idnits 2.17.1 

draft-ietf-curdle-ssh-curves-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 12, 2017) is 2349 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Internet Engineering Task Force                          A. Adamantiadis
3	Internet-Draft                                                    libssh
4	Intended status: Standards Track                            S. Josefsson
5	Expires: May 16, 2018                                             SJD AB
6	                                                              M. Baushke
7	                                                  Juniper Networks, Inc.
8	                                                       November 12, 2017

10	  Secure Shell (SSH) Key Exchange Method using Curve25519 and Curve448
11	                    draft-ietf-curdle-ssh-curves-06

13	Abstract

15	   This document describes the conventions for using Curve25519 and
16	   Curve448 key exchange methods in the Secure Shell (SSH) protocol.

18	Status of This Memo

20	   This Internet-Draft is submitted in full conformance with the
21	   provisions of BCP 78 and BCP 79.

23	   Internet-Drafts are working documents of the Internet Engineering
24	   Task Force (IETF).  Note that other groups may also distribute
25	   working documents as Internet-Drafts.  The list of current Internet-
26	   Drafts is at https://datatracker.ietf.org/drafts/current/.

28	   Internet-Drafts are draft documents valid for a maximum of six months
29	   and may be updated, replaced, or obsoleted by other documents at any
30	   time.  It is inappropriate to use Internet-Drafts as reference
31	   material or to cite them other than as "work in progress."

33	   This Internet-Draft will expire on May 16, 2018.

35	Copyright Notice

37	   Copyright (c) 2017 IETF Trust and the persons identified as the
38	   document authors.  All rights reserved.

40	   This document is subject to BCP 78 and the IETF Trust's Legal
41	   Provisions Relating to IETF Documents
42	   (https://trustee.ietf.org/license-info) in effect on the date of
43	   publication of this document.  Please review these documents
44	   carefully, as they describe your rights and restrictions with respect
45	   to this document.  Code Components extracted from this document must
46	   include Simplified BSD License text as described in Section 4.e of
47	   the Trust Legal Provisions and are provided without warranty as
48	   described in the Simplified BSD License.

50	Table of Contents

52	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
53	   2.  Key Exchange Methods  . . . . . . . . . . . . . . . . . . . .   3
54	     2.1.  Shared Secret Encoding  . . . . . . . . . . . . . . . . .   3
55	   3.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
56	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
57	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
58	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
59	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
60	     6.2.  Informative References  . . . . . . . . . . . . . . . . .   5
61	   Appendix A.  Copying conditions . . . . . . . . . . . . . . . . .   6
62	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

64	1.  Introduction

66	   Secure Shell (SSH) [RFC4251] is a secure remote login protocol.  The
67	   key exchange protocol described in [RFC4253] supports an extensible
68	   set of methods.  [RFC5656] describes how elliptic curves are
69	   integrated in SSH, and this document reuses those protocol messages.

71	   This document describes how to implement key exchange based on
72	   Curve25519 and Ed448-Goldilocks [RFC7748] in SSH.  For Curve25519
73	   with SHA-256 [RFC6234], the algorithm we describe is equivalent to
74	   the privately defined algorithm "curve25519-sha256@libssh.org", which
75	   is currently implemented and widely deployed in libssh and OpenSSH.
76	   The Curve448 key exchange method is novel but similar in spirit, and
77	   we chose to couple it with SHA-512 [RFC6234] to further separate it
78	   from the Curve25519 alternative.

80	   This document provide Curve25519 as the preferred choice, but
81	   suggests that the fall back option Curve448 is implemented to provide
82	   an hedge against unforeseen analytical advances against Curve25519
83	   and SHA-256.  Due to different implementation status of these two
84	   curves (high-quality free implementations of Curve25519 has been in
85	   deployed use for several years, while Curve448 implementations are
86	   slowly appearing), it is accepted that adoption of Curve448 will be
87	   slower.

89	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
90	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
91	   "OPTIONAL" in this document are to be interpreted as described in
92	   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
93	   capitals, as shown here.

95	2.  Key Exchange Methods

97	   The key exchange procedure is similar to the ECDH method described in
98	   chapter 4 of [RFC5656], though with a different wire encoding used
99	   for public values and the final shared secret.  Public ephemeral keys
100	   are encoded for transmission as standard SSH strings.

102	   The protocol flow, the SSH_MSG_KEX_ECDH_INIT and
103	   SSH_MSG_KEX_ECDH_REPLY messages, and the structure of the exchange
104	   hash are identical to chapter 4 of [RFC5656].

106	   The method names registered by this document are "curve25519-sha256"
107	   and "curve448-sha512".

109	   The methods are based on Curve25519 and Curve448 scalar
110	   multiplication, as described in [RFC7748].  Private and public keys
111	   are generated as described therein.  Public keys are defined as
112	   strings of 32 bytes for Curve25519 and 56 bytes for Curve448.
113	   Clients and servers MUST fail the key exchange if the length of the
114	   received public keys are not the expected lengths, or if the derived
115	   shared secret only consists of zero bits.  No further validation is
116	   required beyond what is discussed in [RFC7748].  The derived shared
117	   secret is 32 bytes when Curve25519 is used and 56 bytes when Curve448
118	   is used.  The encodings of all values are defined in [RFC7748].  The
119	   hash used is SHA-256 for Curve25519 and SHA-512 for Curve448.

121	2.1.  Shared Secret Encoding

123	   The following step differs from [RFC5656], which uses a different
124	   conversion.  This is not intended to modify that text generally, but
125	   only to be applicable to the scope of the mechanism described in this
126	   document.

128	   The shared secret, K, is defined in [RFC4253] and [RFC5656] as an
129	   integer encoded as a multiple precision integer (mpint).
130	   Curve25519/448 outputs a binary string X, which is the 32 or 56 byte
131	   point obtained by scalar multiplication of the other side's public
132	   key and the local private key scalar.  The 32 or 56 bytes of X are
133	   converted into K by interpreting the octets as an unsigned fixed-
134	   length integer encoded in network byte order.

136	   The integer K is then encoded as an mpint using the process described
137	   in section 5 of [RFC4251] and the resulting bytes are fed as
138	   described in [RFC4253] to the key exchange method's hash function to
139	   generate encryption keys.

141	   When performing the X25519 or X448 operations, the integer values
142	   there will be encoded into byte strings by doing a fixed-length
143	   unsigned little-endian conversion, per [RFC7748].  It is only later
144	   when these byte strings are then passed to the ECDH code in SSH that
145	   the bytes are re-interpreted as a fixed-length unsigned big-endian
146	   integer value K, and then later that K value is encoded as a
147	   variable-length signed "mpint" before being fed to the hash algorithm
148	   used for key generation.  The mpint K is then fed along with other
149	   data to the key exchange method's hash function to generate
150	   encryption keys.

152	3.  Acknowledgements

154	   The "curve25519-sha256" key exchange method is identical to the
155	   "curve25519-sha256@libssh.org" key exchange method created by Aris
156	   Adamantiadis and implemented in libssh and OpenSSH.

158	   Thanks to the following people for review and comments: Denis Bider,
159	   Damien Miller, Niels Moeller, Matt Johnston, Eric Rescorla, Ron
160	   Frederick, Stefan Buehler.

162	4.  Security Considerations

164	   The security considerations of [RFC4251], [RFC5656], and [RFC7748]
165	   are inherited.

167	   Curve25519 provide strong security and is efficient on a wide range
168	   of architectures, and has properties that allows better
169	   implementation properties compared to traditional elliptic curves.
170	   Curve448 with SHA-512 is similar, but has not received the same
171	   cryptographic review as Curve25519, and is slower, but it is provided
172	   as an hedge to combat unforeseen analytical advances against
173	   Curve25519 and SHA-256.

175	   The way the derived binary secret string is encoded into a mpint
176	   before it is hashed (i.e., adding or removing zero-bytes for
177	   encoding) raises the potential for a side-channel attack which could
178	   determine the length of what is hashed.  This would leak the most
179	   significant bit of the derived secret, and/or allow detection of when
180	   the most significant bytes are zero.  For backwards compatibility
181	   reasons it was decided not to address this potential problem.

183	5.  IANA Considerations

185	   IANA is requested to add "curve25519-sha256" and "curve448-sha512" to
186	   the "Key Exchange Method Names" registry for SSH [IANA-KEX] that was
187	   created in RFC 4250 section 4.10 [RFC4250].

189	6.  References

191	6.1.  Normative References

193	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
194	              Requirement Levels", BCP 14, RFC 2119,
195	              DOI 10.17487/RFC2119, March 1997,
196	              <https://www.rfc-editor.org/info/rfc2119>.

198	   [RFC4250]  Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
199	              Protocol Assigned Numbers", RFC 4250,
200	              DOI 10.17487/RFC4250, January 2006,
201	              <https://www.rfc-editor.org/info/rfc4250>.

203	   [RFC4251]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
204	              Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251,
205	              January 2006, <https://www.rfc-editor.org/info/rfc4251>.

207	   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
208	              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
209	              January 2006, <https://www.rfc-editor.org/info/rfc4253>.

211	   [RFC5656]  Stebila, D. and J. Green, "Elliptic Curve Algorithm
212	              Integration in the Secure Shell Transport Layer",
213	              RFC 5656, DOI 10.17487/RFC5656, December 2009,
214	              <https://www.rfc-editor.org/info/rfc5656>.

216	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
217	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
218	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

220	6.2.  Informative References

222	   [IANA-KEX]
223	              Internet Assigned Numbers Authority (IANA), "Secure Shell
224	              (SSH) Protocol Parameters: Key Exchange Method Names",
225	              March 2017, <http://www.iana.org/assignments/ssh-
226	              parameters/ssh-parameters.xhtml#ssh-parameters-16>.

228	   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
229	              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
230	              DOI 10.17487/RFC6234, May 2011,
231	              <https://www.rfc-editor.org/info/rfc6234>.

233	   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
234	              for Security", RFC 7748, DOI 10.17487/RFC7748, January
235	              2016, <https://www.rfc-editor.org/info/rfc7748>.

237	Appendix A.  Copying conditions

239	   Regarding this entire document or any portion of it, the authors make
240	   no guarantees and are not responsible for any damage resulting from
241	   its use.  The authors grant irrevocable permission to anyone to use,
242	   modify, and distribute it in any way that does not diminish the
243	   rights of anyone else to use, modify, and distribute it, provided
244	   that redistributed derivative works do not contain misleading author
245	   or version information.  Derivative works need not be licensed under
246	   similar terms.

248	Authors' Addresses

250	   Aris Adamantiadis
251	   libssh

253	   Email: aris@badcode.be

255	   Simon Josefsson
256	   SJD AB

258	   Email: simon@josefsson.org

260	   Mark D. Baushke
261	   Juniper Networks, Inc.

263	   Email: mdb@juniper.net