On Mon, 22 Feb 2016 10:08:32 +0100, Re: Curve25519/448 key agreement for SSH wrote:

> "Mark D. Baushke" <mdb%juniper.net@localhost> writes:
>
> > If so, why is the Key Exchange Method name "curve448-sha256" rather
> > than "curve488-sha512" ?
>
> I think Damien Miller's argument for using sha512 here makes sense:
> "curve448 is a backup against as-yet-unknown attacks on curve25519.
> Since we're not likely to need it, we might as well pair it with
> SHA512 as a backup against as-yet-unknown attacks on SHA256."

Hello Mark and Niels.

Indeed there appears to be strong support from several people to couple Curve448 with SHA-512 instead of SHA-256. We are making this change and there will be a -04 out shortly. Mark's RFC quoting is a strong reason to make this change, but I believe there was sufficient motivation to do it anyway because of the hedge aspect.

/Simon