IETF Logo Mail Archive

[Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt

Eric Rescorla <ekr@rtfm.com> Fri, 05 May 2017 19:33 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A69B8127876 for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 12:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYsBhhl0zgsC for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 12:33:42 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21FED126C25 for <curdle@ietf.org>; Fri, 5 May 2017 12:33:42 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id k11so7685044ywb.1 for <curdle@ietf.org>; Fri, 05 May 2017 12:33:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=ZzU+7h23106vTqpv/Fd4QguPik5NF+vOTQqijvsSysY=; b=DNIXjvn6dulrz58HeyIKAUZJfNfJbSwb2PBkJgRfeFWughF4EkrgOckvj714RNn5zw dIx1w08bGPzyw3lBXhkoQB4DfQc7JBd9XH6lgbWX2R6GydSgk6KiEg++rUvdrJFwe39I sXlA9n3P6+672cZ0MVahSpDEI1l+f7Kv4caJeIeDdndSxNXhMHY3GEb/2vID8Agkmw5n mkN83EMvb86eSYxJ3bdB7w83GprMtA9CirrPjYPTJywOuoLLlW575jozdjYJzeHtXHV7 zNl4moidDl9oPu1WF42ze03GZy8TVTS/QhVW4TEXB4TcHRiBH7F/6gzv7i5ZcfxYUR8y OUdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ZzU+7h23106vTqpv/Fd4QguPik5NF+vOTQqijvsSysY=; b=ag1GYq8nGrASwNf4WRiNMMFyNvHxg5VglYMIGDdcSQQWZKypBpYQFu5K7EmLeM/t1r wDHJWlWaarYEk7kMRzzs3sNe/p/4TGWmQx0f+74Bg/ZitvTN4vSTy7g8K9yUD6VHkwVR UIg7S5IhNd6xpa4Tor1k1QCSuK0ILAJ6lPhd4tPOPpYKk4eSJvOg231vFemeAjk/P/ly f0rTJtWrBOUSAbcmeiYYr0fvnOx/XUv4lNryHnZunnKcw/h7quh/X9kGq5sZtzESpBtd 97eldu4y/7lS3k4QCbpRZ5nYTvu7f1B4e37ocdbpqcnI6kgRPbVevdoUPqdyPKAlrbC6 4SFQ==
X-Gm-Message-State: AN3rC/4/FtTmPz2bw2c2POZpWoLmXbPXF4C/ooOS+f5xKWv647jgatR0 8lXikZH1ANUh2MJAEbA45MsVRTGg4/cbFno=
X-Received: by 10.129.52.141 with SMTP id b135mr40414199ywa.85.1494012821118; Fri, 05 May 2017 12:33:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Fri, 5 May 2017 12:33:00 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 May 2017 12:33:00 -0700
Message-ID: <CABcZeBMFWE35S0okfF378YMWoWmWuZRZCe4oHsHagN0LF9W0WA@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a114089847e3fcc054ecbf73b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/sCaBBa1FWqm9tE6m4u7VYcRG_xU>
Subject: [Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 19:33:44 -0000

Document: draft-ietf-curdle-ssh-curves-04.txt

TECHNICAL
S 2.

   The methods are based on Curve25519 and Curve448 scalar
   multiplication, as described in [RFC7748].  Private and public keys
   are generated as described therein.  Public keys are defined as
   strings of 32 bytes for Curve25519 and 56 bytes for Curve448.
   Clients and servers MUST fail the key exchange if the length of the
   received public keys are not the expected lengths, or if the derived
   shared secret only consists of zero bits.  No further validation is
   required beyond what is discussed in [RFC7748].

Is any other validation specified? Maybe I'm missing it, but I don't
see any.


S 2.1. IMPORTANT:
   other side’s public key and the local private key scalar.  The 32 or
   56 bytes of X are converted into K by interpreting the bytes as an
   unsigned fixed-length integer encoded in network byte order.  This
   conversion follows the normal "mpint" process as described in section
   5 of [RFC4251].

It appears you are specifying the opposite encoding from RFC 7748 which
says:

   or GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u, in
   little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... +

First, I want to confirm that this is in fact true and that I'm not
missing something. Second, if it's not true, this needs to be called out
in big letters.


EDITORIAL
   Curve25519 provide strong security and is efficient on a wide range
   of architectures, and has properties that allows better
   implementation properties compared to traditional elliptic curves.
   Curve448 with SHA-512 is similar, but have not received the same

has not received

-Ekr

v2.23.0 | Report a Bug | By Email