IETF-SSH archive


Re: Curve25519/448 key agreement for SSH



Hi Simon,

Regarding

  https://datatracker.ietf.org/doc/draft-josefsson-ssh-curves/

could you advise on the following?

|   The protocol flow, the SSH_MSG_KEX_ECDH_INIT and
|   SSH_MSG_KEX_ECDH_REPLY messages, and the structure of the exchange
|   hash are identical to chapter 4 of [RFC5656].
|
|   The method names registered by this document are "curve25519-sha256"
|   and "curve448-sha256".

The RFC5656 "4. ECDH Key Exchange" also says

|    The Elliptic Curve Diffie-Hellman (ECDH) key exchange method
|    generates a shared secret from an ephemeral local elliptic curve
|    private key and ephemeral remote elliptic curve public key.  This key
|    exchange method provides explicit server authentication as defined in
|    [RFC4253] using a signature on the exchange hash.  Every compliant
|    SSH ECC implementation MUST implement ECDH key exchange.

which would seem to also implicitly reference RFC5656 3.1.1:

| 3.1.1.  Signature Algorithm
| 
|    Signing and verifying is done using the Elliptic Curve Digital
|    Signature Algorithm (ECDSA).  ECDSA is specified in [SEC1].  The
|    message hashing algorithm MUST be from the SHA2 family of hash
|    functions [FIPS-180-3] and is chosen according to the curve size as
|    specified in Section 6.2.1.

and if so, looking at 6.2.1:

| 6.2.1.  Elliptic Curve Digital Signature Algorithm
|
|   The hashing algorithm defined by this family of method names is the
|   SHA2 family of hashing algorithms [FIPS-180-3].  The algorithm from
|   the SHA2 family that will be used is chosen based on the size of the
|   named curve specified in the public key:
|
|                     +----------------+----------------+
|                     |   Curve Size   | Hash Algorithm |
|                     +----------------+----------------+
|                     |    b <= 256    |     SHA-256    |
|                     |                |                |
|                     | 256 < b <= 384 |     SHA-384    |
|                     |                |                |
|                     |     384 < b    |     SHA-512    |
|                     +----------------+----------------+

Is the hash to use driven by the table in RFC5656 as seen in 6.2.1 such
that curve448 should use SHA-512?

If so, why is the Key Exchange Method name "curve448-sha256" rather than
"curve448-sha512" ?

Also, should the current draft be updated to change references of
[I-D.irtf-cfrg-curves] to [RFC7748] ?

	Thank you,
	-- Mark
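An added example, not from the draft or from anyone on this thread, that makes the mismatch in the question above concrete: it picks the hash two ways, from the method-name suffix and from the RFC 5656 6.2.1 curve-size table, and computes the RFC 5656 chapter 4 exchange hash with whichever is chosen. The curve field sizes (255 and 448 bits, from RFC 7748), the RFC 4251 string/mpint encodings and the sample field values in the test are my own assumptions and constructed inputs.

```python
import hashlib
import struct

# Field sizes in bits from RFC 7748: 2^255-19 for curve25519, 2^448-2^224-1 for curve448.
CURVE_BITS = {"curve25519": 255, "curve448": 448}

def hash_from_table(curve_bits):
    """Pick the SHA-2 variant the RFC 5656 section 6.2.1 table gives for curve size b."""
    if curve_bits <= 256:
        return "sha256"
    if curve_bits <= 384:
        return "sha384"
    return "sha512"

def hash_from_method_name(method):
    """The draft's method names carry the hash as a suffix, e.g. "curve448-sha256"."""
    curve, _, hash_name = method.partition("-")
    return curve, hash_name

def compare_hash_choice(method):
    """Return (hash named in the method, hash the 6.2.1 table would pick for its curve)."""
    curve, named = hash_from_method_name(method)
    return named, hash_from_table(CURVE_BITS[curve])

def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(k):
    """RFC 4251 'mpint' for a non-negative integer: minimal two's complement, big-endian."""
    if k == 0:
        return ssh_string(b"")
    # One spare bit keeps the sign bit clear, so 0x80 encodes as 00 80 (RFC 4251 example).
    return ssh_string(k.to_bytes((k.bit_length() + 8) // 8, "big"))

def exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S, Q_C, Q_S, K):
    """RFC 5656 section 4: H = HASH(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K),
    the first seven fields encoded as SSH strings and the shared secret K as an mpint."""
    h = hashlib.new(hash_name)
    for field in (V_C, V_S, I_C, I_S, K_S, Q_C, Q_S):
        h.update(ssh_string(field))
    h.update(ssh_mpint(K))
    return h.digest()
```

For "curve448-sha256" the two selection rules disagree (SHA-256 from the name, SHA-512 from the table), and the resulting exchange hashes differ in both length and value.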


