Russ Housley sent the enclosed message to the saag%mit.edu@localhost list last
week (SAAG is the IETF Security Area Advisory Group; it's a public list).
There has been some discussion on this which followed.
I took a look at this draft-dang-nistkdf-00, and the NIST draft SP
800-56 it references. It specifies a method for using a hash function
to derive arbitrary-length session keys from a shared secret (such as
the result of a DH exchange). In addition, Appendix B of the NIST draft
lists a few alternatives as well as a few design principles for KDFs.
At first glance it looks to me as though the key derivation used in SSHv2
violates a few of these design principles.
In addition, there's a secondary consideration for folks building
systems aimed at certain markets. To quote from a later message in the
thread from Tim Polk:
Since we currently don't have a standard, cryptomodules can
currently implement any KDF they choose. Once this document is
finalized, cryptomodules would be limited to "approved" KDFs (at
least in FIPS mode).
I've asked Tim to ask NIST to look at the SSH KDF; I haven't heard back
from him but cryptographers usually take their time.
If people are interested in using SSH with FIPS-certified crypto modules,
the path of least resistance may well be to define a new key exchange
which uses this KDF.
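The two derivations at issue, side by side, as an added worked example that is not part of the original message or of any SSH implementation: the SSHv2 key derivation of RFC 4253 section 7.2, and the counter-mode "concatenation" KDF as published in SP 800-56A (assumed here to match the KDF in the draft the message cites). The sample K, H and OtherInfo values are constructed, and OtherInfo is treated as an opaque placeholder string rather than the specification's field layout.

```python
"""SSHv2 key derivation (RFC 4253 s.7.2) next to the NIST SP 800-56A
concatenation KDF.  Added illustration, not code from the original message;
the NIST side is assumed to match the draft discussed.  Inputs are constructed."""
import hashlib
import struct


def digest(hash_name: str, data: bytes) -> bytes:
    return hashlib.new(hash_name, data).digest()


def ssh_mpint(k: int) -> bytes:
    """RFC 4251 section 5 'mpint': uint32 length + minimal two's-complement
    big-endian magnitude (a leading 0x00 is added when the high bit is set)."""
    if k == 0:
        return struct.pack(">I", 0)
    raw = k.to_bytes(k.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def ssh_derive_key(hash_name, K, H, letter, session_id, length):
    """RFC 4253 section 7.2, one key of `length` bytes:
       K1 = HASH(K || H || X || session_id)     X = one of b"A" .. b"F"
       K2 = HASH(K || H || K1)
       K3 = HASH(K || H || K1 || K2) ...
    Every extension block is chained on all previous output blocks."""
    k_bytes = ssh_mpint(K)          # K is hashed in its mpint wire encoding
    out = digest(hash_name, k_bytes + H + letter + session_id)
    while len(out) < length:
        out += digest(hash_name, k_bytes + H + out)
    return out[:length]


# Key letters of RFC 4253 section 7.2 (c2s = client to server, s2c = server to client).
SSH_KEY_LETTERS = {b"A": "iv_c2s", b"B": "iv_s2c",
                   b"C": "enc_c2s", b"D": "enc_s2c",
                   b"E": "mac_c2s", b"F": "mac_s2c"}


def ssh_session_keys(hash_name, K, H, session_id, iv_len, enc_len, mac_len):
    """All six SSHv2 keys; the single byte X is what separates them."""
    lengths = {b"A": iv_len, b"B": iv_len, b"C": enc_len, b"D": enc_len,
               b"E": mac_len, b"F": mac_len}
    return {SSH_KEY_LETTERS[x]: ssh_derive_key(hash_name, K, H, x, session_id, n)
            for x, n in lengths.items()}


def nist_concat_block(hash_name, Z, other_info, i):
    """K(i) = H(counter || Z || OtherInfo), 32-bit big-endian counter from 1."""
    return digest(hash_name, struct.pack(">I", i) + Z + other_info)


def nist_concat_kdf(hash_name, Z, other_info, length):
    """SP 800-56A single-step KDF: K(1) || K(2) || ... truncated to `length`.
    Each block depends only on its counter value, never on an earlier block."""
    hlen = hashlib.new(hash_name).digest_size
    reps = -(-length // hlen)       # ceil(length / hlen)
    out = b"".join(nist_concat_block(hash_name, Z, other_info, i)
                   for i in range(1, reps + 1))
    return out[:length]


# Constructed sample inputs (not taken from any real exchange).
K_SAMPLE = 0x9a378f9b2e332a7                         # stands in for the DH result K
H_SAMPLE = hashlib.sha1(b"constructed exchange hash").digest()
SESSION_ID = H_SAMPLE                                # first exchange: session_id == H
Z_SAMPLE = K_SAMPLE.to_bytes(8, "big")               # same secret as a raw byte string
OTHER_INFO = b"AlgorithmID|PartyUInfo|PartyVInfo"    # placeholder, not the real encoding

if __name__ == "__main__":
    for name, key in ssh_session_keys("sha1", K_SAMPLE, H_SAMPLE, SESSION_ID,
                                      16, 32, 20).items():
        print(f"ssh {name}: {key.hex()}")
    print("nist:", nist_concat_kdf("sha1", Z_SAMPLE, OTHER_INFO, 32).hex())
```

The structural contrast is visible in the two extension loops: the SSH derivation feeds the secret and every earlier output block back into each new block, and distinguishes the six keys only by a single byte, while the NIST KDF hashes counter, secret and OtherInfo independently per block. The message does not say which of Appendix B's principles it has in mind, so the code only makes the two constructions concrete.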