Mailing List Archive

X448 Key Exchange (RFC 8731)
Hi all,

Back in September 2018, I started a thread about implementing the
X448 key exchange (see
https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-September/037183.html).

In February 2020, RFC 8731 (formally specifying X448 in SSH) was
finalized: https://www.ietf.org/rfc/rfc8731.txt. I thought I'd
start this conversation up again to see if the interest level has
changed for implementing this in OpenSSH.

During the last conversation, the point was brought up that
post-quantum crypto would be more interesting than X448. Well, in almost
two years, I have yet to personally gain faith in any new post-quantum
algorithm. Meanwhile, X448 has been a part of TLS 1.3 since August 2018
and has been through much more testing.

Not only am I still interested in using X448 since it provides a ~224-bit
security level, but I'd still be happy to write the initial
implementation for it as well. I'd need assurance that it has a chance
of being merged before I get started on it, however.

Thanks!
- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: X448 Key Exchange (RFC 8731)
Hi Joseph,

To the best of my understanding, the only SSH implementation supporting
ssh-ed448 is AsyncSSH.

OpenSSL has support for x448/ed448/curve448.

LibreSSL does not yet have this support; see
https://github.com/libressl-portable/portable/issues/552

I would hope that offering to do the X448 implementation for LibreSSL
and patches to OpenSSH to enable either OpenSSL or LibreSSL for X448
would be well received.

I am not an OpenSSH developer, so I cannot reassure you that OpenSSH
will ever embrace X448.

For what it is worth, FIPS 186-5 includes both Edwards25519 and
Edwards448 as approved new elliptic curves. They have also approved a
deterministic ECDSA.

NIST seems to be plugging away at Post-Quantum Cryptography (PQC)
https://csrc.nist.gov/projects/post-quantum-cryptography I suspect they
have a long way to go yet before they standardize on anything.

Be safe, stay healthy,
-- Mark

Re: X448 Key Exchange (RFC 8731)
On 7/3/20 5:34 PM, Mark D. Baushke wrote:
> I would hope that offering to do the X448 implementation for LibreSSL
> and patches to OpenSSH to enable either OpenSSL or LibreSSL for X448
> would be well received.

I wouldn't mind doing this if there was a good chance of X448 being
included into OpenSSH as a result. But I wouldn't take up that project
otherwise.


> NIST seems to be plugging away at Post-Quantum Cryptography (PQC)
> https://csrc.nist.gov/projects/post-quantum-cryptography I suspect they
> have a long way to go yet before they standardize on anything.

Right... and it would take even longer before I'd have enough faith in
PQC for everyday use. Whereas X448 is available now and has undergone a
lot of testing already.

- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security