Network Working Group K. Igoe
Internet-Draft National Security Agency
Intended status: Standards Track D. Stebila
Expires: April 19, 2010 Queensland University of Technology
November 10, 2009
X.509v3 Certificates for Secure Shell Authentication
draft-igoe-secsh-x509v3-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 19, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Igoe & Stebila Expires April 19, 2010 [Page 1]
Internet-Draft X.509v3 Certificates for SSH November 2009
Abstract
X.509 public key certificates use a signature by a trusted
certification authority to bind a given public key to a given digital
identity. This document outlines how to incorporate X.509 version 3
public key certificates into the authentication methods of the Secure
Shell protocol.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. X.509 Version 3 Certificates . . . . . . . . . . . . . . . . . 5
3. Server Authentication (public key algorithm) Using X.509v3
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. User Authentication (publickey authentication) Using
X.509v3 Certificates . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Normative References . . . . . . . . . . . . . . . . . . . . . 10
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
Igoe & Stebila Expires April 19, 2010 [Page 2]
Internet-Draft X.509v3 Certificates for SSH November 2009
1. Introduction
There are two Secure Shell (SSH) protocols that use public key
cryptography for authentication. The Transport Layer Protocol,
described in [RFC4253], requires that a digital signature algorithm
(called the "public key algorithm") MUST be used to authenticate the
server to the client. Additionally, the User Authentication Protocol
described in [RFC4252] allows for the use of a digital signature to
authenticate the client to the server ("publickey" authentication).
In both cases, the validity of the authentication depends upon the
strength of the linkage between the public signing key and the
identity of the signer. Digital certificates, such as those in X.509
version 3 (X.509v3) format, use a chain of signatures by a trusted
root certification authority and its designated intermediate
certificate authorites to bind a given public signing key to a given
digital identity.
The following public key authentication algorithms are presently
available for use in SSH:
+--------------+-----------------------+
| Algorithm | Reference |
+--------------+-----------------------+
| ssh-dss | [RFC4253] |
| | |
| ssh-rsa | [RFC4253] |
| | |
| pgp-sign-dss | [RFC4253] |
| | |
| pgp-sign-rsa | [RFC4253] |
| | |
| ecdsa-sha2-* | [I-D.green-secsh-ecc] |
| | |
| ecmqv-sha2 | [I-D.green-secsh-ecc] |
+--------------+-----------------------+
Since PGP has its own method for binding a public key to a digital
identity, this document focuses solely upon the non-PGP methods. In
particular, this document defines the following public key algorithms
which differ from the above solely in their use of X.509v3
certificates to convey the signer's public key.
Igoe & Stebila Expires April 19, 2010 [Page 3]
Internet-Draft X.509v3 Certificates for SSH November 2009
+---------------------+
| Algorithm |
+---------------------+
| x509v3-ssh-dss |
| |
| x509v3-ssh-rsa |
| |
| x509v3-ecdsa-sha2-* |
| |
| x509v3-ecmqv-sha2 |
+---------------------+
Implementation of this specification requires familiarity with the
Secure Shell protocol [RFC4251] [RFC4253] and X.509v3 certificates
[RFC5280].
This document is concerned with SSH implementation details;
specification of the underlying cryptographic algorithms and the
handling and structore of X.509v3 certificates is left to other
standards documents.
Igoe & Stebila Expires April 19, 2010 [Page 4]
Internet-Draft X.509v3 Certificates for SSH November 2009
2. X.509 Version 3 Certificates
The reader is referred to [RFC5280] for a general description of
X.509 version 3 certificates. For the purposes of this document, it
suffices to know that in X.509 a chain of certificates (possibly of
length one) allows a Root Certificate Authority and its designated
Intermediate Certificate Authorities to cryptographically bind a
given public key to a given digital identity using public key
signatures. A chain of certificates can then be unambiguously
encoded as a string of octets using the DER encoding of Abstract
Syntax Notation One (ASN.1) [ASN1].
The contents of the string containing the certificates is the DER
encoding of an ASN.1 SEQUENCE of certificates, subject to the
following constraints.
o The sender's certificate MUST come first in the chain.
o Each following certificate MUST certify the one proceeding it.
o The self-signed certificate specifying the root authority MAY be
omitted.
o The individual certificates in the certificate chain MAY be signed
using any approved Secure Shell public key signature algorithm.
The choice of signature algorithm used by any given certificate is
independent of the signature algorithms chosen by other
certificates in the chain.
Issues associated with the use of certificates (such as expiration of
certificates and revocation of compromised certificates) are
addressed in [RFC5280] and are outside the scope of this document.
[I-D.solinas-suiteb-cert-profile] gives specific guidance on the
structure of X.509v3 certificates to be used with Suite B ECDSA
public keys. [RFC5280] provides guidance on certificates for RSA and
DSA.
Igoe & Stebila Expires April 19, 2010 [Page 5]
Internet-Draft X.509v3 Certificates for SSH November 2009
3. Server Authentication (public key algorithm) Using X.509v3
Certificates
The server's public host key is conveyed from the server to the
client in the SSH_MSG_KEX*_REPLY_MSG, where * is either DH, RSA, ECDH
or ECMQV. All four key exchange protocols place the public host key
in a string (K_S). When a x509v3-* public key algorithm is used, the
string K_S MUST contain a DER-encoded chain of certificates as
described in Section 2.
Igoe & Stebila Expires April 19, 2010 [Page 6]
Internet-Draft X.509v3 Certificates for SSH November 2009
4. User Authentication (publickey authentication) Using X.509v3
Certificates
The client initiates user authentication by sending an
SSH_MSG_USERAUTH_REQUEST message to the server. One of the options
available to the client is to specify that a public key
authentication method is to be used. The list of user authentication
public key algorithms defined for use in Secure Shell is precisely
the same as the list of server authentication algorithms (public key
algorithms) defined for use in Secure Shell. Note that the choice of
a user authentication public key algorithm is independent of the
choice of a server authentication algorithm.
The client's public key is conveyed in a string called the "public
key blob". The x509v3-* family of authentication algorithms REQUIRE
this string to contain a DER-encoded chain of X.509v3 certificates as
described in Section 2.
Igoe & Stebila Expires April 19, 2010 [Page 7]
Internet-Draft X.509v3 Certificates for SSH November 2009
5. Security Considerations
This document provides new public key algorithms and new key
agreement methods for the Secure Shell protocol. For the most part,
the security considerations involved in using the Secure Shell
protocol apply. Additionally, implementers should be aware of
security considerations specific to the use of X.509v3 certificates
in a public key infrastructure, including considerations related to
expired certificates and certificate revocation lists. The reader is
directed to the security considerations sections of [RFC4251] and
[RFC5280].
Igoe & Stebila Expires April 19, 2010 [Page 8]
Internet-Draft X.509v3 Certificates for SSH November 2009
6. IANA Considerations
Consistent with Section 8 of [RFC4251] and Section 4.6 of [RFC4250],
this document makes the following registrations:
In the Public Key Algorithm Names registry: The family of SSH public
key algorithm names beginning with "x509v3-ecdsa-sha2-" and not
containing the at-sign ('@').
In the Key Exchange Method Names registry: The SSH key exchange
method names "x509v3-ssh-dss", "x509v3-ssh-rsa", and "x509v3-ecmqv-
sha2".
This document creates no new registries.
Igoe & Stebila Expires April 19, 2010 [Page 9]
Internet-Draft X.509v3 Certificates for SSH November 2009
7. Normative References
[ASN1] International Telecommunications Union, "Abstract Syntax
Notation One (ASN.1): Specification of basic notation",
X.680, July 2002.
[I-D.green-secsh-ecc]
Stebila, D. and J. Green, "Elliptic-Curve Algorithm
Integration in the Secure Shell Transport Layer",
draft-green-secsh-ecc-09 (work in progress), August 2009.
[I-D.solinas-suiteb-cert-profile]
Solinas, J. and L. Zieglar, "Suite B Certificate and
Certificate Revocation List (CRL) Profile",
draft-solinas-suiteb-cert-profile-04 (work in progress),
July 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, January 2006.
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006.
[RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, January 2006.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
Igoe & Stebila Expires April 19, 2010 [Page 10]
Internet-Draft X.509v3 Certificates for SSH November 2009
Appendix A. Acknowledgements
The authors acknowledge an earlier Internet-Draft by O. Saarenmaa and
J. Galbraith on a similar topic.
Igoe & Stebila Expires April 19, 2010 [Page 11]
Internet-Draft X.509v3 Certificates for SSH November 2009
Authors' Addresses
Kevin M. Igoe
National Security Agency
NSA/CSS Commercial Solutions Center
United States of America
Email: kmigoe@nsa.gov
Douglas Stebila
Queensland University of Technology
Information Security Institute
Level 7, 126 Margaret St
Brisbane, Queensland 4000
Australia
Email: douglas@stebila.ca
Igoe & Stebila Expires April 19, 2010 [Page 12]