ssh-audit
Question about nistp256 etc
Hey,
I cannot figure out why you are marking 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521' as weak. I checked out some distros and even OpenBSD has them enabled by default. Care to explain your reasoning behind it?
Thanks.
Here's a useful read: SafeCurves: Introduction, by D. J. Bernstein.
I'd also like to know why ecdh-sha2-nistp521 is flagged. The linked article on safe curves does not mention it and I am unable to find any information supporting the flagging. Indeed, the only thing I can find is a passing mention that this may make the linked list -- https://www.reddit.com/r/netsec/comments/476g16/ecdh_keyextraction_via_lowbandwidth/d0b8xzv/
I think the key thing here is that citations would be very helpful in the report. I am currently writing an email explaining why all of these recommendations have been applied in my environment and why we should be resistant to a vendor insisting on using JSCH as a result. Citations would make this much easier to do.
Obviously, the tool thinks the NIST curves are somehow unsafe. That is bullshit though and undermines the credibility of the whole ssh scanner. We have enough FUD in the crypto community.
@jchevali Your link proves nothing. That is just a comparison of curves by the creator of curve25519. Of course Bernstein thinks that his curves are the best. I would even argue that his comparison is at times very misleading. For example, requiring rigidity for a curve to be secure is dubious at best.
See, e.g. https://crypto.stackexchange.com/questions/52983/why-is-there-the-option-to-use-nist-p-256-in-gnupg for a contrary view on the NIST curves.