Hi all,

Back in September 2018, I started a thread about implementing the X448 key exchange (see https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-September/037183.html).

In February 2020, RFC 8731 (formally specifying X448 in SSH) has been finalized: https://www.ietf.org/rfc/rfc8731.txt. I thought I'd start this conversation up again to see if the interest level has changed for implementing this in OpenSSH.

During the last conversation, the point was brought up that post-quantum crypto would be more interesting than X448. Well, in almost two years, I have yet to personally gain faith in any new post-quantum algorithm. Meanwhile, X448 has been a part of TLS 1.3 since August 2018 and has been through much more testing.

Not only am I still interested in using X448 since it provides ~224 bit security level, but I'd still be happy to write the initial implementation for it as well. I'd need assurance that it has a chance of being merged before I get started on it, however.

Thanks!

- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security

Hi Joseph,

To the best of my understanding, the only SSH implementation supporting ssh-ed448 is AsyncSSH.

OpenSSL has support for x448/ed448/curve448. LibreSSL does not yet have this support; see https://github.com/libressl-portable/portable/issues/552

I would hope that offering to do the X448 implementation for LibreSSL and patches to OpenSSH to enable either OpenSSL or LibreSSL for X448 would be well received.

I am not an OpenSSH developer, so I cannot reassure you that OpenSSH will ever embrace X448.

For what it is worth, FIPS 186-5 includes both Edwards25519 and Edwards448 as approved new elliptic curves. They have also approved a deterministic ECDSA.

NIST seems to be plugging away at Post-Quantum Cryptography (PQC) https://csrc.nist.gov/projects/post-quantum-cryptography I suspect they have a long way to go yet before they standardize on anything.

Be safe, stay healthy,
-- Mark

On 7/3/20 5:34 PM, Mark D. Baushke wrote:
> I would hope that offering to do the X448 implementation for LibreSSL
> and patches to OpenSSH to enable either OpenSSL or LibreSSL for X448
> would be well received.

I wouldn't mind doing this if there was a good chance of X448 being included into OpenSSH as a result. But I wouldn't take up that project otherwise.

> NIST seems to be plugging away at Post-Quantum Cryptography (PQC)
> https://csrc.nist.gov/projects/post-quantum-cryptography I suspect they
> have a long way to go yet before they standardize on anything.

Right... and it would take even longer before I'd have enough faith in PQC for everyday use. Whereas X448 is available now and has undergone a lot of testing already.

- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security