IETF-SSH archive


Re: SSH non-compliance with FIPS 186



pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann) writes:

> Someone's just pointed out a problem with SSH's use of DSA keys: The RFC
> claims that "signing and verifying using this key format is done according to
> the Digital Signature Standard [FIPS-186-2]", but either the spec or many
> (all?) implementations aren't actually compliant with FIPS 186.  RFC 4253
> hardcodes r and s as 160 bits, but this is only valid for FIPS 186-2 with a
> 1024-bit key size.

I haven't followed the updates of DSA, so my take has been that DSA
with key size larger than 1024 is non-standard, and of questionable
value since the size of the q subgroup is the same. I'd recommend
anybody who needs larger keys to use RSA instead.

> Use of a key size > 1024 bits isn't allowed in FIPS 186-2. FIPS
> 186-3 does allow keys > 1024 bits but requires a corresponding
> increase in the size of q because increasing p while keeping q fixed
> at 160 bits provides no increase in security.

Could you give a brief description? As far as I remember, the 160 bits
in DSA is intimately tied to the digest size of sha1. Do the updated
DSA specify other hash functions (sha-256 or sha-512)?

> The real problem is the problematic use of 'dss_signature_blob', which (unlike
> all other public-key related formats) uses a fixed size for the fields, with
> no provision for specifying length information.

I remember I commented on that wart in the early days of the wg, and
that it was motivated by compatibility with some existing crypto
toolkits.

> I'd like to propose a
> correction to the spec with a new DSA sig format:
>
>   string    "ssh-dss-fips"    // Or whatever
>   mpint     r
>   mpint     s
>
> to allow use with keys generated according to FIPS 186.  Comments?

It ought to get a new signature algorithm id as well.

Regards,
/Niels
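As an added illustration (not code from this thread or from any SSH implementation), the following Python encodes and decodes both the RFC 4253 fixed-width dss_signature_blob and the length-prefixed ssh-dss-fips form proposed above, showing that the fixed 40-byte blob cannot carry r and s from a parameter set whose q is wider than 160 bits while the mpint form can. The algorithm name "ssh-dss-fips" is taken from the proposal only as a placeholder.

```python
import struct

def _string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement wrapped in a string."""
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # prepend 0x00 so a positive value stays positive
        raw = b"\x00" + raw
    return _string(raw)

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def fits_ssh_dss(r: int, s: int) -> bool:
    """True only if r and s both fit the 160-bit fields RFC 4253 hardcodes."""
    return r.bit_length() <= 160 and s.bit_length() <= 160

def encode_ssh_dss(r: int, s: int) -> bytes:
    """RFC 4253 ssh-dss signature: a fixed 40-byte string holding r (20 bytes) || s (20 bytes)."""
    if not fits_ssh_dss(r, s):
        raise ValueError("r or s wider than 160 bits: fixed-width ssh-dss blob cannot carry it")
    return _string(b"ssh-dss") + _string(r.to_bytes(20, "big") + s.to_bytes(20, "big"))

def decode_ssh_dss(sig: bytes):
    name, off = _read_string(sig, 0)
    blob, off = _read_string(sig, off)
    if name != b"ssh-dss" or len(blob) != 40 or off != len(sig):
        raise ValueError("malformed ssh-dss signature")
    return int.from_bytes(blob[:20], "big"), int.from_bytes(blob[20:], "big")

def encode_ssh_dss_fips(r: int, s: int) -> bytes:
    """Proposed format from the thread (placeholder name): r and s as self-describing mpints."""
    return _string(b"ssh-dss-fips") + _mpint(r) + _mpint(s)

def decode_ssh_dss_fips(sig: bytes):
    name, off = _read_string(sig, 0)
    r_raw, off = _read_string(sig, off)
    s_raw, off = _read_string(sig, off)
    if name != b"ssh-dss-fips" or off != len(sig):
        raise ValueError("malformed ssh-dss-fips signature")
    if (r_raw and r_raw[0] & 0x80) or (s_raw and s_raw[0] & 0x80):
        raise ValueError("negative mpint is not a valid DSA signature value")
    return int.from_bytes(r_raw, "big"), int.from_bytes(s_raw, "big")
```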

