Passa al contenuto principale

4. Security Considerations

Questa sezione conserva il testo RFC per la SSH hybrid key exchange method, inclusi sntrup761, X25519, SHA-512, SSH message names, public value lengths, IANA registration, security considerations e test vectors.

4.  Security Considerations

The security considerations in [RFC4251], [RFC5656], [RFC7748], and
[RFC8731] are inherited.

Streamlined NTRU Prime sntrup761 aims for the standard goal of IND-
CCA2 security, is widely implemented with good performance on a wide
range of architectures, and has been studied by researchers for
several years. However, new cryptographic primitives should be
introduced and trusted conservatively, and new research findings may
be published at any time that may warrant implementation
reconsideration. The method described here to combine Curve25519
with sntrup761 (i.e., SHA-512 hashing the concatenated outputs) is
also available for the same kind of cryptographic scrutiny.

The increase in communication size and computational requirements may
be a concern for restricted computational devices, which would then
not be able to take advantage of the improved security properties
offered by this work.

Since sntrup761x25519-sha512 is expected to offer no reduction of
security compared to curve25519-sha256, it is recommended that it is
used and preferred whenever curve25519-sha256 is used today, if the
extra communication size and computational requirements are
acceptable.

As discussed in the security considerations of [RFC8731], the X25519
shared secret K is bignum-encoded in that document, and this raises
the potential for a side-channel attack that could leak one bit of
the secret due to the different length of the bignum sign pad. This
document resolves that problem by using string encoding instead of
bignum encoding.

The security properties of the protocol in this document, SSH itself,
and the cryptographic algorithms used (including Streamlined NTRU
Prime) depend on the availability and proper use of cryptographically
secure random data.