From b973ca90ec5e2e415e96db3b350023d45ae2a0c7 Mon Sep 17 00:00:00 2001 From: "Alexander Harrison (aleharri)" Date: Fri, 21 Nov 2025 14:59:58 -0600 Subject: [PATCH] Updating to respond to comments from Allie B, Quynh and Casey --- draft-harrison-sshm-mlkem.md | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/draft-harrison-sshm-mlkem.md b/draft-harrison-sshm-mlkem.md index 6e192b7..560d95c 100644 --- a/draft-harrison-sshm-mlkem.md +++ b/draft-harrison-sshm-mlkem.md @@ -3,7 +3,7 @@ title: "Module-Lattice Key Exchange in SSH" abbrev: "TODO - Abbreviation" category: std -docname: draft-harrison-sshm-mlkem-00 +docname: draft-harrison-sshm-mlkem-01 submissiontype: IETF # also: "independent", "editorial", "IAB", or "IRTF" number: date: 
@@ -115,11 +115,23 @@ When using ML-KEM as the Key Exchange Method, the following private namespace me #define SSH_MSG_KEX_KEM_REPLY 31 # Key Exchange Method: ML-KEM -The client sends SSH_MSG_KEX_KEM_INIT. With this, the client sends C_INIT which is the ephemeral client ML-KEM public key, C_PK. C_PK represents the 'pk' output of the post-quantum KEM's 'KeyGen' at the client. +The client sends SSH_MSG_KEX_KEM_INIT with the following structure: -The server sends SSH_MSG_KEX_KEM_REPLY. With this, the server sends S_REPLY which is the concatenation of S_CT. S_CT is the ciphertext 'ct' output of the 'Encaps' algorithm generated by the server which encapsulates a secret to the client public key C_PK. Before producing S_CT, the server MUST perform the encapsulation key checks defined in Section 6.2 of [FIPS203], and abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason, if they fail. + byte SSH_MSG_KEX_KEM_INIT + string C_INIT -C_PK and S_CT are used to establish the shared secret, K_PQ. K_PQ is the post-quantum shared secret decapsulated from S_CT. Before decapsulating, the client MUST check if the ciphertext S_CT length matches the selected ML-KEM variant. The client MUST abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason if the S_CT length does not match the ML-KEM variant or decapsulation fails for any other reason. +where C_INIT is the ephemeral client ML-KEM public key (C_PK). C_PK represents the public key 'pk' of the client's KeyGen. + +The server sends SSH_MSG_KEX_KEM_REPLY with the following structure: + + byte SSH_MSG_KEX_KEM_REPLY + string K_S, server's public host key + string S_REPLY + string The signature of hash 'H' + +where S_REPLY is the ML-KEM ciphertext (S_CT) from the encapsulation of the client's ML-KEM ephemeral public key. + +C_PK and S_CT are used to establish the shared secret, K_PQ. 
K_PQ is the post-quantum shared secret decapsulated from S_CT. Before decapsulating, the client MUST check if the ciphertext S_CT length matches the selected ML-KEM variant. The client MUST abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason if any of the 3 checks specified in Section 7.3 of FIPS 203 fail. The derivation of encryption keys is done from the shared secret K_PQ according to Section 7.2 in [RFC4253] with a modification on the exchange hash H. The hash H is the result of computing the HASH, where HASH is the hash algorithm specified in the named key exchange method name, over the concatenation of the following
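Review bot: the first hunk bumps docname from draft-harrison-sshm-mlkem-00 to draft-harrison-sshm-mlkem-01 but leaves the adjacent context line abbrev: "TODO - Abbreviation" untouched; if this revision is intended for submission, the abbreviation placeholder should be filled in the same change, or the commit message should say the TODO is being deferred deliberately.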
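Review bot: the rewritten SSH_MSG_KEX_KEM_REPLY paragraph in the second hunk drops the server-side requirement that the removed line carried: "Before producing S_CT, the server MUST perform the encapsulation key checks defined in Section 6.2 of [FIPS203], and abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason, if they fail." The replacement line "where S_REPLY is the ML-KEM ciphertext (S_CT) from the encapsulation of the client's ML-KEM ephemeral public key." says nothing about validating C_PK before Encaps, so after this patch the only MUST left is the client-side one in the retained context, and a malformed client public key is no longer required to be rejected. Suggest adding a sentence after the "where S_REPLY is ..." line that restores the server MUST and its disconnect reason. While doing so, make the two FIPS 203 citations consistent: the retained client text says "Section 7.3 of FIPS 203" with no [FIPS203] reference anchor, whereas the removed server text cited "Section 6.2 of [FIPS203]", so the draft should name one edition of FIPS 203 and use the bracketed reference in both places. Minor: the new message layout lists "string K_S, server's public host key" and "string The signature of hash 'H'", but the prose beneath it defines only S_REPLY; a short pointer to where K_S and the signature are specified would keep the structure and the prose in step.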