Re: [Curdle] ssh-ed25519 implementations

Stefan Bühler <ietf-curdle@stbuehler.de> Fri, 12 May 2017 06:38 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7691294C4 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 11 May 2017 23:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.29
X-Spam-Level:
X-Spam-Status: No, score=-3.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=stbuehler.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ptADv_cLDOX for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 11 May 2017 23:38:02 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBEBA12EAB8 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 11 May 2017 23:33:36 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id B0F8185595; Fri, 12 May 2017 06:33:35 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 66E5C85589; Fri, 12 May 2017 06:33:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 74CFD84CF0 for <ietf-ssh@NetBSD.org>; Thu, 11 May 2017 13:15:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id 2qflE7Nueu7I for <ietf-ssh@netbsd.org>; Thu, 11 May 2017 13:15:42 +0000 (UTC)
Received: from mail.stbuehler.de (stbuehler.de [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 7482484CEE for <ietf-ssh@NetBSD.org>; Thu, 11 May 2017 13:15:42 +0000 (UTC)
Received: from [IPv6:2001:7c0:2049:1d4:14b7:34a8:44f4:149e] (unknown [IPv6:2001:7c0:2049:1d4:14b7:34a8:44f4:149e]) by mail.stbuehler.de (Postfix) with ESMTPSA id 24CBDB80135; Thu, 11 May 2017 13:15:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stbuehler.de; s=stbuehler1; t=1494508532; bh=pV8vDy1x/7V/upmia59nR6e2khWUxXG9C5wAmE7kQLw=; h=Subject:References:From:To:Cc:Date:In-Reply-To:From; b=eFBnPchq59deaL06NLrDr35TjvbzKxjTxULaiQjZggxWDgPvS3VlOEON6T4Ar3UuY xf12X1vQGlgtcuuIsNkId/uLxoumwuxWwRr2Du+uQjoP+M8lvPiW5dv8QpZmt9kiIO bcLJxk5oU/nomgTob9Se5y81PCgPBc/+m4navYDE=
Subject: Re: [Curdle] ssh-ed25519 implementations
References: <76FD0F39-1F3D-4476-A3D8-D4C942C2EFD1@juniper.net>
From: =?UTF-8?Q?Stefan_B=c3=bchler?= <ietf-curdle@stbuehler.de>
To: "curdle@ietf.org" <curdle@ietf.org>
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Message-ID: <76604306-d93a-5156-2350-636d3bda2323@stbuehler.de>
Date: Thu, 11 May 2017 15:15:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <76FD0F39-1F3D-4476-A3D8-D4C942C2EFD1@juniper.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20ietf-ssh&body=unsubscribe%20ietf-ssh>

Hi,

On 05/10/2017 06:18 PM, Mark Baushke wrote:
> Hi,
> 
> Eric Rescorla <ekr@rtfm.com> has brought to my attention that in
> https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-04 it is
> currently specifying the SSH encoding of secrets on the wire using the
> mpint process as described in section 5 of [RFC4251] while RFC 7748
> describes using a little-endian format:
> 
>   GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u,
>   in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... +
> 
> This seems to be what is being implemeneted for
> curve25519-sha256@libssh.org, so I should make
> an explicit note of this in the draft.

While we are on the topic of converting the shared secret bytes X
generated by Curve* to an mpint, I'd like to point out that the
draft-ietf-curdle-ssh-curves-04 is not clear regarding leading zeroes:

>    If X has leading zero bytes, the mpint format requires such bytes
>    to be skipped.  In this case, the length of the encoded K will be
>    smaller.

If X has one leading zero byte, and the highest bit of the second byte
is set, K will be exactly X, not shorter.

Maybe it would be better to describe an algorithm for the conversion, like:

- trim all leading zero bytes
- at least one byte must remain ("Clients and servers MUST fail the key
  exchange if [...], or if the derived shared secret only consists of
  zero bits.")
- if the highest bit of the first byte of the remaining string is set,
  prepend one zero byte

Or as pseudo code:

    k := x;
    while (k.length() > 0 && k[0] == 0) k = k[1:];
    assert(k.length() > 0);
    if 0 != (k[0] & 0x80) k = '\0' .. k;

cheers,
Stefan