Can we disable diffie-hellman-group-exchange-sha1 by default?

Sat Feb 16 04:04:03 AEDT 2019

Hi Yegor,

Yegor Ievlev <koops1997 at gmail.com> writes:

> I read this page MANY times, and generally I am also against using
> P-256/384/521. However I believe that risk of using non-EC DH under
> 2048 bits (Logjam) and SHA-1 is higher, and also take speed into
> consideration.

I wrote RFC8268 as I also had many of these same concerns, but I tend to
think that 4k bit DH primaes are good enough security for aes128-ctr or
aes128-gcm today. If you have a need for more security, then the
computation tradeoffs start to become cumbersome.

I regret that I am behind on revising the draft-ietf-curdle-ssh-curves
to address the Area Director comments to get that published as an RFC so
that more standards bodies will be able to specify the use of Curve25519
or Curve448 in the SSH protocol.

> Mark Baushke <mdb at juniper.net> writes:
> > I am given to understand that NIST is going to be considering EdDSA
> > and things like Curve25519 and Curve448 in the coming year for
> > release.
>
> Are you confusing IETF and NIST? IETF is heavily using these two
> curves, but I did not hear about NIST working at including them into
> their standards.

For Curve25519 and Curve448 references, this news announcement may be of
interest:

Transition Plans for Key Establishment Schemes using Public Key Cryptography
October 31, 2017

https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes
has this text:

    In addition, NIST guidelines on Elliptic Curve Cryptography are also
    being revised to propose the adoption of new elliptic curves
    specified in the Internet Engineering Task Force (IETF) RFC 7748.
    The upcoming draft of SP 800-186, which will specify approved
    elliptic curves, will include the curves currently specified in FIPS
    186-4 and two additional curves: Curve25519 and Curve448. Their
    associated key agreement schemes, X25519 and X448, will be
    considered for inclusion in a subsequent revision to SP 800-56A. The
    CMVP does not intend to enforce compliance with SP 800-56A until
    these revisions are complete.

For EdDSA you may wish to look here:

https://csrc.nist.gov/CSRC/media/Publications/sp/800-131a/rev-2/draft/documents/sp800-131Ar2-draft.pdf

On page iii is this text:

    4. A revision of FIPS 186 (FIPS 186-5) will soon be available for
       public comment. This revision will include EdDSA. SP 800-131A
       takes this into account.

See also references in sction 3 on line 162 with footnote 17 on page 6
and in Table 2 on page 7 and on line 192 on page 8 and line 222 on page
9.

The new draft of FIPS Special Publication 186-5 is not yet available for
review as of today.

> If by paired curves you mean converting the key between Curve25519 and
> Ed25519 form, that's generally not considered to be as secure as using
> separate keys.

No. The following will give you a better understanding for the nature of
the field that is emerging.

An Introduction to Pairing-Based Cryptography
by Alfred Menezes
https://www.math.uwaterloo.ca/~ajmeneze/publications/pairings.pdf

Pairing-Based Cryptography At High Security Levels
by Neal Koblitz and Alfred Menezes
http://www.mathnet.or.kr/mathnet/preprint_file/cacr/2005/cacr2005-08.pdf

Pairing-Friendly Curves
https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-00

Optimal Ate Pairing
https://tools.ietf.org/html/draft-kato-optimal-ate-pairings-01

It is not a mature enough field yet, but it is an active area of
research.

I hope you find this information useful.

Some folks may find it useful to visit the Internet Research Task Force
crypto Forum Research Group email archives. irtf.org has a pointer to
the Charter for the Research Group and that in turn has a pointer to the
cfrg mailint list. and jabber chat address.

	Enjoy!
        -- Mark