IETF-SSH archive


Re: Elliptic-Curve Algorithm Integration in the Secure Shell Transport Layer



On Wed, 1 Oct 2008, Douglas Stebila wrote:

> A new version of the ECC in SSH draft is now available for review.
>
> http://www.ietf.org/internet-drafts/draft-green-secsh-ecc-03.txt

	hi Douglas,

	I like the draft, and have some comments.

	- section 1, ECMQV has been dropped from the National Security
Agency's Suite B. I don't know when but it's not there now:

	http://www.nsa.gov/ia/industry/crypto_suite_b.cfm

	I'm wondering if an inclusion of that in this draft may not cast 
some shadow on it in general as including something that might have 
potential legal issues if used.

	- section 4, this might be just a language issue; does this imply 
that the remote key pair is ephemeral as well or not? Or would it be better 
to say "and ephemeral remote public key"?

   The Elliptic Curve Diffie-Hellman (ECDH) key exchange method
   generates a shared secret from an ephemeral elliptic curve local
   private key and remote public key.

	- section 4, you may want to reference RFC 4251, 4.1 (Host Keys) and
section 9.3.4 (Man-in-the-middle) in the "*" paragraph. Same in section 5.
Or it could be at one common place so that it's not duplicated.

	- section 4, "The exchange hash H is computed as the hash of the
concatenation of the following.", please change NL to LF. NL is EBCDIC's
notation, not ASCII.

	- section 4, you may want to change "version string" to
"identification string" since that's what RFC 4253 almost exclusively uses.
Same in 5.

	- section 5. I don't know very much about ECC so I have a question. 
I understand that we can use implicit server authentication since the server's 
private key is already involved in the generation of the shared secret. So, 
HMAC instead of ECDSA is then used just because it's faster?

	- is it needed to include shared secret in the hash input when we 
already use it in HMAC on the resulting hash? I'd say to break it is equally 
difficult whether the secret is there or not.

	- section 9.2, I like that you put the command sequence that
generates Base64(MD5(DER(OID))). However, claiming that you can run it on
many unix-like systems seems quite strong to me. "oid" is not found on any
system I tried, be it FreeBSD 6.1, Gentoo 1.12.11.1, or OpenSolaris. What's
more, "xxd" is part of ViM. Not sure if those details should be part of the
RFC but at least "oid" is a quite generic name; I can't find what "oid -i" is
supposed to do exactly; I just guess "-i" means an input file, not a 
specific type of output.


	wrt the SSH protocol I think it should work as defined but obviously 
a reference implementation might reveal more.

	cheers, J.

--
Jan Pechanec
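The Base64(MD5(DER(OID))) step that the section 9.2 comment above questions, written out here as an added example (not code from the draft or from the original post) so the three stages can be checked without the "oid" and "xxd" tools; the OIDs used as sample input are the standard ones for the P-256 and secp256k1 curves, and the DER encoding is hand-rolled so the exact bytes being hashed are visible.

```python
import base64
import hashlib


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted-decimal form.

    The first two arcs are folded into one byte (40*a + b). Every later arc
    is written base-128, most significant group first, with the high bit set
    on every byte of that arc except the last. The result is the tag 0x06,
    a short-form length, and the arc bytes: exactly what a tool such as
    "oid" piped through "xxd" would show before hashing.
    """
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def curve_identifier(dotted: str) -> str:
    """Base64(MD5(DER(OID))) as described for the draft's section 9.2.

    MD5 is used here purely as a name-derivation step, not for any
    security property, hence usedforsecurity=False (Python 3.9+).
    """
    digest = hashlib.md5(der_oid(dotted), usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample input: the standard OIDs for P-256 (prime256v1) and
# secp256k1. The identifiers printed are what the draft's scheme yields.
if __name__ == "__main__":
    for name, oid in (("P-256", "1.2.840.10045.3.1.7"), ("secp256k1", "1.3.132.0.10")):
        print(f"{name}: DER={der_oid(oid).hex()} id={curve_identifier(oid)}")
```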


