IETF-SSH archive
Re: draft-green-secsh-ecc-08: small correction
On Tue, 16 Jun 2009, Igoe, Kevin M. wrote:
> In the Introduction to draft-green-secsh-ecc-08 we find
>
> In the interest of adding Suite B algorithms to SSH this document
> adds three ECC Suite B algorithms to the Secure Shell arsenal:
> Elliptic Curve Menezes-Qu-Vanstone (ECMQV), Elliptic Curve Diffie-
> Hellman (ECDH), and Elliptic Curve Digital Signature Algorithm
> (ECDSA), as well as utilizing the SHA2 family of secure hash
> algorithms.
>
> Slight error here: ECMQV is no longer part of Suite B. For sake of
> correctness, I'd suggest something like the following:
>
> In the interest of adding Suite B algorithms to SSH this document
> adds two ECC Suite B algorithms to the Secure Shell arsenal:
> Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Digital
> Signature Algorithm (ECDSA), as well as utilizing the SHA2 family
> of secure hash algorithms. Additionally, support is provided for
> Elliptic Curve Menezes-Qu-Vanstone (ECMQV).

Why not drop ECMQV from the draft entirely? AFAIK it is patented,
which is enough to stop us (OpenSSH) from implementing it. I think
new KEX methods need a very good justification, since they represent
a significant part of the pre-auth attack surface.

Also on the -08 draft, shouldn't the client and server in ECDH reject
public keys from the peer that are points at infinity? Are there
other degenerate values to worry about?

-d
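
Added example (not part of the original message or of the draft): one way to perform the peer public key check asked about above, in Python. It assumes NIST P-256 and the SEC1 uncompressed point encoding; the function and exception names are hypothetical.

```python
# Added example. Assumes NIST P-256 and SEC1 uncompressed points (0x04 || X || Y).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # field prime
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32


class InvalidPublicKey(ValueError):
    """Peer public key failed validation (hypothetical name)."""


def encode_uncompressed(x, y):
    """SEC1 uncompressed encoding of an affine point."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def parse_peer_public_key(blob):
    """Return (x, y) if blob is an acceptable P-256 point, else raise."""
    # SEC1 encodes the point at infinity as the single octet 0x00.
    if blob == b"\x00":
        raise InvalidPublicKey("point at infinity")
    if len(blob) != 1 + 2 * COORD_LEN or blob[0] != 0x04:
        raise InvalidPublicKey("not an uncompressed point of the expected length")
    x = int.from_bytes(blob[1:1 + COORD_LEN], "big")
    y = int.from_bytes(blob[1 + COORD_LEN:], "big")
    # Coordinates must be reduced field elements.
    if x >= P or y >= P:
        raise InvalidPublicKey("coordinate out of range")
    # The point must satisfy y^2 = x^3 + ax + b (mod p).
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPublicKey("point is not on the curve")
    # P-256 has cofactor 1, so any on-curve point other than infinity
    # already has the full group order; no separate subgroup check.
    return x, y


if __name__ == "__main__":
    # Constructed inputs: the base point, then degenerate encodings.
    samples = {"base point": encode_uncompressed(GX, GY), "infinity": b"\x00",
               "off curve": encode_uncompressed(GX, GY + 1),
               "x not reduced": encode_uncompressed(P, GY)}
    for name, blob in samples.items():
        try:
            parse_peer_public_key(blob)
            print(name, "accepted")
        except InvalidPublicKey as err:
            print(name, "rejected:", err)
```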