arthepsy / ssh-audit

SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

Question about nistp256 etc #27

Open krelml opened 7 years ago

krelml commented 7 years ago

Hey,

I cannot figure out why you are marking 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521' as weak. I checked out some distros, and even OpenBSD has them enabled by default. Care to explain your reasoning behind it?

Thanks.
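To make the question concrete: what a scanner like ssh-audit evaluates is the `kex_algorithms` name-list in the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), and whether a given name is "weak" is a policy table applied to that list. The example below is added here and is not ssh-audit's code: it builds a constructed KEXINIT payload, parses it back, classifies the offered KEX algorithms against an illustrative policy (the table and its labels are the example's own, written to mirror the flagging being asked about, not the tool's actual table), and shows the RFC 4253 negotiation rule under which the client's preference order decides which of the server's offered algorithms is actually used. The sample algorithm lists are constructed and do not claim to be any particular server's defaults.

```python
"""Parse an SSH_MSG_KEXINIT and classify its KEX algorithms against a policy.

Added example, not ssh-audit's code. The KEX_POLICY table below is an
illustrative assumption, not the tool's classification.
"""
import struct
from typing import Dict, List, Optional, Tuple

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Illustrative policy (assumption): KEX name -> list of concerns. Empty list
# means "no concern under this policy". Unknown names are reported separately.
KEX_POLICY: Dict[str, List[str]] = {
    "curve25519-sha256": [],
    "curve25519-sha256@libssh.org": [],
    "diffie-hellman-group-exchange-sha256": [],
    "diffie-hellman-group14-sha256": [],
    "diffie-hellman-group16-sha512": [],
    "diffie-hellman-group18-sha512": [],
    "ecdh-sha2-nistp256": ["NIST P-curve (policy choice, contested; see SafeCurves debate)"],
    "ecdh-sha2-nistp384": ["NIST P-curve (policy choice, contested; see SafeCurves debate)"],
    "ecdh-sha2-nistp521": ["NIST P-curve (policy choice, contested; see SafeCurves debate)"],
    "diffie-hellman-group14-sha1": ["SHA-1 exchange hash"],
    "diffie-hellman-group-exchange-sha1": ["SHA-1 exchange hash"],
    "diffie-hellman-group1-sha1": ["1024-bit modulus", "SHA-1 exchange hash"],
}


def _name_list(names: List[str]) -> bytes:
    """Encode an RFC 4251 name-list: uint32 length + comma-separated US-ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Serialize a KEXINIT payload. Real peers send a random cookie; the zero
    cookie here is a constructed fixture so the example runs offline."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        out += _name_list(fields.get(name, []))
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved uint32, must be 0
    return out


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode a KEXINIT payload into its ten name-lists, rejecting truncation."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message type + cookie
    fields: Dict[str, List[str]] = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    if len(payload) - pos != 5:  # boolean + reserved uint32
        raise ValueError("unexpected trailing data")
    return fields


def classify_kex(offered: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair each offered KEX algorithm with the policy's concerns about it."""
    return [(alg, KEX_POLICY.get(alg, ["unknown to policy"])) for alg in offered]


def flagged_kex(payload: bytes) -> List[str]:
    """Names in the server's kex_algorithms list that the policy flags."""
    return [alg for alg, concerns in classify_kex(parse_kexinit(payload)["kex_algorithms"]) if concerns]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also offers is chosen, so a server offering the NIST curves only
    uses them when the connecting client prefers them over earlier matches."""
    server_set = set(server)
    return next((alg for alg in client if alg in server_set), None)


# Constructed sample server KEXINIT (not any real server's defaults).
SAMPLE_FIELDS: Dict[str, List[str]] = {
    "kex_algorithms": [
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    ],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512", "ecdsa-sha2-nistp256"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}
SAMPLE_PAYLOAD = build_kexinit(SAMPLE_FIELDS)

if __name__ == "__main__":
    for alg, concerns in classify_kex(parse_kexinit(SAMPLE_PAYLOAD)["kex_algorithms"]):
        print(f"{alg:40s} {'; '.join(concerns) or 'ok under policy'}")
    print("client preferring nistp256 gets:",
          negotiate(["ecdh-sha2-nistp256", "curve25519-sha256"], SAMPLE_FIELDS["kex_algorithms"]))
    print("client preferring curve25519 gets:",
          negotiate(["curve25519-sha256", "ecdh-sha2-nistp256"], SAMPLE_FIELDS["kex_algorithms"]))
```

Swapping the `KEX_POLICY` entries for the three `ecdh-sha2-nistp*` names to empty lists is the one-line change that expresses the opposing position taken later in this thread; the parsing and negotiation logic is independent of which view one holds, which is why it helps to keep the policy table separate from the protocol code.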

jchevali commented 7 years ago

Here's a useful read: SafeCurves: Introduction, by D. J. Bernstein.

jsumners commented 6 years ago

I'd also like to know why ecdh-sha2-nistp521 is flagged. The linked article on safe curves does not mention it and I am unable to find any information supporting the flagging. Indeed, the only thing I can find is a passing mention that this may make the linked list -- https://www.reddit.com/r/netsec/comments/476g16/ecdh_keyextraction_via_lowbandwidth/d0b8xzv/

I think the key thing here is that citations would be very helpful in the report. I am currently writing an email explaining why all of these recommendations have been applied in my environment and why we should be resistant to a vendor insisting on using JSCH as a result. Citations would make this much easier to do.

hkopp commented 4 years ago

Obviously, the tool thinks the NIST curves are somehow unsafe. That is bullshit though and undermines the credibility of the whole ssh scanner. We have enough FUD in the crypto community.

@jchevali Your link proves nothing. That is just a comparison of curves by the creator of curve25519. Of course Bernstein thinks that his curves are the best. I would even argue that his comparison is at times very misleading. For example requiring rigidity for a curve to be secure is dubious at best.

See, e.g. https://crypto.stackexchange.com/questions/52983/why-is-there-the-option-to-use-nist-p-256-in-gnupg for a contrary view on the NIST curves.