IETF-SSH archive
Re: SSH non-compliance with FIPS 186
Damien Miller <djm%mindrot.org@localhost> writes:
>Should this include the hash algorithm too? You could figure it out from the
>lengths of r and s, but things could become ambiguous if a future DSA spec
>lists new hashes with 160 or 256 bit digest lengths.
Good point: the current DSA spec (FIPS 186-3 [0]) already lists hashes other
than SHA-1, so yes, there should be a provision for extra hashes (this also
provides an escape hatch if the ongoing gnawing at SHA-1 is finally
successful). At the moment there's only SHA-1 and SHA-256 specified, so I'd
suggest:
"ssh-dsa" // Implies the traditional "with SHA-1"
"ssh-dsa-sha256" // Self-explanatory
with possibly a note to implementors to expect "ssh-dsa-sha512" at some point
in the future, and then "ssh-dsa-ahs" in 2011 when the Advanced Hash Standard
appears. SHA-512 is awkward to implement on non-64-bit processors so I
wouldn't make it mandatory, as indeed FIPS 186 doesn't.
(If people don't object to excessive tinkering, defining an equivalent for RSA
by slipping in a "ssh-rsa-sha256" might also be useful).
Peter.
[0] The NIST web pages are somewhat out of date in places, the current 186-3
is listed as a draft with comments closing in June 2006, but the
rumblings I've heard are that either you need to be 186-3 ready now or
very shortly.
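The design point raised in this exchange, that the hash has to be named in the signature algorithm identifier because the lengths of r and s say nothing about it, in working code. This is an added example written for this archive page, not code from the thread or from any SSH implementation. It uses only the Python standard library, generates demo-sized DSA parameters in place (constructed, with a 512-bit p, not FIPS-conformant sizes), encodes signatures in the RFC 4253 string/blob layout, and resolves the hash strictly from the algorithm name. The names "ssh-dsa" and "ssh-dsa-sha256" are the thread's spellings (RFC 4253 calls the existing SHA-1 algorithm "ssh-dss"), and "ssh-dsa-sha512" appears only as an unregistered name the verifier must refuse rather than guess at.

```python
import hashlib
import random
import struct

# Demo-sized DSA domain parameters, constructed here: q is 160 bits, so r and s each fit in
# 20 bytes exactly as in the RFC 4253 "ssh-dss" blob. Real parameters need p >= 1024 bits.
L_BITS, N_BITS = 512, 160
HASH_FOR_ALGORITHM = {"ssh-dss": "sha1", "ssh-dsa": "sha1", "ssh-dsa-sha256": "sha256"}

def is_probable_prime(n, rng, rounds=12):
    # Miller-Rabin with `rounds` random bases (good enough for a demo parameter search)
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(rng):
    # prime q of N bits, prime p = k*q + 1 of L bits, g generating the subgroup of order q
    while True:
        q = rng.getrandbits(N_BITS) | (1 << (N_BITS - 1)) | 1
        if not is_probable_prime(q, rng):
            continue
        for _ in range(4096):
            k = (rng.getrandbits(L_BITS - N_BITS) | (1 << (L_BITS - N_BITS - 1))) & ~1
            p = k * q + 1
            if p.bit_length() == L_BITS and is_probable_prime(p, rng):
                g = pow(2, (p - 1) // q, p)
                if g > 1:
                    return p, q, g

def message_to_int(message, hash_name, q):
    # FIPS 186-3 uses the leftmost min(N, outlen) bits of the digest: SHA-256 is cut to 160 bits here
    return int.from_bytes(hashlib.new(hash_name, message).digest()[:(q.bit_length() + 7) // 8], "big")

def dsa_sign(params, x, message, hash_name, rng):
    p, q, g = params
    z = message_to_int(message, hash_name, q)
    while True:  # retry in the negligible r == 0 or s == 0 case
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, message, hash_name, r, s):
    p, q, g = params
    if not (0 < r < q and 0 < s < q):
        return False
    z = message_to_int(message, hash_name, q)
    w = pow(s, -1, q)
    v = pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r

def encode_signature(alg, r, s, q):
    # RFC 4253 layout: string name, string blob; the blob is r || s at fixed width (20 bytes each here)
    n = (q.bit_length() + 7) // 8
    blob = r.to_bytes(n, "big") + s.to_bytes(n, "big")
    return struct.pack(">I", len(alg)) + alg.encode("ascii") + struct.pack(">I", len(blob)) + blob

def verify_ssh_signature(params, y, message, sig):
    # parse (string name, string blob); the hash comes from the name alone, never from the blob length
    (n,) = struct.unpack_from(">I", sig, 0)
    name, off = sig[4:4 + n], 4 + n
    (n,) = struct.unpack_from(">I", sig, off)
    blob, off = sig[off + 4:off + 4 + n], off + 4 + n
    hash_name = HASH_FOR_ALGORITHM.get(name.decode("ascii", "replace"))
    n = (params[1].bit_length() + 7) // 8
    if off != len(sig) or hash_name is None or len(blob) != 2 * n:
        return False  # truncated or trailing bytes, unknown name, or wrong blob size
    r, s = int.from_bytes(blob[:n], "big"), int.from_bytes(blob[n:], "big")
    return dsa_verify(params, y, message, hash_name, r, s)

def demo():
    rng = random.Random(186)  # seeded only so the demo is reproducible; real keys need a CSPRNG
    p, q, g = params = generate_params(rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    msg = b"constructed message for the demo"
    r, s = dsa_sign(params, x, msg, "sha256", rng)
    sig = encode_signature("ssh-dsa-sha256", r, s, q)
    return {
        "sha1_verifies": verify_ssh_signature(params, y, msg, encode_signature("ssh-dsa", *dsa_sign(params, x, msg, "sha1", rng), q)),
        "sha256_verifies": verify_ssh_signature(params, y, msg, sig),
        "blob_is_40_bytes": len(sig) == 4 + len("ssh-dsa-sha256") + 4 + 40,  # r, s < q: 40 bytes whatever the hash
        "mislabelled_rejected": not verify_ssh_signature(params, y, msg, encode_signature("ssh-dsa", r, s, q)),
        "unknown_name_rejected": not verify_ssh_signature(params, y, msg, encode_signature("ssh-dsa-sha512", r, s, q)),
    }
```

Calling demo() returns five booleans, all True: each hash verifies under its own name, the r||s blob is 40 bytes in either case, and the same (r, s) relabelled with a different name is rejected, which is exactly why a length-based guess at the hash is unsafe once more than one digest of a given size exists. The truncation in message_to_int is the FIPS 186-3 rule that a digest longer than N bits is cut to its leftmost N bits, which is what lets SHA-256 be used with a 160-bit q.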