From owner-ietf-ssh@clinet.fi  Wed Jan  7 03:48:51 1998
From: Andrew Morgan <morgan@transmeta.com>
Subject: ssh patches (better PAM support) (fwd)
To: ietf-ssh@clinet.fi (SSH Mailing List)
Date: Tue, 6 Jan 1998 17:34:08 -0800 (PST)

----- Forwarded message from Andrew Morgan -----

From: Andrew Morgan <morgan@transmeta.com>
Subject: ssh patches (better PAM support)
To: pam-list@redhat.com (Linux-PAM)
Date: Tue, 6 Jan 1998 10:40:42 -0800 (PST)

Hi,

I've uploaded the latest version of my ssh->PAM patch:

	http://www.kernel.org/pub/linux/libs/pam/pre/ssh-PAM-mods.tar.gz
	ftp://www.kernel.org/pub/linux/libs/pam/pre/ssh-PAM-mods.tar.gz

Over the previous version, this patch makes a (weak) attempt to
integrate the PAM environment setting conventions into sshd.

A note on the version: 1.2.20 (4th revision).  If I recall there is
some security problem with this version related to the common user
being able to redirect ports arbitrarily.  Since this is a development
version of the PAM patch I'm not too bothered about upgrading, but if
anyone wants to do the donkey work and adapt the patch for the latest
and greatest release of ssh now, I'd be happy for them to do so.
Please post a pointer to the patches when you are done.

Note, my legal paranoia means that there is no crypto in my patches.
You will have to get the source for ssh from somewhere else (for help
on this there is a README in the above tar ball).

Further work:  we really need to work out how to plug in non-typed
authentication schemes.  There is a basic framework involving "BINARY"
message exchange (see the patch for the reserved tokens) but as to how
we do this, I have a blessing from Vipin to be creative...

[Suggestions are very welcome.  We will also need someone in a liberal
minded country to do some coding for things like RSA authentication
but we can worry about that after we've discussed it.]

Have fun,

Cheers

Andrew



----- End of forwarded message from Andrew Morgan -----
From owner-ietf-ssh@clinet.fi  Thu Jan 22 21:05:55 1998
Date: Thu, 22 Jan 1998 10:53:31 -0800 (PST)
From: Chris Newman <chris+ietf-ssh@INNOSOFT.COM>
Subject: SSH and Diffie-Hellman Key Exchange
To: IETF Secure Shell list <ietf-ssh@clinet.fi>

In reading the ssh-transport specification, I notice it gives very little
guidance for choosing the private random Diffie-Hellman parameter (beyond
saying 1 < x < q).

My understanding is that choosing an x which is less than log base g of p
would make it rather easy to derive x from g^x mod p.  Also if x is a
small number of bits, it could be brute-forced.

In addition, if x is a large number of bits, then the Diffie-Hellman
computations are very slow.  In my experimental prototype of the
cryptographic exchange (DSS + Diffie-Hellman), it took over 2 seconds on
my 180MHz PowerPC chip (PowerBook 2400c) to perform both ends of the
exchange when x was a random 1023 bit number.  Hand-coding the inner
multiply/add loop in assembly reduced this to 1 second, which is still a
bit slow for consumer products.  Dropping the size of x to 160 bits
reduced the time to 1/3 second for both ends of the exchange which I
consider acceptable (given the further improvement precomputation could
add).

So my question is, what is an acceptable number of bits to use when
generating x, and should some advice to this effect be included in the SSH
specification?

My speculation is that 160 bits is good enough, but I'm not a
cryptographer.  Any suggestions for where to read up about this?
Schneier's Applied Cryptography doesn't discuss real-world use of
Diffie-Hellman in any detail.

		- Chris

From owner-ietf-ssh@clinet.fi  Fri Jan 23 02:52:46 1998
Date: Thu, 22 Jan 1998 19:50:59 -0500
To: Chris Newman <chris+ietf-ssh@INNOSOFT.COM>,
        IETF Secure Shell list <ietf-ssh@clinet.fi>
From: David Jablon <dpj@world.std.com>
Subject: Re: SSH and Diffie-Hellman Key Exchange

At 10:53 AM 1/22/98 -0800, Chris Newman wrote:
>In reading the ssh-transport specification, I notice it gives very little
>guidance for choosing the private random Diffie-Hellman parameter (beyond
>saying 1 < x < q).
>
>My understanding is that choosing an x which is less than log base g of p
>would make it rather easy to derive x from g^x mod p.  Also if x is a
>small number of bits, it could be brute-forced. [...]
>
>My speculation is that 160 bits is good enough, but I'm not a
>cryptographer.  Any suggestions for where to read up about this?
>Schneier's Applied Cryptography doesn't discuss real-world use of
>Diffie-Hellman in any detail.

You want x to be at least twice the number of bits as you need
in the final key.  160-bits for x is good for an 80-bit key.
Here you could use the low 80 bits of a SHA1 hash
of the derived DH key.

See the Eurocrypt '96 van Oorschot & Wiener paper "On
Diffie-Hellman Key Agreement with Short Exponents" for details.
Full reference at: <http://world.std.com/~dpj/links.html>

------------------------------------
David Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
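
The sizing rule from this reply, together with the cost comparison in Chris Newman's message, as an added example (not code from the thread or from any SSH implementation). It uses the thread's own 1998 figures (160-bit x, 80-bit key, SHA-1). Assumptions: the 1024-bit Oakley Group 2 prime from RFC 2409 as the group, a fixed-width big-endian encoding of the shared secret before hashing, and all function names.

```python
import hashlib
import secrets

# Assumption: 1024-bit MODP prime of Oakley Group 2 (RFC 2409), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # order of the subgroup generated by G
G = 2

def private_exponent(bits):
    """Random x from the OS CSPRNG with 1 < x < q and x < 2**bits."""
    while True:
        x = secrets.randbits(bits)
        if 1 < x < Q:
            return x

def modmul_count(x):
    """Modular multiplications plain square-and-multiply spends on g^x."""
    return (x.bit_length() - 1) + (bin(x).count("1") - 1)

def session_key(shared, key_bits):
    """Low key_bits bits of SHA-1 over the fixed-width big-endian secret."""
    raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha1(raw).digest(), "big")
    return digest & ((1 << key_bits) - 1)

def exchange(key_bits=80, exp_bits=None):
    """Run both ends; exponents default to twice the key size."""
    exp_bits = exp_bits or 2 * key_bits
    a, b = private_exponent(exp_bits), private_exponent(exp_bits)
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    for pub in (pub_a, pub_b):          # refuse 0, 1 and p-1 from a peer
        if not 1 < pub < P - 1:
            raise ValueError("degenerate public value")
    key_a = session_key(pow(pub_b, a, P), key_bits)
    key_b = session_key(pow(pub_a, b, P), key_bits)
    # each side exponentiates twice: its public value and the shared secret
    return key_a, key_b, 2 * (modmul_count(a) + modmul_count(b))

if __name__ == "__main__":
    for bits in (160, 1023):
        ka, kb, muls = exchange(80, bits)
        print(bits, "bit x:", muls, "modmuls, keys agree:", ka == kb)
```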

From owner-ietf-ssh@clinet.fi  Fri Jan 23 10:08:07 1998
Date: Fri, 23 Jan 1998 10:02:12 +0200 (EET)
From: Markku-Juhani Saarinen <mjos@ssh.fi>
To: Chris Newman <chris+ietf-ssh@INNOSOFT.COM>
cc: IETF Secure Shell list <ietf-ssh@clinet.fi>
Subject: Re: SSH and Diffie-Hellman Key Exchange


On Thu, 22 Jan 1998, Chris Newman wrote:
 
> So my question is, what is an acceptable number of bits to use when
> generating x, and should some advice to this effect be included in the SSH
> specification?

The IPSec Oakley specification suggests using "at least" 180 bits of
entropy (draft-ietf-ipsec-oakley-02.txt, section 2.3.1.1).
Our own SSH2 implementation uses 192 bits.

> My speculation is that 160 bits is good enough, but I'm not a
> cryptographer.  Any suggestions for where to read up about this?
> Schneier's Applied Cryptography doesn't discuss real-world use of
> Diffie-Hellman in any detail.

P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement
with Short Exponents", in Eurocrypt 96 proceedings.

- mj

Markku-Juhani O. Saarinen <mjos@ssh.fi>, SSH Communications Security Ltd


From owner-ietf-ssh@clinet.fi  Fri Jan 23 10:20:09 1998
Date: Fri, 23 Jan 1998 10:18:15 +0200 (EET)
From: Markku-Juhani Saarinen <mjos@ssh.fi>
To: David Jablon <dpj@world.std.com>
cc: IETF Secure Shell list <ietf-ssh@clinet.fi>
Subject: Re: SSH and Diffie-Hellman Key Exchange

David Jablon wrote:

> You want x to be at least twice the number of bits as you need
> in the final key.  160-bits for x is good for an 80-bit key.
> Here you could use the low 80 bits of a SHA1 hash
> of the derived DH key.

Yes, the Pollard lambda method runs in O(w^(1/2)) time.

The SecSh key setup procedure is described in section 5.2 of
draft-ietf-secsh-transport-03.txt and differs from the procedure
you describe.

- mj

Markku-Juhani O. Saarinen <mjos@ssh.fi>, SSH Communications Security Ltd
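
The square-root cost behind the "twice the key bits" rule in this exchange, measured on a toy group as an added example (not code from the thread). Baby-step giant-step is used here in place of the Pollard lambda method named above because it is deterministic; it has the same O(w^(1/2)) running time but also needs O(w^(1/2)) memory, which the lambda method avoids. The modulus 2^31 - 1, generator 7 and all names are assumptions chosen so the search finishes instantly.

```python
from math import isqrt

P = 2**31 - 1   # toy prime modulus (assumption; far too small for real use)
G = 7           # primitive root modulo 2**31 - 1

def short_exponent_search(y, width_bits):
    """Find x with G^x == y (mod P) and 0 <= x < 2**width_bits.

    Returns (x, group_ops), where group_ops counts modular multiplications.
    """
    w = 1 << width_bits
    m = isqrt(w - 1) + 1                  # ceil(sqrt(w))
    table, cur = {}, 1
    for j in range(m):                    # baby steps: remember G^j -> j
        table.setdefault(cur, j)
        cur = cur * G % P
    ops = m
    step = pow(G, P - 1 - m, P)           # G^(-m), since G^(P-1) == 1
    gamma = y % P
    for i in range(m):                    # giant steps: y * G^(-i*m)
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * step % P
        ops += 1
    return None, ops                      # x was not in the stated interval

def measured_work(sizes=(16, 20, 24)):
    """(exponent bits, multiplications) for a constructed x near the top."""
    rows = []
    for bits in sizes:
        x = (1 << bits) - 12345           # constructed sample exponent
        found, ops = short_exponent_search(pow(G, x, P), bits)
        assert found == x
        rows.append((bits, ops))
    return rows

if __name__ == "__main__":
    for bits, ops in measured_work():
        print(f"{bits}-bit x recovered in {ops} mults (<= 2^{bits // 2 + 1})")
    # Same scaling: a 160-bit x costs on the order of 2^80 group operations,
    # which is why it is paired with an 80-bit key.
```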


