SSH non-compliance with FIPS 186

To: ietf-ssh%NetBSD.org@localhost
Subject: SSH non-compliance with FIPS 186
From: pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann)
Date: Tue, 15 Apr 2008 19:16:03 +1200

Someone's just pointed out a problem with SSH's use of DSA keys: The RFC
claims that "signing and verifying using this key format is done according to
the Digital Signature Standard [FIPS-186-2]", but either the spec or many
(all?) implementations aren't actually compliant with FIPS 186.  RFC 4253
hardcodes r and s as 160 bits, but this is only valid for FIPS 186-2 with a
1024-bit key size.  Use of a key size > 1024 bits isn't allowed in FIPS 186-2.
FIPS 186-3 does allow keys > 1024 bits but requires a corresponding increase
in the size of q because increasing p while keeping q fixed at 160 bits
provides no increase in security.

The real problem is the problematic use of 'dss_signature_blob', which (unlike
all other public-key related formats) uses a fixed size for the fields, with
no provision for specifying length information.  Since it's unlikely that
everyone will change their implementations to limit DSA keys to 1024 bits as
is required for FIPS compliance when q = 160 bits, I'd like to propose a
correction to the spec with a new DSA sig format:

  string    "ssh-dss-fips"    // Or whatever
  mpint     r
  mpint     s

to allow use with with keys generated according to FIPS 186.  Comments?

Peter.

Follow-Ups:
- Re: SSH non-compliance with FIPS 186
  - From: Damien Miller
- Re: SSH non-compliance with FIPS 186
  - From: Niels Möller

Prev by Date: Re: Q on X.509 authentication in SSH draft
Next by Date: Re: SSH non-compliance with FIPS 186
Previous by Thread: Q on X.509 authentication in SSH draft
Next by Thread: Re: SSH non-compliance with FIPS 186
Indexes:

Home | Main Index | Thread Index | Old Index