IETF-SSH archive


SSH non-compliance with FIPS 186



Someone's just pointed out a problem with SSH's use of DSA keys: The RFC
claims that "signing and verifying using this key format is done according to
the Digital Signature Standard [FIPS-186-2]", but either the spec or many
(all?) implementations aren't actually compliant with FIPS 186.  RFC 4253
hardcodes r and s as 160 bits, but this is only valid for FIPS 186-2 with a
1024-bit key size.  Use of a key size > 1024 bits isn't allowed in FIPS 186-2.
FIPS 186-3 does allow keys > 1024 bits but requires a corresponding increase
in the size of q because increasing p while keeping q fixed at 160 bits
provides no increase in security.

The real problem is the problematic use of 'dss_signature_blob', which (unlike
all other public-key related formats) uses a fixed size for the fields, with
no provision for specifying length information.  Since it's unlikely that
everyone will change their implementations to limit DSA keys to 1024 bits as
is required for FIPS compliance when q = 160 bits, I'd like to propose a
correction to the spec with a new DSA sig format:

  string    "ssh-dss-fips"    // Or whatever
  mpint     r
  mpint     s

to allow use with keys generated according to FIPS 186.  Comments?

Peter.
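As an added illustration (not part of Peter's message, and not code from any SSH implementation), here is the RFC 4253 ssh-dss encoding beside the mpint-based format proposed above, in Python. It shows why a fixed 40-byte dss_signature_blob cannot carry the larger q of FIPS 186-3 while a length-prefixed mpint can. The function names, the "ssh-dss-fips" name and the sample r/s values are assumptions of this example.

```python
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal two's-complement big-endian, 0x00 pad if high bit set."""
    if n == 0:
        return ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # keep a positive value positive
        b = b"\x00" + b
    return ssh_string(b)


def parse_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln


def fits_ssh_dss(r: int, s: int) -> bool:
    """The RFC 4253 blob reserves exactly 160 bits for each of r and s."""
    return r.bit_length() <= 160 and s.bit_length() <= 160


def encode_ssh_dss(r: int, s: int) -> bytes:
    """string "ssh-dss", string dss_signature_blob (r || s, 20 bytes each, no lengths)."""
    if not fits_ssh_dss(r, s):
        raise ValueError("ssh-dss blob cannot carry r or s wider than 160 bits")
    return ssh_string(b"ssh-dss") + ssh_string(r.to_bytes(20, "big") + s.to_bytes(20, "big"))


def decode_ssh_dss(sig: bytes):
    name, off = parse_string(sig, 0)
    blob, _ = parse_string(sig, off)
    if name != b"ssh-dss" or len(blob) != 40:
        raise ValueError("malformed ssh-dss signature")
    return int.from_bytes(blob[:20], "big"), int.from_bytes(blob[20:], "big")


def encode_proposed(r: int, s: int, name: bytes = b"ssh-dss-fips") -> bytes:
    """Proposed format: string name, mpint r, mpint s; each field carries its own length."""
    return ssh_string(name) + ssh_mpint(r) + ssh_mpint(s)


def decode_proposed(sig: bytes):
    name, off = parse_string(sig, 0)
    rb, off = parse_string(sig, off)
    sb, _ = parse_string(sig, off)
    return name, int.from_bytes(rb, "big", signed=True), int.from_bytes(sb, "big", signed=True)
```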


