Re: Curve25519/448 key agreement for SSH
denis bider <ietf-ssh3@denisbider.com> Tue, 10 November 2015 22:34 UTC
Date: Tue, 10 Nov 2015 14:32:17 +0000
Subject: Re: Curve25519/448 key agreement for SSH
Message-ID: <2289172118-568@skroderider.denisbider.com>
From: denis bider <ietf-ssh3@denisbider.com>
To: ietf-ssh@netbsd.org
Cc: Simon Josefsson <simon@josefsson.org>, djm@mindrot.org
Simon -

> A simple approach would be to say that if the MSB is 1,
> prepend a zero byte. However, the length difference
> would leak that information.

The length difference might not be much of a problem, since K is never sent.

> For Curve448 this seems like a problem. Is it okay to
> prepend a zero byte in SSH big integers even if
> one is not necessary?

No, this is prohibited in RFC 4251:

   Unnecessary leading bytes with the value 0 or 255 MUST NOT be
   included. The value zero MUST be stored as a string with zero
   bytes of data.

denis

----- Original Message -----
From: Simon Josefsson
Sent: Tuesday, November 10, 2015 03:30
To: denis bider
Cc: ietf-ssh@netbsd.org
Subject: Re: Curve25519/448 key agreement for SSH

denis bider <ietf-ssh3@denisbider.com> writes:

> Simon, Aris -
>
> thank you for this work. I plan to be implementing this soon, and I
> appreciate that you're moving ahead with standardization.

Hi Denis. Excellent! It would be perfect if someone would attempt
implementation based on this document (and cfrg-curves) and tell us what
is missing, and what could have helped them implement it more quickly.

> With respect to conversion of the binary string X into mpint K, is
> there a chance that X might have its high bit set?
>
> If it's possible for the high bit to be set, it seems you ought to
> clarify how that's converted into mpint, given that mpint is signed:
>
> https://www.ietf.org/rfc/rfc4251.txt
>
>    Represents multiple precision integers in two's complement format,
>    stored as a string, 8 bits per byte, MSB first. Negative numbers
>    have the value 1 as the most significant bit of the first byte of
>    the data partition. If the most significant bit would be set for
>    a positive number, the number MUST be preceded by a zero byte.

Good point, I believe the document has to discuss the mapping between
binary Curve25519/Curve448 strings into mpint's.

A simple approach would be to say that if the MSB is 1, prepend a zero
byte. However, the length difference would leak that information. For
Curve25519 the most-significant bit is always zero though, so this will
never happen. For Curve448 this seems like a problem. Is it okay to
prepend a zero byte in SSH big integers even if one is not necessary?
Then a simple approach would be to do nothing for Curve25519 and to
always add a zero byte for Curve448.

> Besides that, I'm noticing the language could use improvement in
> places ("this document re-use" -> "this document reuses", "is is" ->
> "is").

Fixed, thank you.

/Simon

> Overall, thank you for moving forward with this, though.
>
>
> ----- Original Message -----
> From: Simon Josefsson
> Sent: Monday, November 9, 2015 09:07
> To: ietf-ssh@netbsd.org
> Subject: Curve25519/448 key agreement for SSH
>
> Aris and I have prepared a document describing key agreement using the
> CFRG curves for Secure Shell. As you know, curve25519-sha256@libssh.org
> is already implemented by libssh, OpenSSH, Dropbear, and some others.
> This is about putting the description of that into IETF format, and to
> add the Curve448 hedge variant chosen by CFRG. It might not be detailed
> enough for independent implementation, but we hope to get there. Any
> review and feedback is welcome.
>
> https://tools.ietf.org/html/draft-josefsson-ssh-curves
>
> /Simon
>
> PS. There is https://tools.ietf.org/html/draft-bjh21-ssh-ed25519 but
> that talks about Ed25519 signatures. The document above is about key
> agreement.
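An added example, not code from this thread or from draft-josefsson-ssh-curves: the RFC 4251 mpint conversion the two messages above are debating, in Python, under the assumption that the 32- or 56-byte string X is read as an unsigned big-endian integer before it becomes K. `mpint_is_canonical` is a hypothetical receiver-side check of the "unnecessary leading bytes MUST NOT be included" rule denis quotes, and the X values in `body_lengths` are constructed to show the length spread Simon raises for Curve448.

```python
# Added example; assumes X is interpreted as an unsigned big-endian integer.

def mpint_encode(x: bytes) -> bytes:
    """RFC 4251 mpint body for the unsigned integer in x: drop leading zero
    bytes, prepend one 0x00 only if the top bit would read as a sign bit,
    and encode zero as the empty string."""
    body = x.lstrip(b"\x00")
    if not body:
        return b""
    if body[0] & 0x80:
        body = b"\x00" + body
    return body

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' framing: 4-byte big-endian length, then the data."""
    return len(data).to_bytes(4, "big") + data

def shared_secret_to_k(x: bytes) -> bytes:
    """K as it enters the exchange hash: the mpint body framed as a string."""
    return ssh_string(mpint_encode(x))

def mpint_is_canonical(body: bytes) -> bool:
    """Hypothetical receiver check of the quoted rule: no unnecessary leading
    0x00 or 0xff byte, and zero is the empty string (so b'\\x00' is rejected)."""
    if body == b"":
        return True
    if body[0] == 0x00:
        return len(body) > 1 and bool(body[1] & 0x80)
    if body[0] == 0xFF:
        return len(body) == 1 or not (body[1] & 0x80)
    return True

def body_lengths(width: int) -> dict:
    """Constructed X values of the given width (56 for Curve448): the mpint
    body is width+1 bytes when X's top bit is set, width bytes when it is
    clear, and shorter when X has leading zero bytes, so len(K) depends on X."""
    samples = {
        "top bit clear": b"\x7f" + b"\xa5" * (width - 1),
        "top bit set": b"\x80" + b"\xa5" * (width - 1),
        "leading zero byte": b"\x00\x7f" + b"\xa5" * (width - 2),
    }
    return {name: len(mpint_encode(x)) for name, x in samples.items()}

if __name__ == "__main__":
    for name, n in body_lengths(56).items():
        print(f"Curve448 X with {name}: mpint body is {n} bytes")
```

Note that always prepending a zero byte for Curve448 would make `mpint_is_canonical` fail whenever X's top bit is clear, which is the RFC 4251 conflict denis points out.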