IETF-SSH archive
draft-harris-ssh-rsa-kex-02 and a possible future change
I've uploaded a new version of my RSA KEX draft.
<http://www.ietf.org/internet-drafts/draft-harris-ssh-rsa-kex-02.txt>
Notable changes are:
1: Using SHA-512 in place of SHA-256. This is largely because I've got
the impression that -dh-group-exchange is heading in the direction of
using SHA-512, and it seems silly to require implementations to support
both SHA-256 and SHA-512. Plus of course it gives us headroom in case
decent collision attacks are found against the higher SHAs.
2: Including the encrypted secret in the data hashed to generate the
exchange hash. This should make it much harder for a client to
generate hash collisions, since they'd need to generate K such that K
and its RSA encryption between them generate a collision. I conjecture
that for reasonable RSA key sizes this is infeasible.
I don't imagine that either of these will be controversial.
I'd like to make another change, to move the transmission of K_S, the
server's host key, from SSH_MSG_KEXRSA_DONE to SSH_MSG_KEXRSA_PUBKEY. The
reason for this would be to ensure that even if the server can change its
key (which I can imagine being possible for some kinds of certificate), it
can't use this to mount a collision attack on the exchange hash because it
doesn't know what secret the client is going to send. While this is
rather different from the way the current KEX methods work, I can't
imagine it being any more difficult for server implementations. Would any
client implementors find it a problem?
--
Ben Harris
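As an added illustration of the exchange-hash construction discussed above (example code, not from the draft or from Ben Harris), the following Python computes H using the RFC 4251 wire encodings. The field order follows the published RFC 4432 and the ciphertext and key blobs are constructed placeholders; both are assumptions, since the -02 draft text is not on this page.

```python
import hashlib

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the raw bytes."""
    return len(data).to_bytes(4, "big") + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal two's-complement big-endian, wrapped as a string.
    Zero is the empty string; a positive value whose top bit is set gets a
    leading 0x00 so it is not misread as negative."""
    if n == 0:
        return ssh_string(b"")
    length = (n.bit_length() + 8) // 8          # always leaves room for a sign bit
    raw = n.to_bytes(length, "big", signed=True)
    # drop a redundant sign-extension byte (e.g. -0x80 encodes as 80, not ff 80)
    if n < 0 and len(raw) > 1 and raw[0] == 0xFF and raw[1] & 0x80:
        raw = raw[1:]
    return ssh_string(raw)

def rsa_kex_exchange_hash(V_C, V_S, I_C, I_S, K_S, K_T, encrypted_K, K,
                          hash_name="sha512"):
    """Exchange hash H for the RSA key exchange.
    Field order is taken from RFC 4432 (assumption; the -02 draft may differ):
    client/server version strings, the two KEXINIT payloads, host key K_S,
    transient RSA key K_T, the RSAES-OAEP ciphertext of the secret, then K.
    Hashing the ciphertext alongside K is the change the message describes;
    a client choosing K must now make K and its encryption collide jointly."""
    h = hashlib.new(hash_name)
    for field in (V_C, V_S, I_C, I_S, K_S, K_T, encrypted_K):
        h.update(ssh_string(field))
    h.update(ssh_mpint(K))
    return h.digest()

# Constructed transcript stand-ins (not real keys, KEXINITs or ciphertexts).
TRANSCRIPT = dict(
    V_C=b"SSH-2.0-client_example", V_S=b"SSH-2.0-server_example",
    I_C=b"<constructed client KEXINIT>", I_S=b"<constructed server KEXINIT>",
    K_S=b"<constructed host key blob>", K_T=b"<constructed transient RSA key>",
    encrypted_K=b"<constructed OAEP ciphertext>", K=0x9A378F9B2E332A7,
)

if __name__ == "__main__":
    print("H =", rsa_kex_exchange_hash(**TRANSCRIPT).hex())
```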