[Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt
Eric Rescorla <ekr@rtfm.com> Fri, 05 May 2017 19:33 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A69B8127876 for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 12:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYsBhhl0zgsC for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 12:33:42 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21FED126C25 for <curdle@ietf.org>; Fri, 5 May 2017 12:33:42 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id k11so7685044ywb.1 for <curdle@ietf.org>; Fri, 05 May 2017 12:33:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=ZzU+7h23106vTqpv/Fd4QguPik5NF+vOTQqijvsSysY=; b=DNIXjvn6dulrz58HeyIKAUZJfNfJbSwb2PBkJgRfeFWughF4EkrgOckvj714RNn5zw dIx1w08bGPzyw3lBXhkoQB4DfQc7JBd9XH6lgbWX2R6GydSgk6KiEg++rUvdrJFwe39I sXlA9n3P6+672cZ0MVahSpDEI1l+f7Kv4caJeIeDdndSxNXhMHY3GEb/2vID8Agkmw5n mkN83EMvb86eSYxJ3bdB7w83GprMtA9CirrPjYPTJywOuoLLlW575jozdjYJzeHtXHV7 zNl4moidDl9oPu1WF42ze03GZy8TVTS/QhVW4TEXB4TcHRiBH7F/6gzv7i5ZcfxYUR8y OUdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ZzU+7h23106vTqpv/Fd4QguPik5NF+vOTQqijvsSysY=; b=ag1GYq8nGrASwNf4WRiNMMFyNvHxg5VglYMIGDdcSQQWZKypBpYQFu5K7EmLeM/t1r wDHJWlWaarYEk7kMRzzs3sNe/p/4TGWmQx0f+74Bg/ZitvTN4vSTy7g8K9yUD6VHkwVR UIg7S5IhNd6xpa4Tor1k1QCSuK0ILAJ6lPhd4tPOPpYKk4eSJvOg231vFemeAjk/P/ly f0rTJtWrBOUSAbcmeiYYr0fvnOx/XUv4lNryHnZunnKcw/h7quh/X9kGq5sZtzESpBtd 97eldu4y/7lS3k4QCbpRZ5nYTvu7f1B4e37ocdbpqcnI6kgRPbVevdoUPqdyPKAlrbC6 4SFQ==
X-Gm-Message-State: AN3rC/4/FtTmPz2bw2c2POZpWoLmXbPXF4C/ooOS+f5xKWv647jgatR0 8lXikZH1ANUh2MJAEbA45MsVRTGg4/cbFno=
X-Received: by 10.129.52.141 with SMTP id b135mr40414199ywa.85.1494012821118; Fri, 05 May 2017 12:33:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Fri, 5 May 2017 12:33:00 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 May 2017 12:33:00 -0700
Message-ID: <CABcZeBMFWE35S0okfF378YMWoWmWuZRZCe4oHsHagN0LF9W0WA@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a114089847e3fcc054ecbf73b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/sCaBBa1FWqm9tE6m4u7VYcRG_xU>
Subject: [Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 19:33:44 -0000
Document: draft-ietf-curdle-ssh-curves-04.txt TECHNICAL S 2. The methods are based on Curve25519 and Curve448 scalar multiplication, as described in [RFC7748]. Private and public keys are generated as described therein. Public keys are defined as strings of 32 bytes for Curve25519 and 56 bytes for Curve448. Clients and servers MUST fail the key exchange if the length of the received public keys are not the expected lengths, or if the derived shared secret only consists of zero bits. No further validation is required beyond what is discussed in [RFC7748]. Is any other validation specified? Maybe I'm missing it, but I don't see any. S 2.1. IMPORTANT: other side’s public key and the local private key scalar. The 32 or 56 bytes of X are converted into K by interpreting the bytes as an unsigned fixed-length integer encoded in network byte order. This conversion follows the normal "mpint" process as described in section 5 of [RFC4251]. It appears you are specifying the opposite encoding from RFC 7748 which says: or GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u, in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... + First, I want to confirm that this is in fact true and that I'm not missing something. Second, if it's not true, this needs to be called out in big letters. EDITORIAL Curve25519 provide strong security and is efficient on a wide range of architectures, and has properties that allows better implementation properties compared to traditional elliptic curves. Curve448 with SHA-512 is similar, but have not received the same has not received -Ekr
- [Curdle] AD Review of: draft-ietf-curdle-ssh-curv… Eric Rescorla
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Mark D. Baushke
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Eric Rescorla
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Mark D. Baushke