Add key exchange algorithm curve25519-sha256@libssh.org

[dkocher]

Currently only diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 is implemented.

[hierynomus]

Hi David,

Could you link the RFC for the protocol? In both this one and #167? Thx!

[dkocher]

curve25519-sha256@libssh.org key exchange method

[dkocher]

Refer also to Specifications implemented by OpenSSH.

[grkvlt]

@hierynomus @dkocher same point as #167 basically, has there been any progress on this? I looked at the code, but I'm not sure where to start on implementing a new key exchange algorithm myself.

[hierynomus]

Started work on this on the ed25519 branch

[hierynomus]

@dkocher I'm not seeming to get it to work yet. Maybe you can have a look at the branch also. Probably missing something very stupid here during the signature verification :(.

Current status is:

net.schmizz.sshj.transport.TransportException: KeyExchange signature verification failed
    at net.schmizz.sshj.transport.kex.Curve25519.next(Curve25519.java:126) ~[main/:na]
    at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:367) ~[main/:na]
    at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:493) ~[main/:na]

SSHD configuration on linux box used:

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

[dkocher]

I can reproduce the signature verification failure. Note that when I leave the other HostKey settings uncommented, there is an issue with selecting the correct host key type and a resulting exception

java.lang.ClassCastException: org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey cannot be cast to net.i2p.crypto.eddsa.EdDSAPublicKey
    at net.schmizz.sshj.transport.kex.Curve25519.next(Curve25519.java:108)
    at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:367)
    at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:493)
    at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)
    at net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)
    at net.schmizz.sshj.transport.Reader.run(Reader.java:60)

[hierynomus]

Some additional implementation info...

Nice scheme: https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/
Page on ed25519: http://ed25519.cr.yp.to/software.html
Original ed25519 paper: http://ed25519.cr.yp.to/ed25519-20110926.pdf
Original curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf
Sodium: https://labs.opendns.com/2013/03/06/announcing-sodium-a-new-cryptographic-library

[hierynomus]

@dkocher Can you try it out and see whether it indeed works, verified it locally against a VM, but would be good to have a backup check before releasing into the wild 😄

[dkocher]

Tested against SSH-2.0-OpenSSH_6.6.1.

[hierynomus]

In that case I'm going to release! Stay tuned for 0.14.0