Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?

To: Mouse <mouse%Rodents-Montreal.ORG@localhost>, "ietf-ssh%NetBSD.org@localhost" <ietf-ssh%NetBSD.org@localhost>
Subject: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Tue, 14 Jul 2020 04:10:18 +0000

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>As an implementor, it is highly unlikely I will support anything elliptic
>curve in the foreseeable future.

I support it but it's disabled by default because I can't think of a commonly-
used cryptosystem more riddled with side-channels than (EC)DSA, and most of
them end up leaking the private key (that's ECDSA, not 25519 which is too
novel/nonstandard to be usable with anything I work with).  In fact a recent
paper on yet another set of side-channel attacks (either "Minerva: The Curse
of ECDSA Nonces" or "Big Numbers - Big Troubles") mentions that this is merely
the latest set of side-channels that need patching, and more are expected in
the future.  And that's after several years of patching ECDSA side-channels
already.

At least with RSA you can just blind and be mostly done with it, you don't
have to deal with a mechanism where there's a linear relation between the
signing nonce and the private key, with everything around that tied up in
side-channels.

Peter.

References:
- Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
  - From: Mark D. Baushke
- Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
  - From: Ron Frederick
- Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
  - From: Mouse

Prev by Date: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
Next by Date: Re: Time to Review IANA SSH Registries Policies?
Previous by Thread: Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
Next by Thread: Re: Time to Review IANA SSH Registries Policies?
Indexes:

Home | Main Index | Thread Index | Old Index