Re: Curve25519/448 key agreement for SSH

Simon Josefsson <simon@josefsson.org> Thu, 25 February 2016 11:53 UTC

Date: Thu, 25 Feb 2016 12:52:35 +0100
From: Simon Josefsson <simon@josefsson.org>
To: nisse@lysator.liu.se
Cc: "Mark D. Baushke" <mdb@juniper.net>, denis bider <ietf-ssh3@denisbider.com>, ietf-ssh@NetBSD.org
Subject: Re: Curve25519/448 key agreement for SSH
Message-ID: <20160225125235.3d72117f@latte.josefsson.org>
In-Reply-To: <nnpovp3yen.fsf@armitage.lysator.liu.se>
References: <1023314969-1152@skroderider.denisbider.com> <874mg9y7s9.fsf@latte.josefsson.org> <423.1456071768@eng-mail01.juniper.net> <nnpovp3yen.fsf@armitage.lysator.liu.se>

On Mon, 22 Feb 2016 10:08:32 +0100,
Re: Curve25519/448 key agreement for SSH wrote:

> "Mark D. Baushke" <mdb@juniper.net> writes:
> 
> > If so, why is the Key Exchange Method name "curve448-sha256" rather
> > than "curve448-sha512" ?
> 
> I think Damien Miller's argument for using sha512 here makes sense:
> "curve448 is a backup against as-yet-unknown attacks on curve25519.
> Since we're not likely to need it, we might as well pair it with
> SHA512 as a backup against as-yet-unknown attacks on SHA256."

Hello Mark and Niels.  Indeed there appears to be strong support from
several people to couple Curve448 with SHA-512 instead of SHA-256.  We
are making this change and there will be a -04 out shortly.  Mark's
RFC quoting is a strong reason to make this change, but I believe there
was sufficient motivation to do it anyway because of the hedge aspect.

/Simon