X448 Key Exchange
djm at mindrot.org
Fri Sep 14 10:18:06 AEST 2018
On Thu, 13 Sep 2018, Joseph S. Testa II wrote:
> Hi all,
> I'm interested in having X448 protocol available as an option, as it gives
> a larger security margin over X25519. For anyone unfamiliar, it is an
> Diffie-Hellman elliptic curve key exchange using Curve448 (defined in RFC7748:
> https://tools.ietf.org/html/rfc7748). Furthermore, it is included in the new
> TLS 1.3 specification (RFC8846: https://tools.ietf.org/html/rfc8446).
> A few questions:
> 1. What has been OpenSSH's involvement in this related IETF draft, if
> any?: https://tools.ietf.org/id/draft-ietf-curdle-ssh-curves-08.html
> 2. Has there been any (even informal) plans for including X448?
> 3. Has anyone begun an implementation yet?
We have any plans to add more crypto options to OpenSSH without a strong
justification, and I don't see one for X448-SHA512 ATM.
It's hard to imagine a world where X25519-SHA256 is broken but
X448-SHA512 is unaffected. AFAIK The most likely ways that X25519-SHA256
could fail are:
1) discovery of weaknesses in prime field EC crypto. This would almost
certainly affect both X25519/X448.
2) working quantum computers. Exciting times, everything breaks.
3) a weakness in SHA256. Online key agreement protocols like SSH KEX are
the last thing affected by collisions, because the attacker has such a
limited window in which to generate one and limited degrees of freedom
to manipulate the colliding data.
Personally, I'm more interested in a post-quantum KEX than another of the
More information about the openssh-unix-dev