rfc8758xml2.original.xml   rfc8758.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
<!--<!ENTITY RFC5226 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml"> -->
<!ENTITY RFC4345 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4345.xml">
<!ENTITY RFC4253 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4253.xml">
<!ENTITY RFC7465 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7465.xml">
<!ENTITY RFC8429 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8429.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="bcp" updates="4253" docName="draft-ietf-curdle-rc4-die-die-die-18
" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902
,
or pre5378Trust200902
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary
if the
full title is longer than 39 characters -->
<title abbrev="draft-ietf-curdle-rc4-die-die-die">Deprecating RC4 in Secure S
hell (SSH)</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Loganaden Velvindron" initials="L.V." <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="bcp" updates="4253"
surname="Velvindron"> docName="draft-ietf-curdle-rc4-die-die-die-18" ipr="trust200902"
<organization>cyberstorm.mu</organization> obsoletes="" submissionType="IETF" xml:lang="en" tocInclude="true"
tocDepth="4" symRefs="true" sortRefs="true" version="3" number="8758" conse
<address> nsus="true" >
<postal>
<street></street>
<!-- Reorder these if your country does things differently -->
<city></city>
<region></region>
<code></code>
<country>Mauritius</country> <!-- xml2rfc v2v3 conversion 2.40.1 -->
</postal> <front>
<phone></phone> <title abbrev="Deprecating RC4 in SSH">Deprecating RC4 in Secure Shell (SSH)<
/title>
<seriesInfo name="RFC" value="8758"/>
<seriesInfo name="BCP" value="227"/>
<email>logan@cyberstorm.mu</email> <author fullname="Loganaden Velvindron" initials="L." surname="Velvindron">
<organization>cyberstorm.mu</organization>
<address>
<postal>
<street/>
<city/>
<region/>
<code/>
<country>Mauritius</country>
</postal>
<phone/>
<email>logan@cyberstorm.mu</email>
<!-- uri and facsimile elements may also be added -->
</address> </address>
</author> </author>
<date year="2019" /> <date year="2020" month="April"/>
<!-- Meta-data Declarations -->
<area>General</area>
<workgroup>Internet Engineering Task Force</workgroup> <area>Security</area>
<workgroup>curdle</workgroup>
<!-- WG name at the upperleft corner of the doc, <!-- [rfced] Please insert any keywords (beyond those that appear in
IETF is fine for individual submissions. the title) for use on https://www.rfc-editor.org/search.
If this element is not present, the default is "Network Working Group", -->
which is used by the RFC Editor as a nod to the history of the IETF. -->
-&gt; <keyword>example</keyword>
<keyword>template</keyword>
<!-- Keywords will be incorporated into HTML output <!-- [rfced] When version 16 was approved, the authors indicated there might
files in a meta tag but they have no effect on text or nroff be some updates needed to address IESG comments. We assume these have been
output. If you submit your draft to the RFC Editor, the addressed in the updated versions. If this is incorrect, please either send
keywords will be used for the search engine. --> along changes or update the XML file.
-->
-&gt;
<abstract> <abstract>
<t> This document deprecates RC4 in Secure Shell (SSH). Therefore, this <t>This document deprecates RC4 in Secure Shell (SSH). Therefore, this
document formally moves RFC4345 to historic status. document formally moves RFC 4345 to Historic status.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle>
<middle> <section numbered="true" toc="default">
<section title="Introduction"> <name>Introduction</name>
<t>The usage of RC4 suites ( also designated as arcfour ) for SSH are speci <t>The usage of RC4 suites (also designated as "arcfour") for SSH is
fied in <xref target="RFC4253"></xref> and <xref target="RFC4345"></xref>. specified in <xref target="RFC4253" format="default"/> and <xref
<xref target="RFC4253"></xref> specifies the allocation of the "arcfour" ci target="RFC4345" format="default"/>.
pher for SSH. <xref target="RFC4345"></xref> specifies and allocates <xref target="RFC4253" format="default"/> specifies the allocation of the "
arcfour" cipher for SSH. <xref target="RFC4345" format="default"/> specifies and
allocates
the "arcfour128" and "arcfour256" ciphers for SSH. the "arcfour128" and "arcfour256" ciphers for SSH.
RC4 encryption has known weaknesses <xref target="RFC7465"
format="default"/> <xref target="RFC8429" format="default"/>; therefore,
this document starts the deprecation process for their use in Secure Shell
(SSH) <xref target="RFC4253" format="default"/>. Accordingly, <xref
target="RFC4253" format="default"/> is
updated to note the deprecation of the RC4 ciphers, and <xref
target="RFC4345" format="default"/> is moved to Historic status, as all cip
hers
it specifies <bcp14>MUST NOT</bcp14> be used. </t>
<section numbered="true" toc="default">
<name>Requirements Language</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
to be interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/>
<xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
RC4 encryption has known weaknesses <xref target="RFC7465"></xref> <xref ta </section>
rget="RFC8429"></xref>, </section>
and the deprecation process should be begun for their use in Secure Shell ( <section numbered="true" toc="default">
SSH) <xref target="RFC4253"></xref>. Accordingly, <xref target="RFC4253"></xref> <name>Updates to RFC 4253</name>
is <t>
updated to note the deprecation of the RC4 ciphers and <xref target="RFC434 <xref target="RFC4253" format="default"/> is updated to prohibit arcfour's use i
5"></xref> is moved to Historic as all ciphers it specifies MUST NOT be used. < n SSH.
/t> <xref target="RFC4253" sectionFormat="comma" section="6.3"/> allocates the
"arcfour" cipher by defining a list of defined ciphers in which the "arcfour"
<section title="Requirements Language"> cipher appears as optional, as shown in <xref target="OPTIONAL" />.
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref><xref
target="RFC8174">RFC 8174</xref> when, and only when, they appear in all
capitals, as shown here.</t>
</section>
</section>
<section title="Updates to RFC 4253">
<t>
<xref target="RFC4253"></xref> is updated to prohibit arcfour's use in SSH.
<xref target="RFC4253"></xref> allocates the "arcfour" cipher in Section 6.3 by
defining a list of defined ciphers where the "arcfour" cipher appears as optiona
l as mentioned below:
</t>
<texttable>
<ttcol ></ttcol>
<ttcol ></ttcol>
<ttcol ></ttcol>
<c>arcfour </c>
<c>OPTIONAL </c>
<c>the ARCFOUR stream cipher with a 128-bit key </c>
</texttable>
<t>
This current document updates the status of the "arcfour" ciphers in the list of
<xref target="RFC4253"></xref> Section 6.3 by moving it from OPTIONAL to MUST N
OT.
</t> </t>
<texttable> <table align="center" anchor="OPTIONAL">
<ttcol ></ttcol> <tbody>
<ttcol ></ttcol> <tr>
<ttcol ></ttcol> <td align="left">arcfour</td>
<c> arcfour </c> <c>MUST NOT </c> <c> the ARCFOUR stream cipher wi <td align="left"><bcp14>OPTIONAL</bcp14></td>
th a 128-bit key</c> <td align="left">the ARCFOUR stream cipher with a 128-bit key</td>
</texttable> </tr>
</tbody>
<t> </table>
<xref target="RFC4253"></xref> defines the "arcfour" ciphers with the text menti <t>
oned below: This document updates the status of the "arcfour" ciphers in the list
found in <xref target="RFC4253" sectionFormat="comma" section="6.3"/> by moving
it
from <bcp14>OPTIONAL</bcp14> to <bcp14>MUST NOT</bcp14>.
</t> </t>
<t> <table align="center">
The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys. <tbody>
The Arcfour cipher is compatible with the RC4 cipher <tr>
<xref target= "SCHNEIER"></xref>. Arcfour (and RC4) has problems with weak k <td align="left"> arcfour </td>
eys, and <td align="left"><bcp14>MUST NOT</bcp14> </td>
should be used with caution. <td align="left"> the ARCFOUR stream cipher with a 128-bit key</td>
</tr>
</tbody>
</table>
<t>
<xref target="RFC4253" format="default"/> defines the "arcfour" ciphers with
the following text:
</t> </t>
<t> <blockquote>
This current document updates <xref target="RFC4253"></xref> Section 6.3 by repl The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys. The
acing the text above with the following text: Arcfour cipher is believed to be compatible with the RC4 cipher <xref target=
"SCHNEIER"
format="default"/>. Arcfour (and RC4) has problems with weak keys, and
should be used with caution.</blockquote>
<t>
This document updates <xref target="RFC4253" sectionFormat="comma"
section="6.3"/> by replacing the text above with the following text:
</t> </t>
<t> <blockquote>
The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys. The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys.
The Arcfour cipher is compatible with the RC4 cipher The Arcfour cipher is compatible with the RC4 cipher
<xref target= "SCHNEIER"></xref>. Arcfour (and RC4) has known weaknesses <xr <xref target="SCHNEIER" format="default"/>. Arcfour (and RC4) has known weak
ef target="RFC7465"></xref> <xref target="RFC8429"></xref>, and nesses <xref target="RFC7465" format="default"/> <xref target="RFC8429" format="
MUST NOT be used. default"/> and
</t> <bcp14>MUST NOT</bcp14> be used.
</section> </blockquote>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section title="IANA Considerations">
<t>The IANA is requested to update the Encryption Algorithm Name Registry
of the Secure Shell (SSH) Protocol Parameters <xref target="IANA"/>.
The Registration procedure is IETF Review which is achieved by this document. Th
e registry should be updated as follows:</t>
<texttable>
<ttcol>Encryption Algorithm Name </ttcol> <ttcol> Reference</ttcol> <ttcol>
Note</ttcol>
<c>arcfour</c> <c> [RFC-TBD]</c> <c> </c>
<c>arcfour128 </c> <c> [RFC-TBD] </c> <c> </c>
<c>arcfour256 </c> <c> [RFC-TBD] </c> <c> </c>
</texttable>
<t>Where TBD is the RFC number assigned to the document. </t>
<!-- <section numbered="true" toc="default">
<t>All drafts are required to have an IANA considerations section (see <name>IANA Considerations</name>
<xref target="RFC5226">Guidelines for Writing an IANA Considerations Sectio <t>The IANA has updated the "Encryption Algorithm Names"
n in RFCs</xref> for a guide). If the draft does not require IANA to do subregistry in the "Secure Shell (SSH) Protocol Parameters" registry <xref
anything, the section contains an explicit statement that this is the target="IANA" format="default"/>. The registration procedure is IETF
case (as above). If there are no requirements for IANA, the section will review, which is achieved by this document. The registry has been
be removed during conversion into an RFC by the RFC Editor.</t> updated as follows:</t>
<table align="center">
<thead>
<tr>
<th align="left">Encryption Algorithm Name</th>
<th align="left">Reference</th>
<th align="left">Note</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">arcfour</td>
<td align="left">RFC 8758</td>
<td align="left">HISTORIC</td>
</tr>
<tr>
<td align="left">arcfour128 </td>
<td align="left">RFC 8758</td>
<td align="left">HISTORIC</td>
</tr>
<tr>
<td align="left">arcfour256 </td>
<td align="left">RFC 8758</td>
<td align="left">HISTORIC</td>
</tr>
</tbody>
</table>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Acknowledgements" title="Acknowledgements"> <name>Security Considerations</name>
<t>The authors would like to thank Eric Rescorla, Daniel Migault and Rich S <t>This document only prohibits the use of RC4 in SSH; it introduces no
alz. </t>
</section>
<section anchor="Security" title="Security Considerations">
<t>This document only prohibits the use of RC4 in SSH, and introduces no
new security considerations.</t> new security considerations.</t>
</section> </section>
</middle>
<!-- *****BACK MATTER ***** --> </middle>
<!-- *****BACK MATTER ***** -->
<back> <back>
<!-- References split into informative and normative --> <references>
<name>References</name>
<references title="Normative References"> <references>
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2 <name>Normative References</name>
119.xml"?-->
&RFC2119;
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.x
ml"?-->
&RFC8174;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
<!--&RFC5226;-->
&RFC4345;
&RFC4253;
&RFC7465; <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/referenc
e.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/referenc
e.RFC.8174.xml"/>
</references>
<references>
&RFC8429; <name>Informative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4345.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4253.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7465.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8429.xml"/>
<!-- A reference written by by an organization not a person. --> <reference anchor="SCHNEIER" target="">
<reference anchor="SCHNEIER" target="SCHNEIER"> <front>
<front> <title>Applied Cryptography Second Edition: Protocols, Algorithms,
<title>Applied Cryptography Second Edition: and Source in Code in C </title>
protocols algorithms and source in code in C </title> <seriesInfo name="John Wiley and Sons" value="New York, NY"/>
<author initials="B.S" surname="Schneier" fullname="Bruce Schneier"> <author initials="B." surname="Schneier" fullname="Bruce Schneier">
<organization /> <organization/>
</author> </author>
<date month="" year="1996" /> <date month="" year="1996"/>
</front> </front>
<seriesInfo name="" value="" /> </reference>
</reference>
<reference anchor="IANA" target="https://www.iana.org/assignments/ssh-parameters
/ssh-parameters.xhtml#ssh-parameters-17">
<front>
<title>Secure Shell (SSH) Protocol Parameters: Encryption Algorithm Names</t
itle>
<author/>
<date/>
</front>
</reference>
</references> <reference anchor="IANA"
target="https://www.iana.org/assignments/ssh-parameters">
<front>
<title>Secure Shell (SSH) Protocol Parameters</title>
<author/>
</front>
</reference>
</references>
</references>
<!-- Change Log <section anchor="Acknowledgements" numbered="false" toc="default">
v08 update email address. <name>Acknowledgements</name>
v07 reproduce -06 of luis' draft + update with daniel's comments <t>The author would like to thank <contact fullname="Eric Rescorla"/>,
<contact fullname="Daniel Migault"/>, and <contact fullname="Rich Salz"/>.
</t>
</section>
-->
</back> </back>
</rfc> </rfc>
 End of changes. 33 change blocks. 
267 lines changed or deleted 209 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/