29 Oct 1998 10:10
Two ambiguities in transport protocol spec
Sigurdur Asgeirsson <siggi <at> undo.com>
1998-10-29 09:10:48 GMT
1998-10-29 09:10:48 GMT
1. The draft document "draft-ietf-secsh-transport-04.txt" section 5, "Key Exchange" contains the following text: "Each side MAY guess which algorithm the other side is using, and MAY send an initial key exchange packet according to the algorithm if appropriate for the preferred method. If all algorithms were guessed right, the optimistically sent packet MUST be handled as the first key exchange packet. However, if the guess was wrong, and a packet was optimistically sent by one or both parties, such packets MUST be ignored (even if the error in the guess would not affect the contents of the initial packet(s)), and the appropriate side MUST send the correct initial packet." The bit that goes "If all algorithms were guessed right" is what I have trouble with. It seem to me that only the key exchange algorithm and the server host key algorithm affect the key exchange, and the SSH unix sources indeed make and verify a guess based on those two only. The text should probably go like: "Each side MAY guess which key exchange algorithm and server key algorithm the other side is using, and MAY send an initial key exchange packet according to the guessed algorithms if appropriate. If both algorithms were guessed right, the optimistically sent packet MUST be handled as the first key exchange packet. However, if the guess was wrong, and a packet was optimistically sent by one or both parties, such packets MUST be ignored (even if the error in the guess would not affect the contents of the initial packet(s)), and the appropriate side MUST send the correct initial packet." 2. The draft document "draft-ietf-secsh-transport-04.txt" section 5.2, "Output from Key Exchange" contains the following text: "The key exchange produces two values: a shared secret K, and an exchange hash H." which implies that the exchange hash and the shared secret are two distinct values. Section 6, "Diffie-Hellman Key Exchange" then goes to great lengths to specify excactly how the exchange hash "H" is computed, but fails to specify the format of "K", which is used in key derivation. After a cursory look at the the SSH unix sources it seems that they use "H" in place of "K" for key derivation. I'm no crypto expert, but it seems to me that for the "diffie-hellman-group1-sha1" kex algorithm, "K" might contain as much as 1024 bits of entropy while "H" cannot possibly contain more than 160 bits. Any key derived from "H", no matter how large, would then be similarily restricted. This probably does't matter today, where none of the specified ciphers uses keys larger than 128 bits, but it seems like an unneccessary restriction. I propose that a paragraph be added to section 6, "Diffie-Hellman Key Exchange" that specifies the format of the shared secret "K" as an mpint for the purposes of key derivation.
RSS Feed