3

Within our organization, we are allowed to use the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm, with the requirement that key sizes be 384 bits or higher.

In this context, I found that many implementations of ECDH (especially in SSH) use NIST curves (like nistp384). However, there are well-known concerns about the trustworthiness of these curves, particularly because the origins of their constants are unclear, raising questions about potential backdoors or intentional weaknesses.

My question is: Is it possible to configure SSH to use ECDH with more trustworthy, non-NIST curves? Or is ECDH in SSH inherently tied to NIST curves only?

1 Answer

6

OpenSSH supports Curve25519 and Curve448 for ECDH, so you don't have to use the NIST P curves. However, X25519 (the ECDH function using Curve25519) has 256-bit keys and 128 bits of security. If you need more, that leaves you with X448 (Curve448) with 448-bit keys and 224 bits of security.

The identifiers for the OpenSSH key exchange algorithms are curve25519-sha256 and curve448-sha512.
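An added example, not part of the answer above: a check of the key exchange names a client reports (the one-per-line output of `ssh -Q kex`, or a comma-separated `KexAlgorithms` value) against the question's policy of non-NIST ECDH with keys of at least 384 bits. The function names and sample listings are constructed for illustration; the key sizes are those given in the answer and in the NIST curve names.

```python
import re

# Plain ECDH key exchange names from RFC 5656 and RFC 8731,
# mapped to (is a NIST curve, key size in bits).
ECDH_KEX = {
    "ecdh-sha2-nistp256": (True, 256),
    "ecdh-sha2-nistp384": (True, 384),
    "ecdh-sha2-nistp521": (True, 521),
    "curve25519-sha256": (False, 256),
    "curve25519-sha256@libssh.org": (False, 256),
    "curve448-sha512": (False, 448),
}

def review_kex(listing, min_bits=384):
    """Map each listed name to 'ok' or to the reason it fails the policy."""
    verdicts = {}
    for name in filter(None, re.split(r"[\s,]+", listing)):
        if name not in ECDH_KEX:
            verdicts[name] = "not a plain ECDH exchange in this table"
            continue
        is_nist, bits = ECDH_KEX[name]
        if is_nist:
            verdicts[name] = "NIST curve"
        elif bits < min_bits:
            verdicts[name] = f"key below {min_bits} bits"
        else:
            verdicts[name] = "ok"
    return verdicts

def kex_config_line(listing, min_bits=384):
    """Return a KexAlgorithms line, or None when the build lists nothing
    compliant (a name the build does not support is a configuration error)."""
    ok = [n for n, v in review_kex(listing, min_bits).items() if v == "ok"]
    return "KexAlgorithms " + ",".join(ok) if ok else None

# Constructed sample listings, in the one-name-per-line shape of `ssh -Q kex`.
WITHOUT_X448 = """diffie-hellman-group14-sha256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
"""
WITH_X448 = WITHOUT_X448 + "curve448-sha512\n"

if __name__ == "__main__":
    for label, sample in (("with X448", WITH_X448), ("without", WITHOUT_X448)):
        for name, verdict in review_kex(sample).items():
            print(f"{label:10} {name:32} {verdict}")
        print(f"{label:10} -> {kex_config_line(sample)}")
```

Feed it the real listing from the client and the server build in use; a `None` result means that build lists no exchange meeting the policy.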
