Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support ML-KEM key exchanges #606

Closed
tomaswolf opened this issue Sep 11, 2024 · 0 comments · Fixed by #629
Closed

Support ML-KEM key exchanges #606

tomaswolf opened this issue Sep 11, 2024 · 0 comments · Fixed by #629
Assignees
@tomaswolf
Labels
feature request A request for a new feature
Milestone
2.14.1

Comments

@tomaswolf
Copy link
Member

Description

Support the ML-KEM key exchanges described in a current draft RFC.

Motivation

ML-KEM was standardized by NIST; it is basically Crystals-Kyber with a few modifications. See FIPS 203

OpenSSH is in the process of implementing this.

Alternatives considered

No response

Additional context

This needs

  • An OpenSSH that implements at least one of the three ML-KEM variants defined in the draft RFC.
  • A Bouncy Castle that provides ML-KEM. (BC 1.79 should have it; they are in the process of changing their Crystals-Kyber to ML-KEM.)

I already have the code for Apache MINA sshd ready; it'll only need some interoperability testing with an OpenSSH that supports ML-KEM.
@tomaswolf tomaswolf added the feature request A request for a new feature label Sep 11, 2024
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Nov 3, 2024
@tomaswolf
apacheGH-606: ML-KEM key exchange implementation using Bouncy Castle
40f4009 
Refactor the KEM-based KEX paths a little bit; provide the ML-KEMs, and
add the DH factories combining the ML-KEMs with the base curves and
hashes.

KexTest tests that the new key exchanges do work between an Apache MINA
sshd client and server. Add an integration test that verifies that the
new ML-KEM kex works against an OpenSSH 9.9 server (it only has
mlkem768x25519, not the other two variants using ECDH nistp256/384, so
we can't test those).
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Nov 3, 2024
@tomaswolf
apacheGH-606: ML-KEM key exchange implementation using Bouncy Castle
0c50ee5 
Refactor the KEM-based KEX paths a little bit; provide the ML-KEMs, and
add the DH factories combining the ML-KEMs with the base curves and
hashes.

KexTest tests that the new key exchanges do work between an Apache MINA
sshd client and server. Add an integration test that verifies that the
new ML-KEM kex works against an OpenSSH 9.9 server (it only has
mlkem768x25519, not the other two variants using ECDH nistp256/384, so
we can't test those).
@tomaswolf tomaswolf mentioned this issue Nov 3, 2024
Merged
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Nov 3, 2024
@tomaswolf
apacheGH-606: ML-KEM key exchange implementation using Bouncy Castle
a71c329 
Refactor the KEM-based KEX paths a little bit; provide the ML-KEMs, and
add the DH factories combining the ML-KEMs with the base curves and
hashes.

KexTest tests that the new key exchanges do work between an Apache MINA
sshd client and server. Add an integration test that verifies that the
new ML-KEM kex works against an OpenSSH 9.9 server (it only has
mlkem768x25519, not the other two variants using ECDH nistp256/384, so
we can't test those).
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Nov 4, 2024
@tomaswolf
apacheGH-606: ML-KEM key exchange implementation using Bouncy Castle
cba02b3 
Refactor the KEM-based KEX paths a little bit; provide the ML-KEMs, and
add the DH factories combining the ML-KEMs with the base curves and
hashes.

KexTest tests that the new key exchanges do work between an Apache MINA
sshd client and server. Add an integration test that verifies that the
new ML-KEM kex works against an OpenSSH 9.9 server (it only has
mlkem768x25519, not the other two variants using ECDH nistp256/384, so
we can't test those).
tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Nov 4, 2024
@tomaswolf
apacheGH-606: ML-KEM key exchange implementation using Bouncy Castle
38bb2c6 
Refactor the KEM-based KEX paths a little bit; provide the ML-KEMs, and
add the DH factories combining the ML-KEMs with the base curves and
hashes.

KexTest tests that the new key exchanges do work between an Apache MINA
sshd client and server. Add an integration test that verifies that the
new ML-KEM kex works against an OpenSSH 9.9 server (it only has
mlkem768x25519, not the other two variants using ECDH nistp256/384, so
we can't test those).
@tomaswolf tomaswolf self-assigned this Nov 5, 2024
@tomaswolf tomaswolf added this to the 2.14.1 milestone Nov 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tomaswolf tomaswolf

Labels
feature request A request for a new feature
Projects
None yet
Milestone
2.14.1
Development

Successfully merging a pull request may close this issue.

ML-KEM key exchanges using Bouncy Castle 1.79 tomaswolf/mina-sshd
1 participant
@tomaswolf