[Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.

Eric Rescorla <ekr@rtfm.com> Mon, 24 December 2018 22:17 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Dec 2018 14:16:24 -0800
Message-ID: <CABcZeBM1xaLR2RqYo8_VmO1ue2qr3rn_52MhSDHagKhNF-AYQA@mail.gmail.com>
To: draft-ietf-curdle-ssh-curves.all@ietf.org, curdle <curdle@ietf.org>
Subject: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/S_7Ahl1I9uTyAFCaLbu-bg6VKx8>

Thanks for addressing my comments.

IMPORTANT
S 3.
>      received public keys are not the expected lengths, or if the derived
>      shared secret only consists of zero bits.  No further validation is
>      required beyond what is discussed in [RFC7748].  The derived shared
>      secret is 32 bytes when Curve25519 is used and 56 bytes when Curve448
>      is used.  The encodings of all values are defined in [RFC7748].  The
>      hash used is SHA-256 for Curve25519 and SHA-512 for Curve448.

This is true if you use the 7748 algorithm, but not necessarily
otherwise.

Here is some OK language (from tcpcrypt)

   Key-agreement schemes ECDHE-Curve25519 and ECDHE-Curve448 perform the
   Diffie-Hellman protocol using the functions X25519 and X448,
   respectively.  Implementations SHOULD compute these functions using
   the algorithms described in [RFC7748].  When they do so,
   implementations MUST check whether the computed Diffie-Hellman shared
   secret is the all-zero value and abort if so, as described in
   Section 6 of [RFC7748].  Alternative implementations of these
   functions SHOULD abort when either input forces the shared secret to
   one of a small set of values, as discussed in Section 7 of
   [RFC7748].

COMMENTS
S 1.
>      key exchange protocol described in [RFC4253] supports an extensible
>      set of methods.  [RFC5656] describes how elliptic curves are
>      integrated in SSH, and this document reuses those protocol messages.
>
>      This document describes how to implement key exchange based on
>      Curve25519 and Ed448-Goldilocks [RFC7748] in SSH.  For Curve25519

7748 calls this Curve448 and you do so later, so please be consistent.
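The S 3 point above (the length check on the received public value and the abort on an all-zero shared secret) can be shown end to end with the X25519 function itself. The following is an added example written for this review; it is not code from the draft, from RFC 7748 or from tcpcrypt. The function names x25519, ssh_shared_secret, public_key and rejects are hypothetical, and the ladder follows the RFC 7748 Section 5 pseudocode in plain Python integers, so it is variable-time and for illustration only. It shows why the all-zero check is sufficient when the RFC 7748 algorithm is used: the scalar clamping makes every private scalar a multiple of the cofactor 8, so a low-order peer point (u = 0 or u = 1 here) multiplies to the identity and the ladder encodes that as 32 zero bytes. An implementation computing X25519 some other way has no such guarantee and needs the input-side check the tcpcrypt text describes.

```python
"""X25519 per RFC 7748 Section 5, plus the checks an SSH implementation
performs on the peer's value: expected length (32 bytes for Curve25519)
and abort on an all-zero shared secret (RFC 7748 Section 6).

Added example, not code from draft-ietf-curdle-ssh-curves, RFC 7748 or
tcpcrypt. Variable-time reference arithmetic, for illustration only.
"""

P = 2**255 - 19                      # field prime for Curve25519
A24 = 121665                         # (A - 2) / 4 with A = 486662
BASE_POINT = bytes([9]) + bytes(31)  # u = 9, little-endian encoding


def _decode_u(u: bytes) -> int:
    """Little-endian decode of a 32-byte u-coordinate; X25519 masks the
    top bit of the last byte (RFC 7748 Section 5)."""
    b = bytearray(u)
    b[31] &= 0x7F
    return int.from_bytes(b, "little")


def _encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp: clear the low 3 bits (multiple of the cofactor 8),
    clear bit 255 and set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder on the u-coordinate, as in RFC 7748 Section 5."""
    x1, x2, z2, x3, z3 = u, 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (not constant-time here)
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Fermat inversion: the identity has z2 == 0, and 0^(p-2) == 0,
    # so a low-order input point comes out as the all-zero u-coordinate.
    return x2 * pow(z2, P - 2, P) % P


def x25519(private_key: bytes, peer_public: bytes) -> bytes:
    """Raw X25519; the length check is the one the draft requires before
    decoding the peer's value."""
    if len(private_key) != 32 or len(peer_public) != 32:
        raise ValueError("X25519 inputs must be exactly 32 bytes")
    return _encode_u(_ladder(_decode_scalar(private_key), _decode_u(peer_public)))


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASE_POINT)


def ssh_shared_secret(private_key: bytes, peer_public: bytes) -> bytes:
    """Shared secret as an SSH KEX method should derive it: length check,
    X25519, then abort if the result is all zero (RFC 7748 Section 6)."""
    secret = x25519(private_key, peer_public)
    if secret == bytes(32):
        raise ValueError("all-zero shared secret: peer sent a low-order point")
    return secret


def rejects(private_key: bytes, peer_public: bytes) -> bool:
    """True if ssh_shared_secret aborts on this peer value."""
    try:
        ssh_shared_secret(private_key, peer_public)
    except ValueError:
        return True
    return False
```

The abort cases worth exercising are the all-zero encoding (u = 0) and u = 1, both low-order points listed in RFC 7748 Section 6, and a 31-byte value, which fails the length check before any arithmetic runs. For a correctness reference, the Alice/Bob vectors from RFC 7748 Section 6.1 round-trip through public_key and ssh_shared_secret.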