Network Working Group                                           K. Igoe
Internet-Draft                                 National Security Agency
Intended status: Standards Track                             D. Stebila
Expires: April 19, 2010              Queensland University of Technology
                                                       November 10, 2009


          X.509v3 Certificates for Secure Shell Authentication
                        draft-igoe-secsh-x509v3-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 19, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.


Igoe & Stebila           Expires April 19, 2010                 [Page 1]

Internet-Draft        X.509v3 Certificates for SSH         November 2009


Abstract

   X.509 public key certificates use a signature by a trusted
   certification authority to bind a given public key to a given digital
   identity.  This document outlines how to incorporate X.509 version 3
   public key certificates into the authentication methods of the Secure
   Shell protocol.

Table of Contents

   1.  Introduction
   2.  X.509 Version 3 Certificates
   3.  Server Authentication (public key algorithm) Using X.509v3
       Certificates
   4.  User Authentication (publickey authentication) Using X.509v3
       Certificates
   5.  Security Considerations
   6.  IANA Considerations
   7.  Normative References
   Appendix A.  Acknowledgements
   Authors' Addresses


1.  Introduction

   There are two Secure Shell (SSH) protocols that use public key
   cryptography for authentication.  The Transport Layer Protocol,
   described in [RFC4253], requires that a digital signature algorithm
   (called the "public key algorithm") MUST be used to authenticate the
   server to the client.  Additionally, the User Authentication Protocol
   described in [RFC4252] allows for the use of a digital signature to
   authenticate the client to the server ("publickey" authentication).

   In both cases, the validity of the authentication depends upon the
   strength of the linkage between the public signing key and the
   identity of the signer.  Digital certificates, such as those in X.509
   version 3 (X.509v3) format, use a chain of signatures by a trusted
   root certification authority and its designated intermediate
   certificate authorities to bind a given public signing key to a given
   digital identity.

   The following public key authentication algorithms are presently
   available for use in SSH:

              +--------------+-----------------------+
              | Algorithm    | Reference             |
              +--------------+-----------------------+
              | ssh-dss      | [RFC4253]             |
              | ssh-rsa      | [RFC4253]             |
              | pgp-sign-dss | [RFC4253]             |
              | pgp-sign-rsa | [RFC4253]             |
              | ecdsa-sha2-* | [I-D.green-secsh-ecc] |
              | ecmqv-sha2   | [I-D.green-secsh-ecc] |
              +--------------+-----------------------+

   Since PGP has its own method for binding a public key to a digital
   identity, this document focuses solely upon the non-PGP methods.  In
   particular, this document defines the following public key
   algorithms, which differ from the above solely in their use of
   X.509v3 certificates to convey the signer's public key.

                      +---------------------+
                      | Algorithm           |
                      +---------------------+
                      | x509v3-ssh-dss      |
                      | x509v3-ssh-rsa      |
                      | x509v3-ecdsa-sha2-* |
                      | x509v3-ecmqv-sha2   |
                      +---------------------+

   Implementation of this specification requires familiarity with the
   Secure Shell protocol [RFC4251] [RFC4253] and X.509v3 certificates
   [RFC5280].  This document is concerned with SSH implementation
   details; specification of the underlying cryptographic algorithms and
   the handling and structure of X.509v3 certificates is left to other
   standards documents.


2.  X.509 Version 3 Certificates

   The reader is referred to [RFC5280] for a general description of
   X.509 version 3 certificates.  For the purposes of this document, it
   suffices to know that in X.509 a chain of certificates (possibly of
   length one) allows a Root Certificate Authority and its designated
   Intermediate Certificate Authorities to cryptographically bind a
   given public key to a given digital identity using public key
   signatures.
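   As an added illustration that is not part of this draft, the
   following Python code builds and strictly parses the octet string
   that the rest of this section specifies and that Sections 3 and 4
   then carry in K_S and in the public key blob: an SSH string (uint32
   length prefix) holding a DER SEQUENCE of certificates, sender's
   certificate first.  The two "certificates" are constructed DER
   SEQUENCE stand-ins rather than real X.509 certificates; the decoder
   refuses truncation, trailing octets and non-minimal DER lengths.

```python
import struct

def der_length(n: int) -> bytes:  # short form below 128, else minimal long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """One DER TLV at buf[pos:] -> (tag, value, next_pos); strict about lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: 0x80|n, then n big-endian length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if der_length(length) != buf[pos - 1:pos + n]:
            raise ValueError("non-minimal DER length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def encode_cert_chain(certs: list) -> bytes:
    """SSH string (uint32 prefix) holding a DER SEQUENCE of certs, sender first."""
    body = b"".join(certs)
    seq = b"\x30" + der_length(len(body)) + body
    return struct.pack(">I", len(seq)) + seq

def decode_cert_chain(blob: bytes) -> list:
    """Inverse: exactly one SEQUENCE of Certificate SEQUENCEs, nothing trailing."""
    if len(blob) < 4 or struct.unpack(">I", blob[:4])[0] != len(blob) - 4:
        raise ValueError("SSH string length mismatch")
    tag, seq, end = read_tlv(blob, 4)
    if tag != 0x30 or end != len(blob):
        raise ValueError("blob is not exactly one DER SEQUENCE")
    certs, pos = [], 0
    while pos < len(seq):
        tag, _, nxt = read_tlv(seq, pos)
        if tag != 0x30:  # an X.509 Certificate is always a SEQUENCE
            raise ValueError("chain element is not a Certificate SEQUENCE")
        certs.append(seq[pos:nxt])
        pos = nxt
    return certs

SENDER_CERT = b"\x30\x03\x02\x01\x01"  # constructed stand-in: SEQUENCE{INTEGER 1}
ISSUER_CERT = b"\x30\x81\xc8\x04\x81\xc5" + b"A" * 197  # constructed, 203 octets
SAMPLE_CHAIN = [SENDER_CERT, ISSUER_CERT]  # sender first, root CA omitted
```

   Splitting the chain is only the first step: the receiver must still
   run [RFC5280] path validation (issuer/subject chaining, signatures,
   validity periods, revocation) before trusting the sender's key.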
   A chain of certificates can then be unambiguously encoded as a string
   of octets using the DER encoding of Abstract Syntax Notation One
   (ASN.1) [ASN1].  The content of the string containing the
   certificates is the DER encoding of an ASN.1 SEQUENCE of
   certificates, subject to the following constraints.

   o  The sender's certificate MUST come first in the chain.

   o  Each following certificate MUST certify the one preceding it.

   o  The self-signed certificate specifying the root authority MAY be
      omitted.

   o  The individual certificates in the certificate chain MAY be signed
      using any approved Secure Shell public key signature algorithm.
      The choice of signature algorithm used by any given certificate is
      independent of the signature algorithms chosen by other
      certificates in the chain.

   Issues associated with the use of certificates (such as expiration of
   certificates and revocation of compromised certificates) are
   addressed in [RFC5280] and are outside the scope of this document.

   [I-D.solinas-suiteb-cert-profile] gives specific guidance on the
   structure of X.509v3 certificates to be used with Suite B ECDSA
   public keys.  [RFC5280] provides guidance on certificates for RSA and
   DSA.


3.  Server Authentication (public key algorithm) Using X.509v3
    Certificates

   The server's public host key is conveyed from the server to the
   client in the SSH_MSG_KEX*_REPLY_MSG, where * is either DH, RSA, ECDH
   or ECMQV.  All four key exchange protocols place the public host key
   in a string (K_S).  When an x509v3-* public key algorithm is used,
   the string K_S MUST contain a DER-encoded chain of certificates as
   described in Section 2.


4.  User Authentication (publickey authentication) Using X.509v3
    Certificates

   The client initiates user authentication by sending an
   SSH_MSG_USERAUTH_REQUEST message to the server.  One of the options
   available to the client is to specify that a public key
   authentication method is to be used.  The list of user
   authentication public key algorithms defined for use in Secure Shell
   is precisely the same as the list of server authentication
   algorithms (public key algorithms) defined for use in Secure Shell.
   Note that the choice of a user authentication public key algorithm
   is independent of the choice of a server authentication algorithm.

   The client's public key is conveyed in a string called the "public
   key blob".  The x509v3-* family of authentication algorithms
   REQUIRES this string to contain a DER-encoded chain of X.509v3
   certificates as described in Section 2.


5.  Security Considerations

   This document provides new public key algorithms and new key
   agreement methods for the Secure Shell protocol.  For the most part,
   the security considerations involved in using the Secure Shell
   protocol apply.  Additionally, implementers should be aware of
   security considerations specific to the use of X.509v3 certificates
   in a public key infrastructure, including considerations related to
   expired certificates and certificate revocation lists.  The reader is
   directed to the security considerations sections of [RFC4251] and
   [RFC5280].


6.  IANA Considerations

   Consistent with Section 8 of [RFC4251] and Section 4.6 of [RFC4250],
   this document makes the following registrations:

   In the Public Key Algorithm Names registry:  The family of SSH public
      key algorithm names beginning with "x509v3-ecdsa-sha2-" and not
      containing the at-sign ('@').

   In the Key Exchange Method Names registry:  The SSH key exchange
      method names "x509v3-ssh-dss", "x509v3-ssh-rsa", and
      "x509v3-ecmqv-sha2".

   This document creates no new registries.


7.  Normative References

   [ASN1]     International Telecommunications Union, "Abstract Syntax
              Notation One (ASN.1): Specification of basic notation",
              X.680, July 2002.

   [I-D.green-secsh-ecc]
              Stebila, D. and J. Green, "Elliptic-Curve Algorithm
              Integration in the Secure Shell Transport Layer",
              draft-green-secsh-ecc-09 (work in progress), August 2009.

   [I-D.solinas-suiteb-cert-profile]
              Solinas, J. and L. Zieglar, "Suite B Certificate and
              Certificate Revocation List (CRL) Profile",
              draft-solinas-suiteb-cert-profile-04 (work in progress),
              July 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4250]  Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Assigned Numbers", RFC 4250, January 2006.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4252]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.


Appendix A.  Acknowledgements

   The authors acknowledge an earlier Internet-Draft by O. Saarenmaa and
   J. Galbraith on a similar topic.


Authors' Addresses

   Kevin M. Igoe
   National Security Agency
   NSA/CSS Commercial Solutions Center
   United States of America

   Email: kmigoe@nsa.gov


   Douglas Stebila
   Queensland University of Technology
   Information Security Institute
   Level 7, 126 Margaret St
   Brisbane, Queensland  4000
   Australia

   Email: douglas@stebila.ca