IETF-SSH archive


Re: draft-harris-ssh-rsa-kex-02 and a possible future change



> I've uploaded a new version of my RSA KEX draft. 
> <http://www.ietf.org/internet-drafts/draft-harris-ssh-rsa-kex-02.txt>

> 1: Using SHA-512 in place of SHA-256.

I'm not sure I like this.  SHA-256 is reasonably good for 32-bit
machines; SHA-512 (and SHA-384) are basically 64-bit algorithms,
calling for eight 64-bit temporaries in their core loops.

I think this change will disproportionately hurt exactly those machines
where your kex is most beneficial - old, slow, half-lung machines,
which are usually 32-bit.

>    Plus of course it gives us headroom in case decent collision
>    attacks are found against the higher SHAs.

True, though I'd prefer to address this by defining variants using
block-cipher-based hash functions.

> 2: Including the encrypted secret in the data hashed to generate the
>    exchange hash.

My reaction here is basically "shrug".  I don't really see the hazard
in the client managing to generate two sessions with the same exchange
hash in the first place.

> I'd like to make another change, to move the transmission of K_S, the
> server's host key, from SSH_MSG_KEXRSA_DONE to SSH_MSG_KEXRSA_PUBKEY.
> [...].  Would any client implementors find it a problem?

Tentatively, I wouldn't.  I'll have to look at my code, though, and
make sure I do indeed have (or can easily arrange to have) the host key
at hand at that point.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
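The second point in the thread (whether the RSA-encrypted secret belongs in the data that is hashed to form the exchange hash) is easiest to see by building the hash both ways. The following is an added example, not code from the draft or from either correspondent. The field order is an assumption modelled on the exchange-hash layout later published as RFC 4432; the session values are constructed sample bytes, and the two "ciphertexts" stand in for the differing RSA-OAEP outputs that encrypting the same K twice would produce.

```python
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding for a non-negative integer: big-endian two's
    complement, so a leading 0x00 is added when the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_kex_exchange_hash(v_c, v_s, i_c, i_s, k_s, k_t, encrypted_secret, k,
                          include_encrypted_secret=True, hash_name="sha256"):
    """Exchange hash H for the RSA key exchange (assumed field order:
    client/server version strings, both KEXINIT payloads, host key K_S,
    transient RSA key K_T, optionally the encrypted secret, then K).
    hash_name selects SHA-256 or SHA-512, the two choices discussed above."""
    h = hashlib.new(hash_name)
    for field in (v_c, v_s, i_c, i_s, k_s, k_t):
        h.update(ssh_string(field))
    if include_encrypted_secret:
        h.update(ssh_string(encrypted_secret))
    h.update(ssh_mpint(k))
    return h.digest()


# Constructed sample session: everything the server contributes is identical
# in both runs, and the client has chosen the same K both times.
SHARED = dict(
    v_c=b"SSH-2.0-ExampleClient",
    v_s=b"SSH-2.0-ExampleServer",
    i_c=b"\x14" + b"\x11" * 16 + b"constructed-client-kexinit",
    i_s=b"\x14" + b"\x22" * 16 + b"constructed-server-kexinit",
    k_s=b"constructed-host-key-blob",
    k_t=b"constructed-transient-rsa-key-blob",
    k=0xDEADBEEFCAFEBABE0123456789ABCDEF,
)
# RSA-OAEP is randomised, so encrypting the same K twice gives different
# ciphertexts; these two blobs stand in for that.
SESSION_A = dict(SHARED, encrypted_secret=b"\xa1" * 32)
SESSION_B = dict(SHARED, encrypted_secret=b"\xb2" * 32)


def same_exchange_hash(include_encrypted_secret: bool, hash_name="sha256") -> bool:
    """True if the two sessions end up with an identical exchange hash."""
    h_a = rsa_kex_exchange_hash(**SESSION_A, hash_name=hash_name,
                                include_encrypted_secret=include_encrypted_secret)
    h_b = rsa_kex_exchange_hash(**SESSION_B, hash_name=hash_name,
                                include_encrypted_secret=include_encrypted_secret)
    return h_a == h_b


if __name__ == "__main__":
    print("without encrypted secret, same H:", same_exchange_hash(False))
    print("with encrypted secret, same H:   ", same_exchange_hash(True))
```

Leaving the encrypted secret out means a client that reuses K against an unchanged server state reproduces the same H, and therefore the same session keys; hashing the ciphertext as well ties H to the specific on-the-wire encryption, which is the headroom the draft change buys regardless of whether one considers the repeat hazardous.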


