=27?= <nisse@lysator.liu.se>
CC: "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, "ietf-ssh2@denisbider.com" <ietf-ssh2@denisbider.com>, "galb-list@vandyke.com" <galb-list@vandyke.com>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Date: Mon, 11 Apr 2011 13:51:02 -0400
Subject: RE: SHA-2 based HMAC algorithm...
Thread-Topic: SHA-2 based HMAC algorithm...
Thread-Index: Acv3oa83dkSCjxQmQjqFgnrYnSJjgQAtw+3AAAXypFA=
Message-ID: <D8DB0F308C10F349BE8FADE31B9A809F052E42C7@XCH117CNC.rim.net>
References: <D8DB0F308C10F349BE8FADE31B9A809F052E42C3@XCH117CNC.rim.net> <nn39lqvxwc.fsf@stalhein.lysator.liu.se> <D8DB0F308C10F349BE8FADE31B9A809F052E42C5@XCH117CNC.rim.net>
In-Reply-To: <D8DB0F308C10F349BE8FADE31B9A809F052E42C5@XCH117CNC.rim.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> -----Original Message-----
> From: ietf-ssh-owner@NetBSD.org [mailto:ietf-ssh-owner@NetBSD.org] On
> Behalf Of Dan Brown
> Sent: Monday, April 11, 2011 11:17 AM
> To: 'Niels Möller'
> 
> > 512
> > bits for hmac-sha1 (for which use in the ssh protocol is specified to
> > use a 160 bit key), and 1024 bits for hmac-sha2-512, which I find
> > totally out of proportion. And the effective key size (i.e., the size
> > of the internal state an attacker needs to recover in order to form
> > valid MACs) is limited to the digest size, or possibly twice the digest
> > size, if I understand hmac correctly.
> 
> I don't quite understand your argument about the internal state.
> 

Oops, now I understand.  Sorry.  Your argument is right.  The pair of values
Hash(K+opad) and Hash(K+ipad) is indeed an internal state, and is a bottleneck
on the effective key size equal to twice the hash (digest) length.


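The internal-state argument that Niels raised and Dan worked through in his two messages above, shown in an added Python example (this is not code from the list or from any poster's implementation): HMAC is built exactly as RFC 2104 specifies, so the only key-derived secrets are the two chaining values from absorbing K xor ipad and K xor opad, keys shorter than the block size are zero-padded, and keys longer than the block size are first hashed. Key and message bytes are constructed for the demonstration; the hand-built MAC is cross-checked against Python's hmac module.

```python
import hashlib
import hmac as stdlib_hmac


def hmac_states(key: bytes, hash_name: str = "sha256"):
    """Derive the two hash states that HMAC (RFC 2104) keeps for a key.

    A key longer than the hash's block size is replaced by its digest;
    a shorter key is right-padded with zero bytes up to the block size.
    The padded key is XORed with ipad (0x36) and opad (0x5c) and each
    variant is absorbed into a fresh hash. Everything the MAC later does
    depends only on this pair of states, each one digest in size.
    """
    block_size = hashlib.new(hash_name).block_size   # 64 for sha256, 128 for sha512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key))
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in key))
    return inner, outer


def my_hmac(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m)), from the saved states."""
    inner, outer = hmac_states(key, hash_name)
    inner.update(msg)
    outer.update(inner.digest())
    return outer.digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    expected = stdlib_hmac.new(key, msg, hash_name).digest()
    return stdlib_hmac.compare_digest(my_hmac(key, msg, hash_name), expected)


def effective_key_bits(hash_name: str) -> int:
    """Upper bound on the secret an attacker must recover to forge MACs:
    the two saved states, i.e. twice the digest length (Dan Brown's
    conclusion above), however long the key that produced them was."""
    return 2 * hashlib.new(hash_name).digest_size * 8


def demo(hash_name: str = "sha256") -> dict:
    """Show the three key-handling facts with constructed keys."""
    msg = b"SSH packet payload (constructed)"
    short_key = b"k" * 16
    block_size = hashlib.new(hash_name).block_size
    long_key = b"x" * (block_size + 1)
    return {
        # Zero padding: a short key and the same key with trailing zero
        # bytes yield identical states, hence identical MACs.
        "trailing_zero_equivalent": my_hmac(short_key, msg, hash_name)
        == my_hmac(short_key + b"\x00\x00", msg, hash_name),
        # A leading zero byte does change the padded key, so MACs differ.
        "leading_zero_differs": my_hmac(short_key, msg, hash_name)
        != my_hmac(b"\x00" + short_key, msg, hash_name),
        # A key longer than the block size is reduced to its digest first,
        # so it can never contribute more than digest-size entropy.
        "long_key_reduced": my_hmac(long_key, msg, hash_name)
        == my_hmac(hashlib.new(hash_name, long_key).digest(), msg, hash_name),
        "effective_key_bits": effective_key_bits(hash_name),
    }


if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        print(name, demo(name), "stdlib match:", matches_stdlib(b"k" * 32, b"m", name))
```

The trailing-zero equivalence is why uniformly random keys are assumed: a key with trailing zero bytes is not weaker, but it is indistinguishable from its shorter prefix, so key length between the digest size and the block size buys entropy only if the key-generation function actually fills those bytes.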
From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 16:34:50 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 560EBE06A8 for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 16:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4XuWlx3ngr5o for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 16:34:49 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by ietfc.amsl.com (Postfix) with ESMTP id B08EAE06B6 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 16:34:44 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 0458719CE33; Mon, 11 Apr 2011 23:34:40 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 8DEFA19CE21 for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 23:34:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 6WJ7Cup7DdWH for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 23:34:38 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [66.197.186.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id D074119CE1F for <ietf-ssh@NetBSD.org>; Mon, 11 Apr 2011 23:34:37 +0000 (UTC)
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Mon, 11 Apr 2011 19:34:39 -0400
Message-ID: <BEB01FCF1C3E48EF9F6357F16895A266@element>
From: "denis bider" <d3@denisbider.com>
To: =?iso-8859-1?Q?Niels_=22M=F6ller=22?= <nisse@lysator.liu.se>
Cc: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
References: <4D83E810.3030605@vandyke.com><02351C58882E45F9BE44C62542DE4C5B@element><nnbp0ewr4d.fsf@stalhein.lysator.liu.se><47324940A2A547DB87B4D2787B531F20@element> <nntye5uyob.fsf@stalhein.lysator.liu.se>
In-Reply-To: <nntye5uyob.fsf@stalhein.lysator.liu.se>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Mon, 11 Apr 2011 19:34:26 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18197
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18263
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> I was asking for a motivation, since I thought you might
> have had some reason, besides the annoying incompatibility,
> to complain on the existing implementations using 16 byte
> or 20 byte hmac keys for hmac-sha256@ssh.com). To me it
> would make some sense to stick to a 20 byte (160 bit)
> key for all hmac-sha2 variants.

If we're moving towards a 256-bit hash for key exchange as well as data 
integrity, then the output of the key generation function will be 
256-bit, and we would have to truncate that output if we want the HMAC 
key to be 160 bits. I don't see a compelling reason to not use the whole 
key, given that we're generating it anyway.

That's my response to "why 32-byte key for hmac-sha2-256".

As for whether the key size for hmac-sha2-512 is 32 bytes or 64 bytes, I 
don't have a strong preference either way.

denis

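The key-expansion argument in the message above, as an added example that is not part of the original thread: RFC 4253 section 7.2 key derivation run with a SHA-256 kex hash, showing that a 32-byte MAC key is exactly one hash output, a 20-byte key is a truncated prefix of it, and a 64-byte key for hmac-sha2-512 needs a second derivation round. The shared secret, exchange hash and packet bytes are constructed sample values, not captured SSH traffic.

```python
import hashlib
import hmac

# Constructed sample values (not real SSH traffic): a shared secret K as an
# integer and an exchange hash H. For the first key exchange of a session,
# RFC 4253 defines session_id to be that first H.
SAMPLE_K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
SAMPLE_H = hashlib.sha256(b"constructed exchange hash").digest()
SAMPLE_SESSION_ID = SAMPLE_H


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): uint32 length,
    then big-endian bytes with a leading 0x00 if the top bit would be set."""
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def derive_key(hash_name: str, K: int, H: bytes, letter: bytes,
               session_id: bytes, need: int) -> bytes:
    """RFC 4253 section 7.2 key derivation using the kex HASH:
    K1 = HASH(K || H || X || session_id), K2 = HASH(K || H || K1), ...
    The concatenation is cut to 'need' bytes, so a key shorter than one HASH
    output is a prefix of K1, and a longer one costs extra hash rounds."""
    digest = lambda data: hashlib.new(hash_name, data).digest()
    k_enc = ssh_mpint(K)
    out = digest(k_enc + H + letter + session_id)
    while len(out) < need:
        out += digest(k_enc + H + out)
    return out[:need]


def integrity_keys(hash_name: str = "sha256") -> dict:
    """Client-to-server integrity keys (letter 'E') at the three sizes discussed
    on the list: 20 bytes (SHA-1 sized), 32 bytes (hmac-sha2-256) and 64 bytes
    (hmac-sha2-512 with a full-size key)."""
    return {need: derive_key(hash_name, SAMPLE_K, SAMPLE_H, b"E", SAMPLE_SESSION_ID, need)
            for need in (20, 32, 64)}


def mac_tag(mac_hash: str, key: bytes, seq: int, packet: bytes) -> bytes:
    """SSH transport MAC (RFC 4253 section 6.4): HMAC over the uint32 sequence
    number followed by the unencrypted packet. HMAC (RFC 2104) accepts any key
    length, so 20-, 32- and 64-byte keys all work; the size is an interop choice."""
    return hmac.new(key, seq.to_bytes(4, "big") + packet, mac_hash).digest()
```

With a SHA-256 kex hash, `integrity_keys()[32]` is the raw K1 with nothing truncated or extended, which is the point made in the message.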


From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 17:37:53 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id DA236E067F for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 17:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.704
X-Spam-Level: 
X-Spam-Status: No, score=-1.704 tagged_above=-999 required=5 tests=[AWL=-0.594, BAYES_05=-1.11]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSvKayETIXYZ for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 17:37:50 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by ietfc.amsl.com (Postfix) with ESMTP id 4458BE0613 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 17:37:50 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id B874419D151; Tue, 12 Apr 2011 00:37:46 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id A4E9C19D11B for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 00:37:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id bNtSv1nQ13BX for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 00:37:45 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [66.197.186.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id F1C4419CFD8 for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 00:37:44 +0000 (UTC)
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Mon, 11 Apr 2011 19:37:38 -0400
Message-ID: <D9A3449893154A6D8EFEDE09FBECDEEE@element>
From: "denis bider" <d3@denisbider.com>
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, <dbrown@certicom.com>, <nisse@lysator.liu.se>
Cc: <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
References: <E1Q9BIB-0007CL-9n@login01.fos.auckland.ac.nz>
In-Reply-To: <E1Q9BIB-0007CL-9n@login01.fos.auckland.ac.nz>
Subject: Re: SHA-2 based HMAC algorithm...
Date: Mon, 11 Apr 2011 19:37:25 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18197
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18263
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

> Argh, no!  The point is to have a single common SHA2 version
> that everyone can agree on (or possibly two), not to do a
> breadth-first walk of every bizarro mutation of SHA2
> that NIST has dreamed up.

That made me laugh. :-)

Agreed entirely.

denis



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Apr 11 22:13:45 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 13787E0719 for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 22:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level: 
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5qfZ1um1B0Pz for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Mon, 11 Apr 2011 22:13:44 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by ietfc.amsl.com (Postfix) with ESMTP id 4F983E0711 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 11 Apr 2011 22:13:44 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 4D22B19D18C; Tue, 12 Apr 2011 05:13:40 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 92B6119D15D for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 05:13:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Tuij9Ku5WsOg for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 05:13:38 +0000 (UTC)
Received: from mail.lysator.liu.se (unknown [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id D147C19CEF5 for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 05:13:34 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id E5CFB40009 for <ietf-ssh@NetBSD.org>; Tue, 12 Apr 2011 07:13:31 +0200 (CEST)
Received: by mail.lysator.liu.se (Postfix, from userid 1004) id DB13B4000E; Tue, 12 Apr 2011 07:13:31 +0200 (CEST)
Received: from stalhein.lysator.liu.se (stalhein.lysator.liu.se [130.236.254.204]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPS id 7515B40002; Tue, 12 Apr 2011 07:13:30 +0200 (CEST)
Received: from stalhein.lysator.liu.se (localhost [127.0.0.1]) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4) with ESMTP id p3C5DUJ4023528; Tue, 12 Apr 2011 07:13:30 +0200 (MEST)
Received: (from nisse@localhost) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4/Submit) id p3C5DSmE023527; Tue, 12 Apr 2011 07:13:28 +0200 (MEST)
X-Authentication-Warning: stalhein.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=)
To: "denis bider" <d3@denisbider.com>
Cc: "Joseph Galbraith" <galb-list@vandyke.com>, <ietf-ssh@NetBSD.org>
Subject: Re: SHA-2 based HMAC algorithm...
References: <4D83E810.3030605@vandyke.com> <02351C58882E45F9BE44C62542DE4C5B@element> <nnbp0ewr4d.fsf@stalhein.lysator.liu.se> <47324940A2A547DB87B4D2787B531F20@element> <nntye5uyob.fsf@stalhein.lysator.liu.se> <BEB01FCF1C3E48EF9F6357F16895A266@element>
Date: Tue, 12 Apr 2011 07:13:28 +0200
In-Reply-To: <BEB01FCF1C3E48EF9F6357F16895A266@element> (denis bider's message of "Mon, 11 Apr 2011 19:34:26 -0400")
Message-ID: <nnpqost5l3.fsf@stalhein.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

"denis bider" <d3@denisbider.com> writes:

> If we're moving towards a 256-bit hash for key exchange as well as data 
> integrity, then the output of the key generation function will be 
> 256-bit, and we would have to truncate that output if we want the HMAC 
> key to be 160 bits. 

I see. Thanks for the explanation.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Apr 13 22:45:54 2011
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 14EA4E0670 for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Wed, 13 Apr 2011 22:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.509
X-Spam-Level: 
X-Spam-Status: No, score=-3.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y+FEkIwwwObF for <ietfarch-secsh-tyoxbijeg7-archive@ietfc.amsl.com>; Wed, 13 Apr 2011 22:45:52 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:216:3eff:fe67:11]) by ietfc.amsl.com (Postfix) with ESMTP id 287F1E069D for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 13 Apr 2011 22:45:52 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D0AFA19D62B; Thu, 14 Apr 2011 05:45:50 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 624F919D62E for <ietf-ssh@netbsd.org>; Thu, 14 Apr 2011 05:45:49 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass header.i=pgut001@cs.auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id whAI5WVQCID0 for <ietf-ssh@netbsd.org>; Thu, 14 Apr 2011 05:45:48 +0000 (UTC)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mx2.auckland.ac.nz", Issuer "AusCERT Server CA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 0D74819D622 for <ietf-ssh@netbsd.org>; Thu, 14 Apr 2011 05:45:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302759948; x=1334295948; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20anakin@pobox.com,=20galb-list@vandyke.com,=20ietf- ssh2@denisbider.com,=0D=0A=20=20=20=20jhutz@cmu.edu,=20md b@juniper.net,=20pgut001@cs.auckland.ac.nz|Subject:=20Re: =20SHA-2=20based=20HMAC=20algorithm...|Cc:=20ietf-ssh@Net BSD.org|In-Reply-To:=20<E1Q8URV-0001Py-OU@atreus.tartarus .org>|Message-Id:=20<E1QAFMw-0007da-8u@login01.fos.auckla nd.ac.nz>|Date:=20Thu,=2014=20Apr=202011=2017:45:30=20+12 00; bh=dSxwjY4ZdOIBFEgE79Ep4zNdOPTMywJFm3cNE13oumI=; b=Fdni18u9Q13vYoJyrxUwvV2qogEz97DK0gV5CNg7MwTTJQGA0YjJLS6h +D5pJ/8YqgfW1nJycdm0ZswMRosvRsJvKFIYADrDrlG1neVYG4BoD5neA cdblfxwHFKziH97n7TQEVrxwyXYKR/bYMTbH74FZEZ+ut9+02pSrY9eto 4=;
X-IronPort-AV: E=Sophos;i="4.64,209,1301832000";  d="scan'208";a="56788920"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 14 Apr 2011 17:45:30 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QAFMw-0003tP-HB; Thu, 14 Apr 2011 17:45:30 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QAFMw-0007da-8u; Thu, 14 Apr 2011 17:45:30 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: anakin@pobox.com, galb-list@vandyke.com, ietf-ssh2@denisbider.com, jhutz@cmu.edu, mdb@juniper.net, pgut001@cs.auckland.ac.nz
Subject: Re: SHA-2 based HMAC algorithm...
Cc: ietf-ssh@NetBSD.org
In-Reply-To: <E1Q8URV-0001Py-OU@atreus.tartarus.org>
Message-Id: <E1QAFMw-0007da-8u@login01.fos.auckland.ac.nz>
Date: Thu, 14 Apr 2011 17:45:30 +1200
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Simon Tatham <anakin@pobox.com> writes:

>I've uploaded a complete set of PuTTY executables (in the 'x86' subdir) and
>source archives modified for SHA-2 support, together with the source code
>patch (in 'sha2.diff'). I've verified that all four of the new MACs work
>against OpenSSH 5.8p1

Works with cryptlib as well, after a two-line change :-).

(One minor gripe, it would be nice if Putty's log window was resizeable and/or
defaulted to being a bit larger than two adjacent low-denomination postage
stamps).

Peter.
