Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?

denis bider, Tue, 14 July 2020 21:16 UTC

From: denis bider
Date: Tue, 14 Jul 2020 16:16:03 -0500
To: "Mark D. Baushke"
Cc: curdle

(Replying to Curdle - the message I forward below was posted only on the

I'm pretty sure all the feedback so far suggests that
"diffie-hellman-group14-sha256" is the only key exchange method that has
consensus as a MUST right now.

With regard to group15 - if memory serves, the OpenSSH guys were
complaining about too much granularity in that regard, they preferred

group16 and larger have my protest as a MUST because too expensive.

DH group exchange methods are not interoperable: implementations that
generate their own groups fail to interoperate with FIPS implementations
half of the time.

ECDH has protestations from some niche implementers. Curve25519 apparently
isn't coming soon to SSH clients that run on clothing tags.

That leaves "diffie-hellman-group14-sha256", which is sensible for MUST,
even though in no way ambitious.

(Note the lowercase "diffie-hellman-group14-...". I've seen someone
capitalize it in this thread. Per RFC 4251, SSH algorithm names are case

In the SSH/QUIC draft, I opted for the following language:

"The requirement to implement any particular QUIC protocol version or TLS
cipher suite expires on the 5-year anniversary of the publishing of this
memo. At that point, implementers SHOULD consult any new standards
documents if available, or survey the practical use of SSH/QUIC for
implementation guidance."

Perhaps we could put in something like that, given that the only candidate
for MUST is the lowest common denominator that still meets current security


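Added example, not from this thread or from any SSH implementation: the algorithm-name negotiation that the lowercase remark above is about. It follows RFC 4251 section 6 (names are printable US-ASCII, at most 64 characters, no whitespace, commas or control characters, and case-sensitive) and the RFC 4253 section 7.1 rule that the chosen kex method is the first name on the client's list that also appears on the server's list. The name-lists are constructed; the extra RFC 4253 condition that the chosen kex must be usable with the negotiated host key type is left out for brevity. A capitalized "Diffie-Hellman-Group14-SHA256" never matches the registered lowercase name.

```python
"""SSH name-list parsing and kex negotiation (RFC 4251 s.6, RFC 4253 s.7.1).
Added illustration; not code from any SSH implementation."""

# The one method the thread treats as the MUST-implement candidate.
MUST_IMPLEMENT_KEX = "diffie-hellman-group14-sha256"


def parse_name_list(name_list):
    """Split an SSH name-list (comma separated, empty string = empty list) and
    enforce RFC 4251 naming rules.  Case is preserved: names are case-sensitive."""
    if name_list == "":
        return []
    names = name_list.split(",")
    for name in names:
        if not 0 < len(name) <= 64:
            raise ValueError("bad name length: %r" % name)
        # printable US-ASCII excluding space (32) and DEL (127); commas are gone after split()
        if not all(33 <= ord(c) <= 126 for c in name):
            raise ValueError("whitespace or non-printable character in name: %r" % name)
        # local names are "name@domain"; a standard name has no '@' at all
        if name.count("@") > 1 or name.startswith("@") or name.endswith("@"):
            raise ValueError("malformed local name: %r" % name)
    return names


def negotiate_kex(client_list, server_list):
    """RFC 4253 s.7.1: first name on the client's list that is also on the
    server's list; exact (case-sensitive) membership test.  None = no match,
    which in a real implementation ends in a disconnect."""
    server_names = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server_names:
            return name
    return None


def offers_must_kex(name_list):
    """Does this KEXINIT name-list advertise the MUST-implement method?"""
    return MUST_IMPLEMENT_KEX in parse_name_list(name_list)


if __name__ == "__main__":
    # Constructed name-lists for the demo.
    client = "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512"
    server = "diffie-hellman-group16-sha512,diffie-hellman-group14-sha256"
    print("negotiated:", negotiate_kex(client, server))
    print("capitalized name matches lowercase registry entry:",
          negotiate_kex("Diffie-Hellman-Group14-SHA256", server) is not None)
```

Note that the client's ordering, not the server's, decides: with the constructed lists above the result is group14 even though the server lists group16 first.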
-------- Forwarded Message --------
Subject: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
Date: Tue, 14 Jul 2020 04:10:18 +0000
From: Peter Gutmann <>
To: Mouse <mouse@Rodents-Montreal.ORG>,

Mouse <mouse@Rodents-Montreal.ORG> writes:

> As an implementor, it is highly unlikely I will support anything elliptic
> curve in the foreseeable future.

I support it but it's disabled by default because I can't think of a
used cryptosystem more riddled with side-channels than (EC)DSA, and most of
them end up leaking the private key (that's ECDSA, not 25519 which is too
novel/nonstandard to be usable with anything I work with). In fact a recent
paper on yet another set of side-channel attacks (either "Minerva: The Curse
of ECDSA Nonces" or "Big Numbers - Big Troubles") mentions that this is
the latest set of side-channels that need patching, and more are expected in
the future. And that's after several years of patching ECDSA side-channels

At least with RSA you can just blind and be mostly done with it, you don't
have to deal with a mechanism where there's a linear relation between the
signing nonce and the private key, with everything around that tied up in
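Added example, not part of the forwarded message: the "linear relation between the signing nonce and the private key" that Peter Gutmann refers to, made concrete. An ECDSA signature satisfies s*k = z + r*d (mod n), so anyone who learns the nonce k for one signature solves for d directly, and two signatures made with the same k share r and let the attacker cancel d to get k first. The code is a readable, deliberately non-constant-time ECDSA over secp256k1 (pure Python, Python 3.8+ for pow(x, -1, m)); the key, nonce and messages are constructed for the demo. Attacks such as Minerva recover d from only a few leaked nonce bits per signature by lattice methods; that step is not shown here, only the underlying relation it exploits.

```python
"""ECDSA nonce leak / nonce reuse key recovery on secp256k1.
Added illustration; toy implementation, never use for real keys."""
import hashlib

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(p), base point G of order n
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P == -Q
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope, a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P):
    """Plain double-and-add: its branch on each bit of k is exactly the kind
    of side channel the thread is talking about.  Demo only."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def hash_to_int(msg):
    """SHA-256 of the message as an integer (z in the ECDSA equations)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, z, k):
    """ECDSA signing with a caller-supplied nonce so the demo can leak or reuse it.
    s = k^-1 (z + r d) mod n, i.e. s k = z + r d: linear in the secrets k and d."""
    r = ec_mul(k, G)[0] % n
    s = pow(k, -1, n) * (z + r * d) % n
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return (r, s)


def verify(Q, z, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = ec_add(ec_mul(z * w % n, G), ec_mul(r * w % n, Q))
    return R is not None and R[0] % n == r


def recover_from_known_nonce(z, sig, k):
    """Full nonce leak: solve s k = z + r d for d."""
    r, s = sig
    return (s * k - z) * pow(r, -1, n) % n


def recover_from_reused_nonce(z1, sig1, z2, sig2):
    """Nonce reuse: same k gives same r; subtracting s1 k = z1 + r d and
    s2 k = z2 + r d cancels d, so k = (z1 - z2) / (s1 - s2), then d as above."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: the nonce was not reused")
    k = (z1 - z2) * pow((s1 - s2) % n, -1, n) % n
    return k, recover_from_known_nonce(z1, sig1, k)


def demo():
    """Constructed key, nonce and messages (derived from fixed strings, not secret)."""
    d = hash_to_int(b"constructed demo private key") % n
    k = hash_to_int(b"constructed demo nonce") % n
    Q = ec_mul(d, G)
    z1, z2 = hash_to_int(b"first signed message"), hash_to_int(b"second signed message")
    sig1, sig2 = sign(d, z1, k), sign(d, z2, k)      # same k twice: the classic mistake
    assert verify(Q, z1, sig1) and verify(Q, z2, sig2)
    d_leak = recover_from_known_nonce(z1, sig1, k)
    k_reuse, d_reuse = recover_from_reused_nonce(z1, sig1, z2, sig2)
    return d, d_leak, k, k_reuse, d_reuse


if __name__ == "__main__":
    d, d_leak, k, k_reuse, d_reuse = demo()
    print("leaked nonce recovers the private key:", d_leak == d)
    print("reused nonce recovers nonce and key:  ", k_reuse == k and d_reuse == d)
```

The contrast with the RSA remark is visible in sign(): there is no secret-dependent quantity that blinding can hide, because k itself is the per-signature secret and the equation stays linear in it whatever is done to the message.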