draft-ietf-curdle-ssh-curves-01.txt   draft-ietf-curdle-ssh-curves-02.txt 
Internet Engineering Task Force A. Adamantiadis Internet Engineering Task Force A. Adamantiadis
Internet-Draft libssh Internet-Draft libssh
Intended status: Informational S. Josefsson Intended status: Standards Track S. Josefsson
Expires: September 28, 2017 SJD AB Expires: October 12, 2017 SJD AB
M. Baushke M. Baushke
Juniper Networks, Inc. Juniper Networks, Inc.
March 27, 2017 April 10, 2017
Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448 Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448
draft-ietf-curdle-ssh-curves-01 draft-ietf-curdle-ssh-curves-02
Abstract Abstract
How to implement the Curve25519 and Curve448 key exchange methods in This document describes the conventions for using Curve25519 and
the Secure Shell (SSH) protocol is described. Curve448 key exchange methods in the Secure Shell (SSH) protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 28, 2017. This Internet-Draft will expire on October 12, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Key Exchange Methods . . . . . . . . . . . . . . . . . . . . 3 2. Key Exchange Methods . . . . . . . . . . . . . . . . . . . . 2
2.1. Shared Secret Encoding . . . . . . . . . . . . . . . . . 3 2.1. Shared Secret Encoding . . . . . . . . . . . . . . . . . 3
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . 5 6.1. Normative References . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . 5 6.2. Informative References . . . . . . . . . . . . . . . . . 5
Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 6 Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
In [Curve25519], a new elliptic curve function for use in
cryptographic applications was introduced. In [Ed448-Goldilocks] the
Ed448-Goldilocks curve (also known as Curve448) is described. In
[RFC7748], the Diffie-Hellman functions using Curve25519 and Curve448
are specified.
Secure Shell (SSH) [RFC4251] is a secure remote login protocol. The Secure Shell (SSH) [RFC4251] is a secure remote login protocol. The
key exchange protocol described in [RFC4253] supports an extensible key exchange protocol described in [RFC4253] supports an extensible
set of methods. [RFC5656] describes how elliptic curves are set of methods. [RFC5656] describes how elliptic curves are
integrated in SSH, and this document reuses those protocol messages. integrated in SSH, and this document reuses those protocol messages.
This document describes how to implement key exchange based on This document describes how to implement key exchange based on
Curve25519 and Curve448 in SSH. For Curve25519 with SHA-256 [Curve25519] and [Ed448-Goldilocks] in SSH. For Curve25519 with
[RFC4634], the algorithm we describe is equivalent to the privately SHA-256 [RFC4634], the algorithm we describe is equivalent to the
defined algorithm "curve25519-sha256@libssh.org", which is currently privately defined algorithm "curve25519-sha256@libssh.org", which is
implemented and widely deployed in libssh and OpenSSH. The Curve448 currently implemented and widely deployed in libssh and OpenSSH. The
key exchange method is novel but similar in spirit, and we chose to Curve448 key exchange method is novel but similar in spirit, and we
couple it with SHA-512 [RFC4634] to further separate it from the chose to couple it with SHA-512 [RFC4634] to further separate it from
Curve25519 alternative. the Curve25519 alternative.
This document provide Curve25519 as the prefered choice, but suggests This document provide Curve25519 as the prefered choice, but suggests
that the fall back option Curve448 is implemented to provide an hedge that the fall back option Curve448 is implemented to provide an hedge
against unforseen analytical advances against Curve25519 and SHA-256. against unforseen analytical advances against Curve25519 and SHA-256.
Due to different implementation status of these two curves (high- Due to different implementation status of these two curves (high-
quality free implementations of Curve25519 has been in deployed use quality free implementations of Curve25519 has been in deployed use
for several years, while Curve448 implementations are slowly for several years, while Curve448 implementations are slowly
appearing), it is accepted that adoption of Curve448 will be slower. appearing), it is accepted that adoption of Curve448 will be slower.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
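Review bot: the -02 column drops the -01 introduction paragraph that cited [RFC7748] ("In [RFC7748], the Diffie-Hellman functions using Curve25519 and Curve448 are specified.") and rewrites "key exchange based on Curve25519 and Curve448 in SSH" as "key exchange based on [Curve25519] and [Ed448-Goldilocks] in SSH"; those two references describe the curves themselves, while the Diffie-Hellman functions the key exchange actually runs are the ones [RFC7748] specifies, so the introduction should keep a citation of [RFC7748] (the normative reference list in this diff is cut off after [RFC2119], so it is not visible whether that entry survives in -02). Unchanged in both columns and worth fixing in the same revision: "This document provide Curve25519 as the prefered choice", "an hedge against unforseen analytical advances" and "implementations of Curve25519 has been in deployed use" should read "provides", "preferred", "a hedge", "unforeseen" and "have been". Note also that the intended status moves from Informational to Standards Track, which makes the RFC 2119 key words in this section binding requirements on implementers rather than guidance.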
skipping to change at page 4, line 46 skipping to change at page 4, line 38
before it is hashed (i.e., adding or removing zero-bytes for before it is hashed (i.e., adding or removing zero-bytes for
encoding) raises the potential for a side-channel attack which could encoding) raises the potential for a side-channel attack which could
determine the length of what is hashed. This would leak the most determine the length of what is hashed. This would leak the most
significant bit of the derived secret, and/or allow detection of when significant bit of the derived secret, and/or allow detection of when
the most significant bytes are zero. For backwards compatibility the most significant bytes are zero. For backwards compatibility
reasons it was decided not to adress this potential problem. reasons it was decided not to adress this potential problem.
5. IANA Considerations 5. IANA Considerations
IANA is requested to add "curve25519-sha256" and "curve448-sha512" to IANA is requested to add "curve25519-sha256" and "curve448-sha512" to
the "Key Exchange Method Names" registry for SSH that was created in the "Key Exchange Method Names" registry for SSH [IANA-KEX] that was
RFC 4250 section 4.10 [RFC4250]. created in RFC 4250 section 4.10 [RFC4250].
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
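Review bot: "For backwards compatibility reasons it was decided not to adress this potential problem" (unchanged in both columns) leaves the reader guessing what the compatibility constraint is; since the introduction states that the Curve25519 method is equivalent to the widely deployed "curve25519-sha256@libssh.org", the security considerations should say explicitly that the shared-secret encoding (the zero-byte adjustment described just above, which is what creates the length side channel) is kept as-is so that "curve25519-sha256" interoperates with existing deployments of that method, and "adress" should read "address". Adding the [IANA-KEX] citation to section 5 is a good change; its registry name matches the title used in the new reference entry.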
skipping to change at page 5, line 49 skipping to change at page 5, line 40
6.2. Informative References 6.2. Informative References
[Curve25519] [Curve25519]
Bernstein, D., "Curve25519: New Diffie-Hellman Speed Bernstein, D., "Curve25519: New Diffie-Hellman Speed
Records", Lecture Notes in Computer Science (LNCS) vol Records", Lecture Notes in Computer Science (LNCS) vol
3958, pp. 207-228, February 2006, 3958, pp. 207-228, February 2006,
<http://dx.doi.org/10.1007/11745853_14>. <http://dx.doi.org/10.1007/11745853_14>.
[Ed448-Goldilocks] [Ed448-Goldilocks]
Hamburg, , "Ed448-Goldilocks, a new elliptic curve", June Hamburg, M., "Ed448-Goldilocks, a new elliptic curve",
2015, <https://eprint.iacr.org/2015/625>. June 2015, <https://eprint.iacr.org/2015/625>.
[IANA-KEX]
Internet Assigned Numbers Authority (IANA), "Secure Shell
(SSH) Protocol Parameters: Key Exchange Method Names",
March 2017, <http://www.iana.org/assignments/ssh-
parameters/ssh-parameters.xhtml#ssh-parameters-16>.
Appendix A. Copying conditions Appendix A. Copying conditions
Regarding this entire document or any portion of it, the authors make Regarding this entire document or any portion of it, the authors make
no guarantees and are not responsible for any damage resulting from no guarantees and are not responsible for any damage resulting from
its use. The authors grant irrevocable permission to anyone to use, its use. The authors grant irrevocable permission to anyone to use,
modify, and distribute it in any way that does not diminish the modify, and distribute it in any way that does not diminish the
rights of anyone else to use, modify, and distribute it, provided rights of anyone else to use, modify, and distribute it, provided
that redistributed derivative works do not contain misleading author that redistributed derivative works do not contain misleading author
or version information. Derivative works need not be licensed under or version information. Derivative works need not be licensed under
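Review bot: in the new [IANA-KEX] reference entry the URL is wrapped after "ssh-", so the line break lands on a hyphen that is part of the URL ("ssh-parameters"); a reader joining the lines cannot tell whether that hyphen belongs to the URL or to the wrap, so break the line before "ssh-parameters" (or after a "/") so the hyphen stays inside the URL on one line. The [Ed448-Goldilocks] entry now reads "Hamburg, M.", which closes the empty-initial defect ("Hamburg, , ") of -01.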
 End of changes. 11 change blocks. 
27 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/