IETF-SSH archive


Re: Curve25519/448 key agreement for SSH



But X and K are different in each key exchange. The only way to make them the same would be for both parties to conspire.

I have suggested solving this by reinterpreting X as an already encoded K, which may be negative. Well - that has a different issue: it violates mpint encoding when the first byte of X is zero...

All things considered, I don't think it really matters which way this is resolved. Just please make sure to be clear when you specify it. :) An imprecise specification may lead to problems that manifest in e.g. 1/256 of key exchanges.


Simon Josefsson <simon%josefsson.org@localhost>, 11/12/2015 8:50 AM:
denis bider <ietf-ssh3%denisbider.com@localhost> writes:

> Simon -
>
>
>> A simple approach would be to say that if the MSB is 1,
>> prepend a zero byte.  However, the length difference
>> would leak that information.
>
> The length difference might not be much of a problem, since K is never sent.

It shouldn't be difficult to fingerprint (statistically, over many
connections) if a remote application performs a hash on X bytes or X+1
bytes.  Knowing which leaks the MSB of the derived secret.

I'm inclined to add a security consideration describing this, and allow
for the potential of a nice conference paper describing how to exploit
this observation.  At this point, to fix this (as Damien described)
appears less appealing.

/Simon

