draft-ietf-curdle-ssh-curves-03.txt   draft-ietf-curdle-ssh-curves-04.txt 
Internet Engineering Task Force A. Adamantiadis Internet Engineering Task Force A. Adamantiadis
Internet-Draft libssh Internet-Draft libssh
Intended status: Standards Track S. Josefsson Intended status: Standards Track S. Josefsson
Expires: October 12, 2017 SJD AB Expires: October 12, 2017 SJD AB
M. Baushke M. Baushke
Juniper Networks, Inc. Juniper Networks, Inc.
April 10, 2017 April 10, 2017
Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448 Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448
draft-ietf-curdle-ssh-curves-03 draft-ietf-curdle-ssh-curves-04
Abstract Abstract
This document describes the conventions for using Curve25519 and This document describes the conventions for using Curve25519 and
Curve448 key exchange methods in the Secure Shell (SSH) protocol. Curve448 key exchange methods in the Secure Shell (SSH) protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Key Exchange Methods . . . . . . . . . . . . . . . . . . . . 2 2. Key Exchange Methods . . . . . . . . . . . . . . . . . . . . 2
2.1. Shared Secret Encoding . . . . . . . . . . . . . . . . . 3 2.1. Shared Secret Encoding . . . . . . . . . . . . . . . . . 3
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . 5 6.2. Informative References . . . . . . . . . . . . . . . . . 5
Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 6 Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
Secure Shell (SSH) [RFC4251] is a secure remote login protocol. The Secure Shell (SSH) [RFC4251] is a secure remote login protocol. The
key exchange protocol described in [RFC4253] supports an extensible key exchange protocol described in [RFC4253] supports an extensible
set of methods. [RFC5656] describes how elliptic curves are set of methods. [RFC5656] describes how elliptic curves are
integrated in SSH, and this document reuses those protocol messages. integrated in SSH, and this document reuses those protocol messages.
This document describes how to implement key exchange based on This document describes how to implement key exchange based on
[Curve25519] and [Ed448-Goldilocks] in SSH. For Curve25519 with Curve25519 and Ed448-Goldilocks [RFC7748] in SSH. For Curve25519
SHA-256 [RFC6234], the algorithm we describe is equivalent to the with SHA-256 [RFC6234], the algorithm we describe is equivalent to
privately defined algorithm "curve25519-sha256@libssh.org", which is the privately defined algorithm "curve25519-sha256@libssh.org", which
currently implemented and widely deployed in libssh and OpenSSH. The is currently implemented and widely deployed in libssh and OpenSSH.
Curve448 key exchange method is novel but similar in spirit, and we The Curve448 key exchange method is novel but similar in spirit, and
chose to couple it with SHA-512 [RFC6234] to further separate it from we chose to couple it with SHA-512 [RFC6234] to further separate it
the Curve25519 alternative. from the Curve25519 alternative.
This document provides Curve25519 as the preferred choice, but suggests This document provides Curve25519 as the preferred choice, but suggests
that the fallback option Curve448 is implemented to provide a hedge that the fallback option Curve448 is implemented to provide a hedge
against unforeseen analytical advances against Curve25519 and SHA-256. against unforeseen analytical advances against Curve25519 and SHA-256.
Due to the different implementation status of these two curves (high- Due to the different implementation status of these two curves (high-
quality free implementations of Curve25519 have been in deployed use quality free implementations of Curve25519 have been in deployed use
for several years, while Curve448 implementations are slowly for several years, while Curve448 implementations are slowly
appearing), it is accepted that adoption of Curve448 will be slower. appearing), it is accepted that adoption of Curve448 will be slower.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
skipping to change at page 5, line 34 skipping to change at page 5, line 34
(SHA and SHA-based HMAC and HKDF)", RFC 6234, (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011, DOI 10.17487/RFC6234, May 2011,
<http://www.rfc-editor.org/info/rfc6234>. <http://www.rfc-editor.org/info/rfc6234>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <http://www.rfc-editor.org/info/rfc7748>. 2016, <http://www.rfc-editor.org/info/rfc7748>.
6.2. Informative References 6.2. Informative References
[Curve25519]
Bernstein, D., "Curve25519: New Diffie-Hellman Speed
Records", Lecture Notes in Computer Science (LNCS) vol
3958, pp. 207-228, February 2006,
<http://dx.doi.org/10.1007/11745853_14>.
[Ed448-Goldilocks]
Hamburg, M., "Ed448-Goldilocks, a new elliptic curve",
June 2015, <https://eprint.iacr.org/2015/625>.
[IANA-KEX] [IANA-KEX]
Internet Assigned Numbers Authority (IANA), "Secure Shell Internet Assigned Numbers Authority (IANA), "Secure Shell
(SSH) Protocol Parameters: Key Exchange Method Names", (SSH) Protocol Parameters: Key Exchange Method Names",
March 2017, <http://www.iana.org/assignments/ssh- March 2017, <http://www.iana.org/assignments/ssh-
parameters/ssh-parameters.xhtml#ssh-parameters-16>. parameters/ssh-parameters.xhtml#ssh-parameters-16>.
Appendix A. Copying conditions Appendix A. Copying conditions
Regarding this entire document or any portion of it, the authors make Regarding this entire document or any portion of it, the authors make
no guarantees and are not responsible for any damage resulting from no guarantees and are not responsible for any damage resulting from
 End of changes. 4 change blocks. 
19 lines changed or deleted 9 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/