openssh unix dev - Nov 2013 - [PATCH] curve25519-sha256@libssh.org key exchange proposal

On Fri, 1 Nov 2013, Markus Friedl wrote:
> Here are three versions (patch against openbsd cvs)
> 
> 1) repace nacl w/libsodium, so i could test
> 2) curve25519-donna
> 3) Matthew's public domain reference implementation.
> 
> i'd vote for #3
Yes, me too.

One thing: this patch will be incompatible with Aris' since we calculate
the hash over the DH values encoded as strings rather than (as he does)
bignums.

IMO they should be strings because they aren't ever sent as bignums on
the wire, but if the Curve25519 support is widely deployed then it might
be too late to change. I don't think the encoding makes any appreciable
difference to security - the bignum encoding is unambiguous.

-d

It should be compatible with the original patch. However I think that the shared
secret should be encoded as a string, too. What does libssh do?


> Am 02.11.2013 um 05:46 schrieb Damien Miller <djm at mindrot.org>:
> 
>> On Fri, 1 Nov 2013, Markus Friedl wrote:
>> 
>> Here are three versions (patch against openbsd cvs)
>> 
>> 1) repace nacl w/libsodium, so i could test
>> 2) curve25519-donna
>> 3) Matthew's public domain reference implementation.
>> 
>> i'd vote for #3
> 
> Yes, me too.
> 
> One thing: this patch will be incompatible with Aris' since we
calculate
> the hash over the DH values encoded as strings rather than (as he does)
> bignums.
> 
> IMO they should be strings because they aren't ever sent as bignums on
> the wire, but if the Curve25519 support is widely deployed then it might
> be too late to change. I don't think the encoding makes any appreciable
> difference to security - the bignum encoding is unambiguous.
> 
> -d