Network Working Group                                          B. Harris
Request for Comments: 4432                                    March 2006
Category: Standards Track
RSA Key Exchange for the Secure Shell (SSH)
Transport Layer Protocol
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This memo describes a key-exchange method for the Secure Shell (SSH)
protocol based on Rivest-Shamir-Adleman (RSA) public-key encryption.
It uses much less client CPU time than the Diffie-Hellman algorithm
specified as part of the core protocol, and hence is particularly
suitable for slow client systems.
1. Introduction
Secure Shell (SSH) [RFC4251] is a secure remote-login protocol. The
core protocol uses Diffie-Hellman key exchange. On slow CPUs, this
key exchange can take tens of seconds to complete, which can be
irritating for the user. A previous version of the SSH protocol,
described in [SSH1], used a key-exchange method based on
Rivest-Shamir-Adleman (RSA) public-key encryption, which consumes an
order of magnitude less CPU time on the client, and hence is
particularly suitable for slow client systems such as mobile devices.
This memo describes a key-exchange mechanism for the version of SSH
described in [RFC4251] that is similar to that used by the older
version, and about as fast, while retaining the security advantages
of the newer protocol.
Harris Standards Track [Page 1]
2. Conventions Used in This Document
The key words "MUST" and "SHOULD" in this document are to be
interpreted as described in [RFC2119].
The data types "byte", "string", and "mpint" are defined in Section 5 of [RFC4251].
Other terminology and symbols have the same meaning as in [RFC4253].
3. Overview
The RSA key-exchange method consists of three messages. The server
sends to the client an RSA public key, K_T, to which the server holds
the private key. This may be a transient key generated solely for
this SSH connection, or it may be re-used for several connections.
The client generates a string of random bytes, K, encrypts it using
K_T, and sends the result back to the server, which decrypts it. The
client and server each hash K, K_T, and the various key-exchange
parameters to generate the exchange hash, H, which is used to
generate the encryption keys for the session, and the server signs H
with its host key and sends the signature to the client. The client
then verifies the host key as described in Section 8 of [RFC4253].
This method provides explicit server identification as defined in
Section 7 of [RFC4253]. It requires a signature-capable host key.
4. Details
The RSA key-exchange method has the following parameters:
HASH hash algorithm for calculating exchange hash, etc.
HLEN output length of HASH in bits
MINKLEN minimum transient RSA modulus length in bits
Their values are defined in Section 5 and Section 6 for the two
methods defined by this document.
The method uses the following messages.
First, the server sends:
byte SSH_MSG_KEXRSA_PUBKEY
string server public host key and certificates (K_S)
string K_T, transient RSA public key
The key K_T is encoded according to the "ssh-rsa" scheme described in
Section 6.6 of [RFC4253]. Note that unlike an "ssh-rsa" host key,
K_T is used only for encryption, and not for signature. The modulus
of K_T MUST be at least MINKLEN bits long.
The client generates a random integer, K, in the range
0 <= K < 2^(KLEN-2*HLEN-49), where KLEN is the length of the modulus
of K_T, in bits. The client then uses K_T to encrypt:
mpint K, the shared secret
The encryption is performed according to the RSAES-OAEP scheme of
[RFC3447], with a mask generation function of MGF1-with-HASH, a hash
of HASH, and an empty label. See Appendix A for a proof that the
encoding of K is always short enough to be thus encrypted. Having
performed the encryption, the client sends:
byte SSH_MSG_KEXRSA_SECRET
string RSAES-OAEP-ENCRYPT(K_T, K)
Note that the last stage of RSAES-OAEP-ENCRYPT is to encode an
integer as an octet string using the I2OSP primitive of [RFC3447].
This, combined with encoding the result as an SSH "string", gives a
result that is similar, but not identical, to the SSH "mpint"
encoding applied to that integer. This is the same encoding as is
used by "ssh-rsa" signatures in [RFC4253].
The server decrypts K. If a decryption error occurs, the server
SHOULD send SSH_MSG_DISCONNECT with a reason code of
SSH_DISCONNECT_KEY_EXCHANGE_FAILED and MUST disconnect. Otherwise,
the server responds with:
byte SSH_MSG_KEXRSA_DONE
string signature of H with host key
The hash H is computed as the HASH hash of the concatenation of the
following:
string V_C, the client’s identification string
(CR and LF excluded)
string V_S, the rver’s identification string
(CR and LF excluded)
string I_C, the payload of the client’s SSH_MSG_KEXINIT
string I_S, the payload of the rver’s SSH_MSG_KEXINIT
string K_S, the host key
string K_T, the transient RSA key
string RSAES_OAEP_ENCRYPT(K_T, K), the encrypted secret
mpint K, the shared cret
This value is called the exchange hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept
secret.
The signature algorithm MUST be applied over H, not the original
data. Most signature algorithms include hashing and additional
padding. For example, "ssh-dss" specifies SHA-1 hashing. In such
cases, the data is first hashed with HASH to compute H, and H is then
hashed again as part of the signing operation.
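The exchange hash and the signing step above, as an added example that is not code from the RFC or from any SSH implementation: Python that lays H out field by field over constructed stand-in values and shows the octet string an "ssh-rsa" host key would actually sign, so that the "string, not mpint" note on the encrypted secret and the "H is hashed again" note are both visible. The identification strings, KEXINIT payloads, key blobs, ciphertext and the function names are the example's own; "ssh-rsa" as RSASSA-PKCS1-v1_5 with SHA-1 is taken from Section 6.6 of RFC 4253.

```python
"""Exchange hash H and the "ssh-rsa" signing input, as Section 4 lays them out, over
constructed fields. Added illustration, not code from the RFC; all field values are made up."""
import hashlib

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix, SHA-1

def ssh_string(b):          # RFC 4251 "string": uint32 length, then the bytes exactly as given
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n):           # RFC 4251 "mpint", n >= 0: minimal two's complement, sign byte if needed
    return ssh_string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))

def exchange_hash(hname, V_C, V_S, I_C, I_S, K_S, K_T, ciphertext, K):
    """H = HASH(string V_C || string V_S || string I_C || string I_S || string K_S || string K_T
    || string RSAES_OAEP_ENCRYPT(K_T, K) || mpint K).  Only K is an mpint: the ciphertext goes
    in as the k-byte I2OSP output wrapped as a string, leading zero bytes and high bit untouched."""
    fields = (V_C, V_S, I_C, I_S, K_S, K_T, ciphertext)
    return hashlib.new(hname, b"".join(map(ssh_string, fields)) + ssh_mpint(K)).digest()

def ssh_rsa_signing_input(H, k):
    """The k-byte string an "ssh-rsa" signer raises to its private exponent (RSASSA-PKCS1-v1_5
    with SHA-1, RFC 4253 6.6): H is hashed again here, as the last paragraph of Section 4 says."""
    t = SHA1_DIGESTINFO + hashlib.sha1(H).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ciphertext_encodings(ct):
    """Length of the correct "string" encoding of a ciphertext next to the length a (wrong)
    "mpint" of the same integer would have; they differ whenever the top bit is set or
    the I2OSP output starts with zero bytes."""
    return len(ssh_string(ct)), len(ssh_mpint(int.from_bytes(ct, "big")))

def demo_exchange_hash(hname="sha1"):
    # Constructed stand-ins: real K_S/K_T are "ssh-rsa" blobs, the ciphertext is k = 128 bytes.
    V_C, V_S = b"SSH-2.0-client_example", b"SSH-2.0-server_example"        # CR and LF excluded
    I_C, I_S = b"\x14client KEXINIT payload", b"\x14server KEXINIT payload"  # 0x14 = SSH_MSG_KEXINIT
    K_S = ssh_string(b"ssh-rsa") + b"host-key-body"
    K_T = ssh_string(b"ssh-rsa") + b"transient-key-body"
    ct = b"\x80" + bytes(range(127))                 # 128-byte I2OSP output with its top bit set
    K = 0x9a378f9b2e332a7                            # the mpint example value from RFC 4251
    H = exchange_hash(hname, V_C, V_S, I_C, I_S, K_S, K_T, ct, K)
    return H, ssh_rsa_signing_input(H, 128)
```

Both sides must feed exactly the bytes that went over the wire into exchange_hash; re-encoding the ciphertext as an mpint, or leaving the CR/LF on an identification string, silently produces a different H and a signature that fails to verify.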
5. rsa1024-sha1
The "rsa1024-sha1" method specifies RSA key exchange as described
above with the following parameters:
HASH SHA-1, as defined in [RFC3174]
HLEN 160
MINKLEN 1024
6. rsa2048-sha256
The "rsa2048-sha256" method specifies RSA key exchange as described
above with the following parameters:
HASH SHA-256, as defined in [FIPS-180-2]
HLEN 256
MINKLEN 2048
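The key transport of Section 4 with the parameters of Sections 5 and 6, as an added example that is not code from the RFC or from any SSH implementation: pure Python that generates a transient key of MINKLEN bits, has the client check KLEN, draw K below 2^(KLEN-2*HLEN-49) and RSAES-OAEP-encrypt "mpint K", and has the server decrypt it or hit the single generic decryption error. The Miller-Rabin key generator is a toy stand-in for real key generation, both sides run in one process, and the function names are the example's own.

```python
"""RSAES-OAEP key transport of Section 4 for both method names, in pure Python (hashlib and
secrets only). Added illustration, not the RFC's own code nor any SSH implementation's; the
Miller-Rabin key generator is a toy stand-in for a real one."""
import hashlib
import secrets

METHODS = {"rsa1024-sha1": ("sha1", 160, 1024),      # HASH, HLEN, MINKLEN
           "rsa2048-sha256": ("sha256", 256, 2048)}

def ssh_string(b):        # RFC 4251 "string": uint32 length, then the bytes
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n):         # RFC 4251 "mpint" for n >= 0: minimal two's complement
    return ssh_string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))

def is_probable_prime(n, rounds=32):   # Miller-Rabin; candidates here are odd and far above 37
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keygen(bits):
    """Toy RSA key (e, n, d); primes get their top two bits set so n is exactly `bits` long."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % 65537:
            return 65537, p * q, pow(65537, -1, (p - 1) * (q - 1))

def mgf1(seed, length, hname):         # MGF1-with-HASH, RFC 3447 B.2.1
    hlen = hashlib.new(hname).digest_size
    return b"".join(hashlib.new(hname, seed + c.to_bytes(4, "big")).digest()
                    for c in range(-(-length // hlen)))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(e, n, msg, hname):
    """RSAES-OAEP-ENCRYPT (RFC 3447 7.1.1): hash HASH, MGF1-with-HASH, empty label; k-byte I2OSP out."""
    k, hlen = (n.bit_length() + 7) // 8, hashlib.new(hname).digest_size
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    db = hashlib.new(hname, b"").digest() + b"\x00" * (k - len(msg) - 2 * hlen - 2) + b"\x01" + msg
    seed = secrets.token_bytes(hlen)
    masked_db = xor(db, mgf1(seed, k - hlen - 1, hname))
    em = b"\x00" + xor(seed, mgf1(masked_db, hlen, hname)) + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def oaep_decrypt(d, n, ct, hname):
    """RSAES-OAEP-DECRYPT; every failure is reported as the same generic error (RFC 3447 7.1.2)."""
    k, hlen = (n.bit_length() + 7) // 8, hashlib.new(hname).digest_size
    if len(ct) != k or int.from_bytes(ct, "big") >= n:
        raise ValueError("decryption error")
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    seed = xor(em[1:1 + hlen], mgf1(em[1 + hlen:], hlen, hname))
    db = xor(em[1 + hlen:], mgf1(seed, k - hlen - 1, hname))
    sep = db.find(b"\x01", hlen)
    if em[0] or db[:hlen] != hashlib.new(hname, b"").digest() or sep < 0 or any(db[hlen:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def key_transport(method):
    """Client and server halves of SSH_MSG_KEXRSA_PUBKEY/SECRET for one method; returns (K, K_at_server, ct)."""
    hname, hlen, minklen = METHODS[method]
    e, n, d = rsa_keygen(minklen)                   # server: transient K_T, generated at MINKLEN
    klen = n.bit_length()                           # client: KLEN read off the received K_T
    if klen < minklen:
        raise ValueError("transient key shorter than MINKLEN")
    K = secrets.randbits(klen - 2 * hlen - 49)      # 0 <= K < 2^(KLEN-2*HLEN-49)
    payload = ssh_mpint(K)                          # it is "mpint K" that gets encrypted
    assert len(payload) <= (klen + 7) // 8 - 2 * (hlen // 8) - 2  # OAEP's length limit; always holds
    ct = oaep_encrypt(e, n, payload, hname)         # body of the SSH_MSG_KEXRSA_SECRET string
    recovered = oaep_decrypt(d, n, ct, hname)       # server: mpint K back, or "decryption error"
    return K, int.from_bytes(recovered[4:], "big"), ct

def server_rejects(d, n, ct, hname):
    """True if the server would take the decryption-error path (disconnect, KEY_EXCHANGE_FAILED)."""
    try:
        oaep_decrypt(d, n, ct, hname)
    except ValueError:
        return True
    return False
```

With the K bound of Section 4, "mpint K" is at most 4 + (KLEN-2*HLEN-48)/8 bytes, which is exactly the k - 2*hLen - 2 bytes RSAES-OAEP can carry, so the encryption never fails for a correctly sized K_T; the decryptor deliberately reports one error for every failure mode so that a tampered or undersized ciphertext leaks nothing beyond the disconnect.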
7. Message Numbers
The following message numbers are defined:
SSH_MSG_KEXRSA_PUBKEY 30
SSH_MSG_KEXRSA_SECRET 31
SSH_MSG_KEXRSA_DONE 32
8. Security Considerations
The security considerations in [RFC4251] apply.
If the RSA private key generated by the server is revealed, then the
session key is revealed. The server should thus arrange to erase
this from memory as soon as it is no longer required. If the same
RSA key is used for multiple SSH connections, an attacker who can
find the private key (either by factorising the public key or by
other means) will gain access to all of the sessions that used that
key. As a result, servers SHOULD use each RSA key for as few key
exchanges as possible.
[RFC3447] recommends that RSA keys used with RSAES-OAEP not be used
with other schemes, or with RSAES-OAEP using a different hash
function. In particular, this means that K_T should not be used as a
host key, or as a server key in earlier versions of the SSH protocol.
Like all key-exchange mechanisms, this one depends for its security
on the randomness of the secrets generated by the client (the random
number K) and the server (the transient RSA private key). In
particular, it is essential that the client use a high-quality
cryptographic pseudo-random number generator to generate K. Using a
bad random number generator will allow an attacker to break all the
encryption and integrity protection of the Secure Shell transport
layer. See [RFC4086] for recommendations on random number
generation.
The size of transient key used should be sufficient to protect the
encryption and integrity keys generated by the key-exchange method.
For recommendations on this, see [RFC3766]. The strength of
RSAES-OAEP is in part dependent on the hash function it uses.
[RFC3447] suggests using a hash with an output length of twice the
security level required, so SHA-1 is appropriate for applications
requiring up to 80 bits of security, and SHA-256 for those requiring
up to 128 bits.
Unlike the Diffie-Hellman key-exchange method defined by [RFC4253],
this method allows the client to fully determine the shared secret,
K. This is believed not to be significant, since K is only ever used
when hashed with data provided in part by the server (usually in the
form of the exchange hash, H). If an extension to SSH were to use K
directly and to assume that it had been generated by Diffie-Hellman
key exchange, this could produce a security weakness. Protocol
extensions using K directly should be viewed with extreme suspicion.
This key-exchange method is designed to be resistant to collision
attacks on the exchange hash, by ensuring that neither side is able
to freely choose its input to the hash after seeing all of the other
side's input. The server's last input is in SSH_MSG_KEXRSA_PUBKEY,
before it has seen the client's choice of K. The client's last input
is K and its RSA encryption, and the one-way nature of RSA encryption
should ensure that the client cannot choose K so as to cause a
collision.
9. IANA Considerations
IANA has assigned the names "rsa1024-sha1" and "rsa2048-sha256" as
Key Exchange Method Names in accordance with [RFC4250].
10. Acknowledgements
The author acknowledges the assistance of Simon Tatham with the
design of this key exchange method.
The text of this document is derived in part from [RFC4253].
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006.
[RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, January 2006.
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, January 2006.
[FIPS-180-2] National Institute of Standards and Technology (NIST), "Secure Hash Standard (SHS)", FIPS PUB 180-2,
August 2002.
11.2. Informative References
[SSH1] Ylonen, T., "SSH -- Secure Login Connections over the
Internet", 6th USENIX Security Symposium, pp. 37-42,
July 1996.
[RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
Public Keys Used For Exchanging Symmetric Keys",
BCP 86, RFC 3766, April 2004.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086,
June 2005.