[PATCH] curve25519-sha256 at libssh.org key exchange proposal
Aris Adamantiadis
aris at 0xbadc0de.be
Sat Nov 2 22:51:40 EST 2013
Le 2/11/13 12:30, Markus Friedl a écrit :
> Am 02.11.2013 um 11:38 schrieb Aris Adamantiadis <aris at 0xbadc0de.be>:
>
>> RFC4251 describes mpint to be multi-size and with positive values having
>> MSB clear, so it's clearly incompatible with raw string.
>>
>> Since you both agreed on the curve25519 implementation to use, I'll work
>> today on Markus' patch to make the changes Damien wanted.
> What do you want to change in my patch?
>
> I use string encoding for the pub keys both on the wire and for the hash. Only the shared secret uses mpint/bignum (for the hash).
>
> Should we use mpint everywhere?
> I don't think so as we can require strings if length 32 everywhere.
>
> So what would the be the consense?
Hi Markus,
I wanted to change the arc4_random thing but just seen you already fixed
it. I do not discuss the string encoding for pubkeys and hash, only for
shared secret. Currently it's mpint, you were discussing of making it
string.
I just pointed out that RFC5656 tells:
The hash H is formed by applying the algorithm HASH on a
concatenation of the following:
string V_C, client's identification string (CR and LF excluded)
string V_S, server's identification string (CR and LF excluded)
string I_C, payload of the client's SSH_MSG_KEXINIT
string I_S, payload of the server's SSH_MSG_KEXINIT
string K_S, server's public host key
string Q_C, client's ephemeral public key octet string
string Q_S, server's ephemeral public key octet string
mpint K, shared secret
So even tough public keys are points (x + y coordinates), the shared
secret (x coordinate) is hashed as an mpint. If we look at curve25519 as
a special case of RFC5656, the point and the x coordinate are the same.
Aris
More information about the openssh-unix-dev
mailing list