IETF-SSH archive

Re: Curve25519/448 key agreement for SSH



The DSA signature blob is originally defined as a string in RFC 4253, though.

The issue with K is that it's defined as mpint for all key exchange methods in RFC 4253, section 7.2, Output from Key Exchange:

   Encryption keys MUST be computed as HASH, of a known value and K, as
   follows:

   o  Initial IV client to server: HASH(K || H || "A" || session_id)
      (Here K is encoded as mpint and "A" as byte and session_id as raw
      data.  "A" means the single character A, ASCII 65).

It is this that has to be changed - allowing K to have a different encoding for different key exchange methods - in order to allow K to be encoded as string.


----- Original Message -----
From: Niels "Möller"
Sent: Thursday, November 12, 2015 23:25
To: Simon Josefsson
Cc: denis bider ; ietf-ssh%netbsd.org@localhost
Subject: Re: Curve25519/448 key agreement for SSH

Simon Josefsson <simon%josefsson.org@localhost> writes:

> A simple approach would be to say that if the MSB is 1, prepend a zero
> byte.  However, the length difference would leak that information.

Note that it's also possible to use some slightly different mapping than
for mpints. Like it's been done in the dsa signature blob since ages;
there the integers are always coded as 20-byte values, no sign bit, and
no normalization if some value happens to get a zero high byte.

I'm not sure I like that departure from mpint, but I'd like to point out
that it's a possibility and it's been done before.

Regards,
/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
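
Added example, not part of either message above: a Python sketch of the two encodings of K under discussion (mpint versus a fixed-length string) and of the RFC 4253 section 7.2 derivation HASH(K || H || "A" || session_id). The 32-byte sample secrets are constructed, and SHA-256 as HASH and big-endian interpretation of the raw bytes for the mpint case are assumptions of this example.

```python
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length, then the bytes unchanged."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint (non-negative only): minimal big-endian two's
    complement, so 0x00 is prepended when the top bit is set."""
    if value < 0:
        raise ValueError("negative values are not needed for K")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return ssh_string(body)

def encode_k(raw: bytes, as_mpint: bool) -> bytes:
    """Encode a fixed-length shared secret either way.
    Assumption: for mpint the raw bytes are read as a big-endian integer."""
    return ssh_mpint(int.from_bytes(raw, "big")) if as_mpint else ssh_string(raw)

def initial_iv_c2s(encoded_k: bytes, h: bytes, session_id: bytes) -> bytes:
    """HASH(K || H || "A" || session_id) from RFC 4253 section 7.2.
    Assumption: HASH is SHA-256; H and session_id are raw bytes."""
    return hashlib.sha256(encoded_k + h + b"A" + session_id).digest()

# Constructed 32-byte sample secrets, chosen to hit each mpint edge case.
SAMPLES = {
    "msb set": b"\x80" + b"\x11" * 31,
    "msb clear": b"\x7f" + b"\x11" * 31,
    "leading zero byte": b"\x00" + b"\x11" * 31,
}

def encoded_lengths() -> dict:
    """Map sample name -> (mpint length, string length) in bytes."""
    return {name: (len(encode_k(raw, True)), len(encode_k(raw, False)))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (m, s) in encoded_lengths().items():
        print(f"{name:18} mpint={m} string={s}")
```

When the top bit is clear and there is no leading zero byte, both encodings yield identical bytes, so two implementations that disagree on the encoding of K derive different keys only for some secrets.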


