IETF-SSH archive
Re: SSH non-compliance with FIPS 186
pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann) writes:
> Someone's just pointed out a problem with SSH's use of DSA keys: The RFC
> claims that "signing and verifying using this key format is done according to
> the Digital Signature Standard [FIPS-186-2]", but either the spec or many
> (all?) implementations aren't actually compliant with FIPS 186. RFC 4253
> hardcodes r and s as 160 bits, but this is only valid for FIPS 186-2 with a
> 1024-bit key size.
I haven't followed the updates of DSA, so my take has been that DSA
with key size larger than 1024 is non-standard, and of questionable
value since the size of the q subgroup is the same. I'd recommend
anybody who needs larger keys to use RSA instead.
> Use of a key size > 1024 bits isn't allowed in FIPS 186-2. FIPS
> 186-3 does allow keys > 1024 bits but requires a corresponding
> increase in the size of q because increasing p while keeping q fixed
> at 160 bits provides no increase in security.
Could you give a brief description? As far as I remember, the 160 bits
in DSA is intimately tied to the digest size of sha1. Do the updated
DSA specify other hash functions (sha-256 or sha-512)?
> The real problem is the problematic use of 'dss_signature_blob', which (unlike
> all other public-key related formats) uses a fixed size for the fields, with
> no provision for specifying length information.
I remember I commented on that wart in the early days of the wg, and
that it was motivated by compatibility with some existing crypto
toolkits.
> I'd like to propose a
> correction to the spec with a new DSA sig format:
>
> string "ssh-dss-fips" // Or whatever
> mpint r
> mpint s
>
> to allow use with keys generated according to FIPS 186. Comments?
It ought to get a new signature algorithm id as well.
Regards,
/Niels
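As an added illustration (not code from the thread, from Niels or Peter, nor from any SSH implementation), the following Python encodes and decodes a DSA (r, s) pair both as the fixed-width `dss_signature_blob` of RFC 4253 and in the length-carrying `string`/`mpint`/`mpint` layout proposed above. It shows concretely why the fixed layout cannot carry the larger q sizes FIPS 186-3 allows. The function names, the `ssh-dss-fips` identifier (taken from the proposal as a placeholder) and the sample r/s values are all constructed for this example; the sample values are not real signatures.

```python
"""Two encodings of a DSA (r, s) pair as discussed in the thread.

Added illustration, not code from the thread or from any SSH implementation.
Assumed names: encode_fixed_dss / decode_fixed_dss follow the RFC 4253 ssh-dss
layout (r and s as two fixed 160-bit fields); encode_mpint_dss / decode_mpint_dss
follow the proposed layout, using "ssh-dss-fips" as a placeholder name.
"""
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: two's-complement big-endian,
    with an extra leading zero byte when the top bit would otherwise be set."""
    if n < 0:
        raise ValueError("only non-negative values are needed for r and s")
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_string(buf: bytes, off: int):
    """Parse one 'string' at offset off; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def read_mpint(buf: bytes, off: int):
    """Parse one mpint; reject negative or non-minimal encodings."""
    body, off = read_string(buf, off)
    if body and body[0] & 0x80:
        raise ValueError("negative mpint not allowed for r or s")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal mpint encoding")
    return int.from_bytes(body, "big"), off


def encode_fixed_dss(r: int, s: int) -> bytes:
    """RFC 4253 ssh-dss: name string, then a 40-byte blob of r||s, 160 bits each.
    An r or s that does not fit in 160 bits cannot be represented at all."""
    if not (0 < r < 1 << 160 and 0 < s < 1 << 160):
        raise ValueError("dss_signature_blob can only carry 160-bit r and s")
    blob = r.to_bytes(20, "big") + s.to_bytes(20, "big")
    return ssh_string(b"ssh-dss") + ssh_string(blob)


def decode_fixed_dss(sig: bytes):
    """Inverse of encode_fixed_dss; the blob length is the only size check possible."""
    name, off = read_string(sig, 0)
    if name != b"ssh-dss":
        raise ValueError("unexpected signature format name")
    blob, off = read_string(sig, off)
    if len(blob) != 40 or off != len(sig):
        raise ValueError("dss_signature_blob must be exactly 40 bytes")
    return int.from_bytes(blob[:20], "big"), int.from_bytes(blob[20:], "big")


def encode_mpint_dss(r: int, s: int, name: bytes = b"ssh-dss-fips") -> bytes:
    """Proposed layout: name string, mpint r, mpint s (each field carries its length)."""
    return ssh_string(name) + ssh_mpint(r) + ssh_mpint(s)


def decode_mpint_dss(sig: bytes, name: bytes = b"ssh-dss-fips"):
    """Inverse of encode_mpint_dss; works for any q size because lengths are explicit."""
    got, off = read_string(sig, 0)
    if got != name:
        raise ValueError("unexpected signature format name")
    r, off = read_mpint(sig, off)
    s, off = read_mpint(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s


# Constructed sample values (not real signatures): one pair sized for a 160-bit q,
# one sized for a 256-bit q such as FIPS 186-3 pairs with larger p.
R160 = (1 << 159) + 12345
S160 = (1 << 159) + 67890
R256 = (1 << 255) + 1
S256 = (1 << 255) + 2


def can_encode_fixed(r: int, s: int) -> bool:
    """True if (r, s) fits the RFC 4253 fixed-width blob."""
    try:
        encode_fixed_dss(r, s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_fixed_dss(encode_fixed_dss(R160, S160)) == (R160, S160))   # True
    print(can_encode_fixed(R256, S256))                                    # False
    print(decode_mpint_dss(encode_mpint_dss(R256, S256)) == (R256, S256))  # True
```

The fixed decoder can only confirm that the blob is 40 bytes; it has no way to tell a 160-bit q from anything else, which is the wart Niels refers to. The mpint decoder also rejects negative and non-minimal encodings, a check a receiver should keep whichever identifier the new format ends up with.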