IETF-SSH archive
Re: Curve25519/448 key agreement for SSH
On Wed, 18 Nov 2015, Simon Josefsson wrote:
> This is another update, clarifying the encoding issue a bit further and
> improving language (thank you Denis).
>
> https://tools.ietf.org/html/draft-josefsson-ssh-curves-02
>
> A discussion on CFRG came up recently about checking for the all-zero
> shared secret. Does anyone know if libssh or OpenSSH (or anyone else)
> performs this check? Not doing that has apparently led to real security
> problems. For more background, see:
>
> http://thread.gmane.org/gmane.ietf.irtf.cfrg/6228
>
> Thoughts on whether we should add a MUST to require checking the derived
> secret for the all-zero value?
OpenSSH performs the all-zero check:
https://anongit.mindrot.org/openssh.git/tree/kexc25519.c?id=8ca915fc761519dd1f7766a550ec597a81db5646#n69
I think it should be a MUST.
-d
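As an added illustration of the check under discussion (example code written for this page, not code from the draft, from this thread, or from OpenSSH/libssh), the following Python implements X25519 per RFC 7748 and then applies the all-zero shared-secret test. The reason the check catches anything is that a clamped X25519 scalar is a multiple of 8, so a peer-supplied u-coordinate of a point of order 2, 4 or 8 (u = 0, u = 1, u = p-1 among others) always multiplies to the point at infinity, which the Montgomery ladder encodes as 32 zero bytes. The function names `x25519`, `x25519_shared` and `accepts_peer_key` are my own; the key pairs are the RFC 7748 section 6.1 (NaCl) test vectors, and the low-order inputs are constructed here. Python integer arithmetic is not constant time, so this is for reading, not for deployment.

```python
"""X25519 (RFC 7748) plus the all-zero shared-secret check.

Added example, not code from draft-josefsson-ssh-curves, this thread or OpenSSH.
Python big-int arithmetic is not constant time; this is for understanding the check.
"""
import hmac

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping: clear the low 3 bits (scalar becomes a multiple of 8),
    # clear bit 255, set bit 254.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    # Mask the top bit of the last byte; non-canonical values (>= p) are accepted.
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    # Branch-free conditional swap (swap is 0 or 1).
    dummy = (a ^ b) & -swap
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k*U, 32 bytes LE."""
    k_int = _decode_scalar(k)
    x_1 = _decode_u(u)
    x_2, z_2, x_3, z_3 = 1, 0, x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # The point at infinity has z_2 == 0; pow(0, P-2, P) == 0, so it encodes as all zeros.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def x25519_shared(private_key: bytes, peer_public: bytes) -> bytes:
    """Derive the shared secret and reject the all-zero value (the check in question)."""
    secret = x25519(private_key, peer_public)
    # Constant-time compare against 32 zero bytes (OpenSSH uses timingsafe_bcmp here).
    if hmac.compare_digest(secret, bytes(32)):
        raise ValueError("all-zero shared secret: peer sent a low-order point")
    return secret


def accepts_peer_key(private_key: bytes, peer_public: bytes) -> bool:
    """True if key agreement with this peer value passes the all-zero check."""
    try:
        x25519_shared(private_key, peer_public)
        return True
    except ValueError:
        return False


# RFC 7748 section 6.1 / NaCl test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Constructed low-order inputs: u=0 has order 2, u=1 and u=p-1 have order 4.
# A clamped scalar is a multiple of 8, so k*U is the identity for each of them.
LOW_ORDER_U = [bytes(32), (1).to_bytes(32, "little"), (P - 1).to_bytes(32, "little")]

if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    assert x25519_shared(ALICE_PRIV, BOB_PUB) == SHARED
    for u in LOW_ORDER_U:
        print(u.hex(), "accepted" if accepts_peer_key(ALICE_PRIV, u) else "rejected")
```

Note that the check only tells you the peer's value was a low-order point (or p, p+1 and the like, which decode to the same points); it does not by itself validate that the peer's value is on the curve rather than the twist, which X25519 deliberately does not require.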