Re: Curve25519/448 key agreement for SSH

Simon Josefsson <simon@josefsson.org> Tue, 10 November 2015 22:33 UTC

From: Simon Josefsson <simon@josefsson.org>
To: denis bider <ietf-ssh3@denisbider.com>
Cc: ietf-ssh@netbsd.org
Subject: Re: Curve25519/448 key agreement for SSH
References: <2258609541-1780@skroderider.denisbider.com>
Date: Tue, 10 Nov 2015 10:30:37 +0100
In-Reply-To: <2258609541-1780@skroderider.denisbider.com> (denis bider's message of "Tue, 10 Nov 2015 06:12:05 +0000")
Message-ID: <87y4e6w69u.fsf@latte.josefsson.org>

denis bider <ietf-ssh3@denisbider.com> writes:

> Simon, Aris -
>
> thank you for this work. I plan to be implementing this soon, and I
> appreciate that you're moving ahead with standardization.

Hi Denis.  Excellent!  It would be perfect if someone would attempt
implementation based on this document (and cfrg-curves) and tell us what
is missing, and what could have helped them implement it more quickly.

> With respect to conversion of the binary string X into mpint K, is
> there a chance that X might have its high bit set?
>
> If it's possible for the high bit to be set, it seems you ought to
> clarify how that's converted into mpint, given that mpint is signed:
>
> https://www.ietf.org/rfc/rfc4251.txt

>       Represents multiple precision integers in two's complement format,
>       stored as a string, 8 bits per byte, MSB first.  Negative numbers
>       have the value 1 as the most significant bit of the first byte of
>       the data partition.  If the most significant bit would be set for
>       a positive number, the number MUST be preceded by a zero byte.

Good point.  I believe the document has to discuss the mapping of
Curve25519/Curve448 binary strings into mpints.

A simple approach would be to say that if the MSB is 1, prepend a zero
byte.  However, the length difference would leak that information.

For Curve25519 the most-significant bit is always zero though, so this
will never happen.  For Curve448 this seems like a problem.  Is it okay
to prepend a zero byte in SSH big integers even if one is not necessary?
Then a simple approach would be to do nothing for Curve25519 and to
always add a zero byte for Curve448.

> Besides that, I'm noticing the language could use improvement in
> places ("this document re-use" -> "this document reuses", "is is" ->
> "is").

Fixed, thank you.

/Simon

> Overall, thank you for moving forward with this, though.
>
>
> ----- Original Message -----
> From: Simon Josefsson 
> Sent: Monday, November 9, 2015 09:07
> To: ietf-ssh@netbsd.org 
> Subject: Curve25519/448 key agreement for SSH
>
> Aris and I have prepared a document describing key agreement using the
> CFRG curves for Secure Shell.  As you know, curve25519-sha256@libssh.org
> is already implemented by libssh, OpenSSH, Dropbear, and some others.
> This is about putting the description of that into IETF format, and to
> add the Curve448 hedge variant chosen by CFRG.  It might not be detailed
> enough for independent implementation, but we hope to get there.  Any
> review and feedback is welcome.
>
> https://tools.ietf.org/html/draft-josefsson-ssh-curves
>
> /Simon
>
> PS. There is https://tools.ietf.org/html/draft-bjh21-ssh-ed25519 but
> that talks about Ed25519 signatures.  The document above is about key
> agreement.
>
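As an added example (not code from the draft or from either poster), here are the two mpint encodings discussed in the thread side by side: the RFC 4251 rule (strip leading zeros, prepend 0x00 when the top bit is set) and the "always add a zero byte" alternative. It assumes X is the shared secret already laid out MSB first as RFC 4251 expects; the sample secrets are constructed values, not real X448 outputs.

```python
import struct

def mpint_rfc4251(x: bytes) -> bytes:
    """Encode an unsigned big-endian byte string as an SSH mpint (RFC 4251 section 5):
    drop unnecessary leading zero bytes, prepend 0x00 if the top bit would otherwise
    read as a sign bit, then length-prefix. The encoded length depends on the value."""
    body = x.lstrip(b"\x00")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body

def mpint_fixed_width(x: bytes) -> bytes:
    """The 'always add a zero byte' alternative from the thread: keep every byte of X
    and always prepend 0x00, so the wire length never depends on the secret's bits."""
    body = b"\x00" + x
    return struct.pack(">I", len(body)) + body

def mpint_to_int(enc: bytes) -> int:
    """Decode an mpint (two's complement, MSB first) back to a Python integer."""
    (n,) = struct.unpack(">I", enc[:4])
    return int.from_bytes(enc[4:4 + n], "big", signed=True)

# Constructed 56-byte "Curve448 shared secrets" (not real X448 outputs), chosen to
# exercise the three cases: top bit set, top bit clear, leading zero byte(s).
SAMPLE_SECRETS = {
    "msb_set":      bytes([0xFF]) + bytes([0xAB]) * 55,
    "msb_clear":    bytes([0x7F]) + bytes([0xAB]) * 55,
    "leading_zero": bytes([0x00, 0x00, 0x01]) + bytes([0xAB]) * 53,
}

def wire_lengths(encoder) -> dict:
    """Total bytes (length prefix included) each sample occupies under the encoder."""
    return {name: len(encoder(x)) for name, x in SAMPLE_SECRETS.items()}

def roundtrip_ok(encoder) -> bool:
    """Both encodings must decode to the same non-negative integer that X represents."""
    return all(mpint_to_int(encoder(x)) == int.from_bytes(x, "big")
               for x in SAMPLE_SECRETS.values())

if __name__ == "__main__":
    print("RFC 4251 minimal:", wire_lengths(mpint_rfc4251))     # 61, 60, 58 -> leaks
    print("fixed width     :", wire_lengths(mpint_fixed_width))  # 61, 61, 61
    print("roundtrip:", roundtrip_ok(mpint_rfc4251), roundtrip_ok(mpint_fixed_width))
```

The varying totals from the RFC 4251 encoder are the length leak described in the thread. Note that RFC 4251 also says unnecessary leading zero bytes MUST NOT be included, so the fixed-width form is not a canonical mpint on the wire.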