Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

Hubert Kario <> Wed, 26 August 2020 11:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75AA83A11AB for <>; Wed, 26 Aug 2020 04:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 47AgdcUoSyjq for <>; Wed, 26 Aug 2020 04:36:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0CD183A104D for <>; Wed, 26 Aug 2020 04:36:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1598441768; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pruSeLO9wilvSnccyI4Ua+yMmzYJGJWY9UyyPG0XolA=; b=bf6O51PluVrWqYkk2AQf6YXCdzcU0BETgWzyA6u1Gk61hA4ebvciT7yzRvNurqc5DlXo4Y 3B+3xe0v8tOT6Xa8icRfoVuFnQyaVurhDo8cje5ceM5Zz5SuLTH734BbzJqP8yAHidZL/o 5lQY1GkwMYYO8bQOQeEOiVyQgF3wTZw=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-487-S788t_RCPTisqke6Rj69zQ-1; Wed, 26 Aug 2020 07:36:06 -0400
X-MC-Unique: S788t_RCPTisqke6Rj69zQ-1
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7D70B18A2251 for <>; Wed, 26 Aug 2020 11:36:03 +0000 (UTC)
Received: from localhost (unknown []) by (Postfix) with ESMTPS id 08D405D9EF for <>; Wed, 26 Aug 2020 11:36:02 +0000 (UTC)
From: Hubert Kario <>
Date: Wed, 26 Aug 2020 13:36:00 +0200
MIME-Version: 1.0
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.13.2; xcb; Linux; Fedora release 31 (Thirty One)
X-Scanned-By: MIMEDefang 2.79 on
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0.001
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Aug 2020 11:36:20 -0000

On Tuesday, 18 August 2020 07:42:40 CEST, Ron Frederick wrote:
> On Aug 17, 2020, at 3:34 PM, Mark D. Baushke <> wrote:
>> Ron Frederick <> writes: ...
>> That said, there are many who have been doing research which seems to
>> show that ECC is easier to break with Quantum Crypto systems than FFC
>> and are NOT interested in implementating ANY ECC algorithms.
>> I believe I have seen some text from implementers who have said they
>> would NOT adopt ECC for their SSH implementations.
> That’s interesting - I hadn’t read that. I was aware of 
> concerns about potential compromises in the nistp curves, but 
> not specifically about Quantum attacks against ECC.

basically it boils down to the size of the field, with 256 bit field you
need 384 qbit QC, with 2048 bit field you need 3072 qbit QC to break it

so ECC will be broken before RSA/DH/DSA of similar classical level of 

the open question is how much time RSA/DH will have over ECC

>> - I’m also thinking diffie-hellman-group15-sha512 might be a good
>>>  candidate for a SHOULD rather than a MAY, but I’m not sure we have
>>>  consensus on that.
>> Yup, I have not seen any consensus on this issue as yet.
>> Perhaps we should opt to make diffie-hellman-group-exchange-sha256 a
>> MUST? This allows implementors to put in whatever MODP groups they wish
>> as long as q = (p-1)/2 ... so, a maximized q-ordered subgroup... though
>> I o worry a bit about the way that the generator g is created perhaps
>> not providing that g^q mod p == 1 is a will formed subgroup. When it is
>> not a well-formed subgroup, then it will be leaking the first bit of the
>> key value.
> That’s an interesting thought. Are there “best practices” which 
> could be followed in generating/validating  these values that 
> could avoid such a weakness?

if the p is a safe prime, then "a bad" generator can leak one bit of the 
key, but it can leak at most one bit of private key; you can guess that bit
with a 50% chance of being right anyway, that does not translate to an 

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic