Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol
2A Eachard Road
Cambridge
CB3 0HY
United Kingdom
bjh21@bjh21.me.uk
cyberstorm.mu
88, Avenue De Plevitz
Roches Brunes
Mauritius
logan@cyberstorm.mu
curdle
This document describes the use of the Ed25519 and Ed448 digital
signature algorithms in the Secure Shell (SSH) protocol. Accordingly,
this RFC updates RFC 4253.
Introduction
Secure Shell (SSH) is a secure
remote-login protocol. It provides for an extensible variety of
public key algorithms for identifying servers and users to one
another. Ed25519 is a digital
signature system. OpenSSH 6.5
introduced support for using Ed25519 for server and user
authentication and was then followed by other SSH implementations.
This document describes the method implemented by OpenSSH and others
and formalizes the use of the name "ssh-ed25519". Additionally,
this document describes the use of Ed448 and formalizes the use of the
name "ssh-ed448".
Conventions Used in This Document
The descriptions of key and signature formats use the notation
introduced in and the string data type from .
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Public Key Algorithm
This document describes a public key algorithm for use with SSH,
as per . The name of the algorithm is "ssh-ed25519". This
algorithm only supports signing and not encryption.
Additionally, this document describes another public key algorithm.
The name of the algorithm is "ssh-ed448". This algorithm only supports
signing and not encryption.
Standard implementations of SSH SHOULD implement these signature algorithms.
Public Key Format
The "ssh-ed25519" key format has the following encoding:
- string
- "ssh-ed25519"
- string
- key
Here, 'key' is the 32-octet public key described in
.
The "ssh-ed448" key format has the following encoding:
- string
- "ssh-ed448"
- string
- key
Here, 'key' is the 57-octet public key described in
.
Signature Algorithm
Signatures are generated according to the procedure in Sections
and of .
Signature Format
The "ssh-ed25519" key format has the following encoding:
- string
- "ssh-ed25519"
- string
- signature
Here, 'signature' is the 64-octet signature produced in
accordance with .
The "ssh-ed448" key format has the following encoding:
- string
- "ssh-ed448"
- string
- signature
Here, 'signature' is the 114-octet signature produced in
accordance with .
Verification Algorithm
Ed25519 signatures are verified according to the procedure in
.
Ed448 signatures are verified according to the procedure in
.
SSHFP DNS Resource Records
Usage and generation of the SSHFP DNS resource record
is described in .
The generation of SSHFP resource records for "ssh-ed25519" keys is described
in .
This section illustrates the generation of SSHFP resource records for "ssh-ed448" keys, and
this document also specifies the corresponding Ed448 code point to "SSHFP RR
Types for public key algorithms" in the "DNS SSHFP Resource Record Parameters"
IANA registry .
The generation of SSHFP resource records for "ssh-ed448" keys
is described as follows.
The encoding of Ed448 public keys is described in . In brief,
an Ed448 public key is a 57-octet value representing a 455-bit y-coordinate
of an elliptic curve point, and a sign bit indicating the corresponding
x-coordinate.
The SSHFP Resource Record for the Ed448 public key with SHA-256 fingerprint
would, for example, be:
example.com. IN SSHFP 6 2 ( a87f1b687ac0e57d2a081a2f2826723
34d90ed316d2b818ca9580ea384d924
01 )
The '2' here indicates SHA-256 .
IANA Considerations
This document augments the Public Key Algorithm Names in .
IANA has added the following entry to "Public Key Algorithm Names" in the
"Secure Shell (SSH) Protocol Parameters"
registry :
| Public Key Algorithm Name |
Reference |
| ssh-ed25519 |
RFC 8709 |
| ssh-ed448 |
RFC 8709 |
IANA has added the following entry to "SSHFP RR Types for public
key algorithms" in the "DNS SSHFP Resource Record Parameters" registry
:
| Value |
Description |
Reference |
| 6 |
Ed448 |
RFC 8709 |
Security Considerations
The security considerations in apply to all SSH
implementations, including those using Ed25519 and Ed448.
The security considerations in and apply to all uses of
Ed25519 and Ed448, including those in SSH.
References
Normative References
Informative References
Secure Shell (SSH) Protocol Parameters
IANA
DNS SSHFP Resource Record Parameters
IANA
OpenSSH 6.5 release notes
Ed448-Goldilocks, a new elliptic curve
Acknowledgements
The OpenSSH implementation of Ed25519 in SSH was written by
. We are also grateful to , , and
for their comments.