RFC Errata
RFC 9142, "Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)", January 2022
Source of RFC: curdle (sec)See Also: RFC 9142 w/ inline errata
Errata ID: 7799
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Ben S
Date Reported: 2024-02-07
Verifier Name: Paul Wouters
Date Verified: 2024-02-07
Section 1.2.1 says:
+============+=============================+ | Curve Name | Estimated Security Strength | +============+=============================+ | nistp256 | 128 bits | +------------+-----------------------------+ | nistp384 | 192 bits | +------------+-----------------------------+ | nistp521 | 512 bits | +------------+-----------------------------+ | curve25519 | 128 bits | +------------+-----------------------------+ | curve448 | 224 bits | +------------+-----------------------------+
It should say:
+============+=============================+ | Curve Name | Estimated Security Strength | +============+=============================+ | nistp256 | 128 bits | +------------+-----------------------------+ | nistp384 | 192 bits | +------------+-----------------------------+ | nistp521 | 256 bits | +------------+-----------------------------+ | curve25519 | 128 bits | +------------+-----------------------------+ | curve448 | 224 bits | +------------+-----------------------------+
Notes:
P-521 has approximately 256 bits of security (rather than 512), as per Table 1 of Section 6.1.1 of FIPS 186-5, and Section 9 Paragraph 5 of RFC 5656.