Internet Engineering Task Force (IETF)                           O. Sury
Request for Comments: 6594                                        CZ.NIC
Category: Standards Track                                     April 2012
ISSN: 2070-1721
        
Internet Engineering Task Force (IETF)                           O. Sury
Request for Comments: 6594                                        CZ.NIC
Category: Standards Track                                     April 2012
ISSN: 2070-1721
        

Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records

在SSHFP资源记录中结合RSA、数字签名算法(DSA)和椭圆曲线DSA(ECDSA)使用SHA-256算法

Abstract

摘要

This document updates the IANA registries in RFC 4255, which defines SSHFP, a DNS Resource Record (RR) that contains a standard Secure Shell (SSH) key fingerprint used to verify SSH host keys using DNS Security Extensions (DNSSEC). This document defines additional options supporting SSH public keys applying the Elliptic Curve Digital Signature Algorithm (ECDSA) and the implementation of fingerprints computed using the SHA-256 message digest algorithm in SSHFP Resource Records.

本文档更新了RFC 4255中的IANA注册表,该注册表定义了SSHFP,这是一种DNS资源记录(RR),其中包含一个标准安全外壳(SSH)密钥指纹,用于使用DNS安全扩展(DNSSEC)验证SSH主机密钥。本文档定义了支持SSH公钥的其他选项,这些选项应用椭圆曲线数字签名算法(ECDSA)和在SSHFP资源记录中使用SHA-256消息摘要算法计算的指纹的实现。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the fInternet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被fInternet工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6594.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6594.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从该文档中提取的代码组件必须

include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

包括信托法律条款第4.e节中所述的简化BSD许可证文本,且不提供简化BSD许可证中所述的担保。

Table of Contents

目录

   1. Introduction ....................................................3
   2. Requirements Language ...........................................4
   3. SSHFP Resource Records ..........................................4
      3.1. SSHFP Fingerprint Type Specification .......................4
           3.1.1. SHA-256 SSHFP Fingerprint Type Specification ........4
      3.2. SSHFP Algorithm Number Specification .......................4
           3.2.1. ECDSA SSHFP Algorithm Number Specification ..........4
   4. Implementation Considerations ...................................4
      4.1. Support for SHA-256 Fingerprints ...........................4
      4.2. Support for ECDSA ..........................................4
   5. Examples ........................................................5
      5.1. RSA Public Key .............................................5
           5.1.1. RSA Public Key with SHA1 Fingerprint ................5
           5.1.2. RSA Public Key with SHA-256 Fingerprint .............5
      5.2. DSA Public Key .............................................6
           5.2.1. DSA Public Key with SHA1 Fingerprint ................6
           5.2.2. DSA Public Key with SHA-256 Fingerprint .............6
      5.3. ECDSA Public Key ...........................................6
           5.3.1. ECDSA Public Key with SHA1 Fingerprint ..............7
           5.3.2. ECDSA Public Key with SHA-256 Fingerprint ...........7
   6. IANA Considerations .............................................7
      6.1. SSHFP RR Types for Public Key Algorithms ...................7
      6.2. SSHFP RR Types for Fingerprint Types .......................7
   7. Security Considerations .........................................8
   8. References ......................................................8
      8.1. Normative References .......................................8
      8.2. Informative References .....................................9
        
   1. Introduction ....................................................3
   2. Requirements Language ...........................................4
   3. SSHFP Resource Records ..........................................4
      3.1. SSHFP Fingerprint Type Specification .......................4
           3.1.1. SHA-256 SSHFP Fingerprint Type Specification ........4
      3.2. SSHFP Algorithm Number Specification .......................4
           3.2.1. ECDSA SSHFP Algorithm Number Specification ..........4
   4. Implementation Considerations ...................................4
      4.1. Support for SHA-256 Fingerprints ...........................4
      4.2. Support for ECDSA ..........................................4
   5. Examples ........................................................5
      5.1. RSA Public Key .............................................5
           5.1.1. RSA Public Key with SHA1 Fingerprint ................5
           5.1.2. RSA Public Key with SHA-256 Fingerprint .............5
      5.2. DSA Public Key .............................................6
           5.2.1. DSA Public Key with SHA1 Fingerprint ................6
           5.2.2. DSA Public Key with SHA-256 Fingerprint .............6
      5.3. ECDSA Public Key ...........................................6
           5.3.1. ECDSA Public Key with SHA1 Fingerprint ..............7
           5.3.2. ECDSA Public Key with SHA-256 Fingerprint ...........7
   6. IANA Considerations .............................................7
      6.1. SSHFP RR Types for Public Key Algorithms ...................7
      6.2. SSHFP RR Types for Fingerprint Types .......................7
   7. Security Considerations .........................................8
   8. References ......................................................8
      8.1. Normative References .......................................8
      8.2. Informative References .....................................9
        
1. Introduction
1. 介绍

The Domain Name System (DNS) is the global, hierarchical distributed database for Internet naming. The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. RFC 4253 [RFC4253] defines Public Key Algorithms for the Secure Shell server public keys.

域名系统(DNS)是用于Internet命名的全局、分层分布式数据库。Secure Shell(SSH)是一种用于在不安全的网络上进行安全远程登录和其他安全网络服务的协议。RFC 4253[RFC4253]定义了安全外壳服务器公钥的公钥算法。

The DNS has been extended to store fingerprints in a DNS Resource Record named SSHFP [RFC4255], which provides out-of-band verification by looking up a fingerprint of the server public key in the DNS [RFC1034][RFC1035] and using Domain Name System Security Extensions (DNSSEC) [RFC4033][RFC4034][RFC4035] to verify the lookup.

DNS已扩展为在名为SSHFP[RFC4255]的DNS资源记录中存储指纹,该记录通过在DNS[RFC1034][RFC1035]中查找服务器公钥的指纹并使用域名系统安全扩展(DNSSEC)[RFC4033][RFC4034][RFC4035]验证查找来提供带外验证。

RFC 4255 [RFC4255] describes how to store the cryptographic fingerprint of SSH public keys in SSHFP Resource Records. SSHFP Resource Records contain the fingerprint and two index numbers identifying the cryptographic algorithms used:

RFC 4255[RFC4255]描述了如何在SSHFP资源记录中存储SSH公钥的加密指纹。SSHFP资源记录包含指纹和两个标识所用加密算法的索引号:

1. to link the fingerprinted public key with the corresponding private key, and

1. 将指纹公钥与相应的私钥链接,以及

2. to derive the message digest stored as the fingerprint in the record.

2. 导出作为指纹存储在记录中的消息摘要。

RFC 4255 [RFC4255] then specifies lists of cryptographic algorithms and the corresponding index numbers used to identify them in SSHFP Resource Records.

RFC 4255[RFC4255]然后指定加密算法列表以及用于在SSHFP资源记录中识别它们的相应索引号。

This document updates the IANA registry "SSHFP RR Types for public key algorithms" and "SSHFP RR types for fingerprint types" [SSHFPVALS] by adding a new option in each list:

本文档通过在每个列表中添加新选项来更新IANA注册表“公钥算法的SSHFP RR类型”和“指纹类型的SSHFP RR类型”[SSHFPVALS]:

o the Elliptic Curve Digital Signature Algorithm (ECDSA) [RFC6090], which has been added to the Secure Shell Public Key list by RFC 5656 [RFC5656] in the public key algorithms list, and

o 椭圆曲线数字签名算法(ECDSA)[RFC6090],已由公钥算法列表中的RFC 5656[RFC5656]添加到安全外壳公钥列表中,以及

o the SHA-256 algorithm [FIPS.180-3.2008] in the SSHFP fingerprint type list.

o SSHFP指纹类型列表中的SHA-256算法[FIPS.180-3.2008]。

Familiarity with DNSSEC, SSH Protocol [RFC4251][RFC4253][RFC4250], SSHFP [RFC4255], and the SHA-2 [FIPS.180-3.2008] family of algorithms is assumed in this document.

本文档假设您熟悉DNSSEC、SSH协议[RFC4251][RFC4253][RFC4250]、SSHFP[RFC4255]和SHA-2[FIPS.180-3.2008]系列算法。

2. Requirements Language
2. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

3. SSHFP Resource Records
3. SSHFP资源记录

The format of the SSHFP RR can be found in RFC 4255 [RFC4255].

SSHFP RR的格式可在RFC 4255[RFC4255]中找到。

3.1. SSHFP Fingerprint Type Specification
3.1. SSHFP指纹类型规范

The fingerprint type octet identifies the message digest algorithm used to calculate the fingerprint of the public key.

指纹类型八位组标识用于计算公钥指纹的消息摘要算法。

3.1.1. SHA-256 SSHFP Fingerprint Type Specification
3.1.1. SHA-256 SSHFP指纹类型规范

SHA-256 fingerprints of the public keys are stored in SSHFP Resource Records with the fingerprint type 2.

公钥的SHA-256指纹存储在指纹类型为2的SSHFP资源记录中。

3.2. SSHFP Algorithm Number Specification
3.2. SSHFP算法编号规范

The SSHFP Resource Record algorithm number octet describes the algorithm of the public key.

SSHFP资源记录算法八位字节描述了公钥的算法。

3.2.1. ECDSA SSHFP Algorithm Number Specification
3.2.1. ECDSA SSHFP算法编号规范

ECDSA public keys are stored in SSHFP Resource Records with the algorithm number 3.

ECDSA公钥存储在算法编号为3的SSHFP资源记录中。

4. Implementation Considerations
4. 实施考虑
4.1. Support for SHA-256 Fingerprints
4.1. 支持SHA-256指纹

SSHFP-aware Secure Shell implementations SHOULD support the SHA-256 fingerprints for verification of the public key. Secure Shell implementations that support SHA-256 fingerprints MUST prefer a SHA-256 fingerprint over SHA-1 if both are available for a server. If the SHA-256 fingerprint is tested and does not match the SSH public key received from the SSH server, then the key MUST be rejected rather than testing the alternative SHA-1 fingerprint.

支持SSHFP的安全Shell实现应支持SHA-256指纹以验证公钥。支持SHA-256指纹的安全Shell实现必须首选SHA-256指纹,而不是SHA-1指纹(如果两者都适用于服务器)。如果测试了SHA-256指纹,但与从SSH服务器接收的SSH公钥不匹配,则必须拒绝该密钥,而不是测试备用SHA-1指纹。

4.2. Support for ECDSA
4.2. 支持ECDSA

SSHFP-aware Secure Shell implementations that also implement the ECDSA for the public key SHOULD support SSHFP fingerprints for ECDSA public keys.

支持SSHFP的安全Shell实现(也实现了公钥的ECDSA)应该支持ECDSA公钥的SSHFP指纹。

5. Examples
5. 例子

The following examples provide reference for both the newly defined value for ECDSA and the use of the SHA-256 fingerprint combined with both the new and the existing algorithm numbers.

以下示例为ECDSA的新定义值以及结合新算法编号和现有算法编号使用SHA-256指纹提供了参考。

5.1. RSA Public Key
5.1. RSA公钥

A public key with the following value in OpenSSH format [RFC4716] would appear as follows:

OpenSSH格式[RFC4716]中具有以下值的公钥将显示如下:

       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUR4JOhxTinzq7QO3bQXW4jmPCCulFsnh
       8Yi7MKwpMnd96+T7uV7nEwy+6+GWYu98IxFJByIjFXX/a6BXDp3878wezH1DZ2tN
       D/tu/eudz6ErpTFYmnVLyEDARYSzVBNQuIK1UDqvvB6KffJcyt78FpwW27euGkqE
       kam7GaurPRAgwXehDB/gMwRtXVRZ+13zYWkAmAY+5OAWVmdXuQVm5kjlvcNzto2H
       3m3nqJtD4J9L1lKPuSVVqwJr4/6hibXJkQEvWpUvdOAUw3frKpNwa932fXFk3ke4
       rsDjQ/W8GyleMtK3Tx8tE4z1wuowXtYe6Ba8q3LAPs/m2S4pUscx
       ---- END SSH2 PUBLIC KEY ----
        
       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUR4JOhxTinzq7QO3bQXW4jmPCCulFsnh
       8Yi7MKwpMnd96+T7uV7nEwy+6+GWYu98IxFJByIjFXX/a6BXDp3878wezH1DZ2tN
       D/tu/eudz6ErpTFYmnVLyEDARYSzVBNQuIK1UDqvvB6KffJcyt78FpwW27euGkqE
       kam7GaurPRAgwXehDB/gMwRtXVRZ+13zYWkAmAY+5OAWVmdXuQVm5kjlvcNzto2H
       3m3nqJtD4J9L1lKPuSVVqwJr4/6hibXJkQEvWpUvdOAUw3frKpNwa932fXFk3ke4
       rsDjQ/W8GyleMtK3Tx8tE4z1wuowXtYe6Ba8q3LAPs/m2S4pUscx
       ---- END SSH2 PUBLIC KEY ----
        
5.1.1. RSA Public Key with SHA1 Fingerprint
5.1.1. 具有SHA1指纹的RSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 1 1 ( dd465c09cfa51fb45020cc83316fff 21b9ec74ac )

SSHFP 1 1中的server.example.net(dd465c09cfa51fb45020cc83316fff 21b9ec74ac)

5.1.2. RSA Public Key with SHA-256 Fingerprint
5.1.2. 具有SHA-256指纹的RSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 1 2 ( b049f950d1397b8fee6a61e4d14a9a cdc4721e084eff5460bbed80cfaa2c e2cb )

SSHFP 1 2中的server.example.net(b049f950d1397b8fee6a61e4d14a9a cdc4721e084eff5460bbed80cfaa2c e2cb)

5.2. DSA Public Key
5.2. DSA公钥

A public key with the following value in OpenSSH format would appear as follows:

OpenSSH格式的公钥具有以下值,如下所示:

       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAB3NzaC1kc3MAAACBAPVFrc0U36gWaywbfJzjcv8ef13qAX4EJl8Na6xqvXh1
       t+aCJEdS7soRjtvK4KsNhk78DjdtnfhEhyFKHHNz3i6/c/s9lP0UjV7mRAo6nA7A
       3Gs6iQElb6O9Fqm6iVSC6bYWilTSB0tYencEEJUoaAua8YQF/uxRzPrReXxGqHnj
       AAAAFQDC9M/pli8VIVmEGOO0wC1TeUTN4wAAAIEAgA2Fbkbbeo0+u/qw8mQFOFWZ
       pTaqNo7d7jov3majbh5LqEVD7yT3MS1GSGhjgvvhus/ehMTqzYbjTc0szUM9JnwT
       7xq15P2ZYDK98IVxrw31jMtsUUEmBqB4DUjTurtcaWmJ9LNaP1/k4bMo0/hotnOc
       OVnIPsTLBFWVvdNRxUAAAACAOZcDcK01NTM1qIIYbBqCffrwjQ+9PmsuSKI6nUzf
       S4NysXHkdbW5u5VxeXLcwWj5PGbRfoS2P3vwYAmakqgq502wigam18u9nAczUYl+
       2kOeOiIRrtSmLfpV7thLOAb8k1ESjIlkbn35jKmTcoMFRXbFmkKRTK8OEnWQ8AVg
       6w8=
       ---- END SSH2 PUBLIC KEY ----
        
       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAB3NzaC1kc3MAAACBAPVFrc0U36gWaywbfJzjcv8ef13qAX4EJl8Na6xqvXh1
       t+aCJEdS7soRjtvK4KsNhk78DjdtnfhEhyFKHHNz3i6/c/s9lP0UjV7mRAo6nA7A
       3Gs6iQElb6O9Fqm6iVSC6bYWilTSB0tYencEEJUoaAua8YQF/uxRzPrReXxGqHnj
       AAAAFQDC9M/pli8VIVmEGOO0wC1TeUTN4wAAAIEAgA2Fbkbbeo0+u/qw8mQFOFWZ
       pTaqNo7d7jov3majbh5LqEVD7yT3MS1GSGhjgvvhus/ehMTqzYbjTc0szUM9JnwT
       7xq15P2ZYDK98IVxrw31jMtsUUEmBqB4DUjTurtcaWmJ9LNaP1/k4bMo0/hotnOc
       OVnIPsTLBFWVvdNRxUAAAACAOZcDcK01NTM1qIIYbBqCffrwjQ+9PmsuSKI6nUzf
       S4NysXHkdbW5u5VxeXLcwWj5PGbRfoS2P3vwYAmakqgq502wigam18u9nAczUYl+
       2kOeOiIRrtSmLfpV7thLOAb8k1ESjIlkbn35jKmTcoMFRXbFmkKRTK8OEnWQ8AVg
       6w8=
       ---- END SSH2 PUBLIC KEY ----
        
5.2.1. DSA Public Key with SHA1 Fingerprint
5.2.1. 具有SHA1指纹的DSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 2 1 ( 3b6ba6110f5ffcd29469fc1ec2ee25 d61718badd )

SSHFP 2 1中的server.example.net(3b6ba6110f5ffcd29469fc1ec2ee25 d61718badd)

5.2.2. DSA Public Key with SHA-256 Fingerprint
5.2.2. 具有SHA-256指纹的DSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 2 2 ( f9b8a6a460639306f1b38910456a6a e1018a253c47ecec12db77d7a0878b 4d83 )

SSHFP 2中的server.example.net(f9b8a6a460639306f1b38910456a6a E1018A253C47ECECEC12DB77D7A0878B 4d83)

5.3. ECDSA Public Key
5.3. ECDSA公钥

A public key with the following value in OpenSSH format would appear as follows:

OpenSSH格式的公钥具有以下值,如下所示:

       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAD+9COUiX7W
       YgcvIOdI8+djdoFDVUTxNrcog8sSYdbIzeG+bYdsssvcyy/nRfVhXC5QBCk8IThq
       s7D4/lFxX5g=
       ---- END SSH2 PUBLIC KEY ----
        
       ---- BEGIN SSH2 PUBLIC KEY ----
       AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAD+9COUiX7W
       YgcvIOdI8+djdoFDVUTxNrcog8sSYdbIzeG+bYdsssvcyy/nRfVhXC5QBCk8IThq
       s7D4/lFxX5g=
       ---- END SSH2 PUBLIC KEY ----
        
5.3.1. ECDSA Public Key with SHA1 Fingerprint
5.3.1. 具有SHA1指纹的ECDSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 3 1 ( c64607a28c5300fec1180b6e417b92 2943cffcdd )

SSHFP 3 1中的server.example.net(c64607a28c5300fec1180b6e417b92 2943cffcdd)

5.3.2. ECDSA Public Key with SHA-256 Fingerprint
5.3.2. 具有SHA-256指纹的ECDSA公钥

The SSHFP Resource Record for this key would be:

此密钥的SSHFP资源记录为:

server.example.net IN SSHFP 3 2 ( 821eb6c1c98d9cc827ab7f456304c0 f14785b7008d9e8646a8519de80849 afc7 )

SSHFP 3 2中的server.example.net(821eb6c1c98d9cc827ab7f456304c0 f14785b7008d9e8646a8519de80849 afc7)

6. IANA Considerations
6. IANA考虑

This document updates the IANA registry "SSHFP RR Types for public key algorithms" and "SSHFP RR types for fingerprint types" [SSHFPVALS].

本文档更新了IANA注册表“公钥算法的SSHFP RR类型”和“指纹类型的SSHFP RR类型”[SSHFPVALS]。

6.1. SSHFP RR Types for Public Key Algorithms
6.1. 公钥算法的SSHFP-RR类型

The following entries have been added to the "SSHFP RR Types for public key algorithms" registry:

以下条目已添加到“用于公钥算法的SSHFP RR类型”注册表中:

                   +-------+-------------+------------+
                   | Value | Description |  Reference |
                   +-------+-------------+------------+
                   |   3   |    ECDSA    | [This doc] |
                   +-------+-------------+------------+
        
                   +-------+-------------+------------+
                   | Value | Description |  Reference |
                   +-------+-------------+------------+
                   |   3   |    ECDSA    | [This doc] |
                   +-------+-------------+------------+
        
6.2. SSHFP RR Types for Fingerprint Types
6.2. 指纹类型的SSHFP RR类型

The following entries have been added to the "SSHFP RR types for fingerprint types" registry:

以下条目已添加到“指纹类型的SSHFP RR类型”注册表中:

                   +-------+-------------+------------+
                   | Value | Description |  Reference |
                   +-------+-------------+------------+
                   |   2   |   SHA-256   | [This doc] |
                   +-------+-------------+------------+
        
                   +-------+-------------+------------+
                   | Value | Description |  Reference |
                   +-------+-------------+------------+
                   |   2   |   SHA-256   | [This doc] |
                   +-------+-------------+------------+
        
7. Security Considerations
7. 安全考虑

Please see the security considerations in [RFC4255] for SSHFP Resource Records and [RFC5656] for the ECDSA.

请参阅[RFC4255]中有关SSHFP资源记录的安全注意事项,以及[RFC5656]中有关ECDSA的安全注意事项。

Users of SSHFP are encouraged to deploy SHA-256 as soon as implementations allow for it. The SHA-2 family of algorithms is widely believed to be more resilient to attack than SHA-1, and confidence in SHA-1's strength is being eroded by recently announced attacks [IACR2007/474]. Regardless of whether or not the attacks on SHA-1 will affect SSHFP, it is believed (at the time of this writing) that SHA-256 is the better choice for use in SSHFP records.

鼓励SSHFP用户在实施允许的情况下尽快部署SHA-256。人们普遍认为,SHA-2系列算法比SHA-1更能抵御攻击,而最近宣布的攻击正在削弱人们对SHA-1实力的信心[IACR2007/474]。无论对SHA-1的攻击是否会影响SSHFP,人们相信(在撰写本文时)在SSHFP记录中使用SHA-256是更好的选择。

SHA-256 is considered sufficiently strong for the immediate future, but predictions about future development in cryptography and cryptanalysis are beyond the scope of this document.

SHA-256被认为在不久的将来足够强大,但对密码术和密码分析未来发展的预测超出了本文的范围。

8. References
8. 工具书类
8.1. Normative References
8.1. 规范性引用文件

[FIPS.180-3.2008] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS PUB 180-3, October 2008, <http://csrc.nist.gov/publications/fips/fips180-3/ fips180-3_final.pdf>.

[FIPS.180-3.2008]国家标准与技术研究所,“安全哈希标准(SHS)”,FIPS PUB 180-3,2008年10月<http://csrc.nist.gov/publications/fips/fips180-3/ fips180-3_final.pdf>。

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.

[RFC1034]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.

[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,1987年11月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) Protocol Assigned Numbers", RFC 4250, January 2006.

[RFC4250]Lehtinen,S.和C.Lonvick,“安全外壳(SSH)协议分配编号”,RFC 4250,2006年1月。

[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture", RFC 4251, January 2006.

[RFC4251]Ylonen,T.和C.Lonvick,“安全外壳(SSH)协议架构”,RFC 4251,2006年1月。

[RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, January 2006.

[RFC4253]Ylonen,T.和C.Lonvick,“安全外壳(SSH)传输层协议”,RFC 4253,2006年1月。

[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, January 2006.

[RFC4255]Schlyter,J.和W.Griffin,“使用DNS安全发布安全外壳(SSH)密钥指纹”,RFC 4255,2006年1月。

[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer", RFC 5656, December 2009.

[RFC5656]Stebila,D.和J.Green,“安全壳传输层中的椭圆曲线算法集成”,RFC 56562009年12月。

8.2. Informative References
8.2. 资料性引用

[IACR2007/474] Cochran, M., "Notes on the Wang et al. 2^63 SHA-1 Differential Path", IACR 2007/474, <http://eprint.iacr.org/2007/474.pdf>.

[IACR2007/474]Cochran,M.,“关于Wang等人2^63 SHA-1微分路径的注释”,IACR 2007/474<http://eprint.iacr.org/2007/474.pdf>.

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

[RFC4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

[RFC4034]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 40342005年3月。

[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

[RFC4035]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。

[RFC4716] Galbraith, J. and R. Thayer, "The Secure Shell (SSH) Public Key File Format", RFC 4716, November 2006.

[RFC4716]Galbraith,J.和R.Thayer,“安全外壳(SSH)公钥文件格式”,RFC 47162006年11月。

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, February 2011.

[RFC6090]McGrew,D.,Igoe,K.,和M.Salter,“基本椭圆曲线密码算法”,RFC 60902011年2月。

[SSHFPVALS] IANA, "DNS SSHFP Resource Records Parameters", <http://www.iana.org/assignments/ dns-sshfp-rr-parameters>.

[SSHFPVALS]IANA,“DNS SSHFP资源记录参数”<http://www.iana.org/assignments/ dns sshfp rr参数>。

Author's Address

作者地址

Ondrej Sury CZ.NIC Americka 23 120 00 Praha 2 Czech Republic

Ondrej Sury CZ.NIC Americka 23 120 00普拉哈2捷克共和国

   Phone: +420 222 745 110
   EMail: ondrej.sury@nic.cz
        
   Phone: +420 222 745 110
   EMail: ondrej.sury@nic.cz