The IESG has approved the following document:
- 'More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)'
  (draft-ietf-curdle-ssh-modp-dh-sha2-09.txt) as Proposed Standard

This document is the product of the CURves, Deprecating and a Little more Encryption Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-modp-dh-sha2/

Technical Summary

Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction.

This document defines additional Modular Exponential (MODP) Groups for the Secure Shell (SSH) protocol using SHA-2 hashes.

Working Group Summary

Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough?

The document received few reviews on the mailing list. However, discussion took place on two choices:
- choosing IKE vs TLS primes
- choosing fixed primes versus random.

The consensus for this document was to restrict it to the primes defined for IKE.

Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted?
The draft describes the following key exchange algorithms:

* diffie-hellman-group14-sha256
* diffie-hellman-group15-sha512
* diffie-hellman-group16-sha512
* diffie-hellman-group17-sha512
* diffie-hellman-group18-sha512

These suites have been at least partially implemented [00],[2]:

* OpenSSH has already implemented and distributed at least diffie-hellman-group14-sha256 [0].
* Dropbear has preliminary support for diffie-hellman-group14-sha256 by Matt Johnston [1].
* RLogin supports dh-group{14,15,16}-sha256 since version 2.19.8 [3].
* Tera Term committed dh-group{14,15,16}-sha256 support to trunk, and it will be included in the next release [4].
* Poderosa [5] has committed to supporting dh-group{14,15,16}-sha256, and a pull request has been sent [6].

[00] http://ssh-comparison.quendi.de/comparison/kex.html
[0] https://jbeekman.nl/blog/2015/05/ssh-logjam/
[1] http://www.ietf.org/mail-archive/web/secsh/current/msg01119.html
[2] http://www.ietf.org/mail-archive/web/secsh/current/msg01139.html
[3] http://nanno.dip.jp/softlib/man/rlogin/
[4] https://en.osdn.jp/projects/ttssh2/scm/svn/commits/6263
[5] http://poderosa.sourceforge.net/
[6] https://github.com/poderosaproject/poderosa/pull/17