IETF Logo Mail Archive

Re: [Curdle] ssh-ed25519 implementations

Ron Frederick <ronf@timeheart.net> Thu, 11 May 2017 02:49 UTC

Return-Path: <ronf@timeheart.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4514312EB2A for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 19:49:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.334
X-Spam-Level:
X-Spam-Status: No, score=-1.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlYgwVFDVqpu for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 19:49:32 -0700 (PDT)
Received: from mail-pf0-x22d.google.com (mail-pf0-x22d.google.com [IPv6:2607:f8b0:400e:c00::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 037B01296C9 for <curdle@ietf.org>; Wed, 10 May 2017 19:49:31 -0700 (PDT)
Received: by mail-pf0-x22d.google.com with SMTP id e193so6681052pfh.0 for <curdle@ietf.org>; Wed, 10 May 2017 19:49:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=hPIwb7fpi9Nrv8RUa7DTjE4iC6XJ3cnT3cY0MhWq+80=; b=UsHslBSMnOSAce3knbV/TUFamDyOX5vmEdphL55JKcOQNB4QYKGmd6NwE37N9J9QGe EwRWNdWTP/lpkPpb9g0DP9yWHRqqY8/uHo7LNVja0aoSr65Gw7bjV8useYRrwpmmAWUd SAMGsxoNrr9YYQnyUC72rfeSl9EUmgJnkUOOw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=hPIwb7fpi9Nrv8RUa7DTjE4iC6XJ3cnT3cY0MhWq+80=; b=SyzIWlr/fwYO2Yk4jBeXnkWBbXfydkAB1PKOOMZwhnTXiAPiDp3X9RXBZIKxaY5wBx ZiY3UtUYTbirKOX9BfdRE5VhoE8g7htIyH/QZPkAG6+CMoRQba9OTR0pKfY8AuDjXgvV j1cCJTpq4xoNXc1sHH3JAlTbRZ7XcB5nnsDwYdXdUqfBD0VPaN+Ul8ck3OfAHfSYSJ2D aAYl9njvL7iEkUi3UMYGdv9gc7oAvOLLCoBSRETlUDn2ACqdUvFLyHsfmEwNYvoLad7l GcrqsCHe2jv/64AD3UGxH55UH6avpMLqJbiPTb6NOmfUVD5MBboBpInEsFvYyeTdhz4N Gjvw==
X-Gm-Message-State: AODbwcDA52y89gacYgk7sE+6nqYWXj5fCULMHitqxRJ421fKz57YBcvy tmL37gEo+Jobng==
X-Received: by 10.84.130.7 with SMTP id 7mr12474829plc.35.1494470971492; Wed, 10 May 2017 19:49:31 -0700 (PDT)
Received: from ?IPv6:2601:647:4282:2200:cfa:5497:d692:7eeb? ([2601:647:4282:2200:cfa:5497:d692:7eeb]) by smtp.gmail.com with ESMTPSA id z68sm416169pgz.14.2017.05.10.19.49.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 May 2017 19:49:30 -0700 (PDT)
From: Ron Frederick <ronf@timeheart.net>
Message-Id: <0BC6F061-CBFB-4935-9C00-42CB1741543D@timeheart.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E671D99B-B3F3-4360-A53E-275EF6CD33BA"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 10 May 2017 19:49:29 -0700
In-Reply-To: <76FD0F39-1F3D-4476-A3D8-D4C942C2EFD1@juniper.net>
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "curdle@ietf.org" <curdle@ietf.org>
To: Mark Baushke <mdb@juniper.net>
References: <76FD0F39-1F3D-4476-A3D8-D4C942C2EFD1@juniper.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/HjK2W69pokbwlnErgkRdCwaXu9k>
X-Mailman-Approved-At: Thu, 11 May 2017 07:50:29 -0700
Subject: Re: [Curdle] ssh-ed25519 implementations
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 02:50:39 -0000

On May 10, 2017, at 9:18 AM, Mark Baushke <mdb@juniper.net> wrote:
> Eric Rescorla <ekr@rtfm.com> has brought to my attention that in
> https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-04 it is
> currently specifying the SSH encoding of secrets on the wire using the
> mpint process as described in section 5 of [RFC4251] while RFC 7748
> describes using a little-endian format:
> 
>  GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u,
>  in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... +
> 
> This seems to be what is being implemeneted for
> curve25519-sha256@libssh.org, so I should make
> an explicit note of this in the draft.
> 
> However, I am unaware of any curve448-sha512 implementations at
> present and would like consensus that it should also follow the mpint
> method rather than the RFC 7748 method.
> 
> Please reply to curdle@ietf.org with your opinions.


I have implemented for ssh-ed25519 public keys and certificates in AsyncSSH, and my implementation currently uses opaque byte strings taken from the implementation of curve25519 in libsodium when encoding public and private keys. These byte strings are encoded as SSH ‘string’ values (4-byte big-endian string length followed by an array of bytes of that length). The public key is a single string value and the private key is the concatenation of two string values (public key followed by private key, each with its own preceding 4-byte length value). This implementation interoperates with OpenSSH.

More details can be found in the Internet Draft at:

https://tools.ietf.org/html/draft-bjh21-ssh-ed25519-00 <https://tools.ietf.org/html/draft-bjh21-ssh-ed25519-00>

This refers to:

https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03 <https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03>

I have also implemented curve25519-sha256@libssh.org <mailto:curve25519-sha256@libssh.org> key exchange as documented at:

https://git.libssh.org/projects/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt <https://git.libssh.org/projects/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt>

OpenSSH also implements this, and makes it available under both this name and more recently as just “curve25519-sha256”.

Here, the public key values exchanged in messages like KEX_ECDH_INIT and KEX_ECDH_REPLY are opaque byte strings similar to the above. As discussed in https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-04 <https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-04>, the final computed shared secret value is converted to an integer by taking the 32-byte point obtained by scalar multiplication and treating the bytes as a bigendian (network byte order) value, but this value is never directly sent on the wire, so I’m not sure the “mpint" encoding ever applies to it. The only values on the wire are the public keys and signature values, all of which are encoded as strings.
-- 
Ron Frederick
ronf@timeheart.net

v2.23.0 | Report a Bug | By Email