IETF-SSH archive

Re: SSH non-compliance with FIPS 186



Damien Miller <djm%mindrot.org@localhost> writes:
>Should this include the hash algorithm too? You could figure it out from the
>lengths of r and s, but things could become ambiguous if a future DSA spec
>lists new hashes with 160 or 256 bit digest lengths.

Good point, the current DSA spec (FIPS 186-3 [0]) already lists hashes other
than SHA-1 so yes, there should be a provision for extra hashes (this also
provides an escape hatch if the ongoing gnawing at SHA-1 is finally
successful).  At the moment there's only SHA-1 and SHA-256 specified, so I'd
suggest:

  "ssh-dsa"        // Implies the traditional "with SHA-1"
  "ssh-dsa-sha256" // Self-explanatory

with possibly a note to implementors to expect "ssh-dsa-sha512" at some point
in the future, and then "ssh-dsa-ahs" in 2011 when the Advanced Hash Standard
appears.  SHA-512 is awkward to implement on non-64-bit processors so I
wouldn't make it mandatory, as indeed FIPS 186 doesn't.

(If people don't object to excessive tinkering, defining an equivalent for RSA
by slipping in a "ssh-rsa-sha256" might also be useful).

Peter.

[0] The NIST web pages are somewhat out of date in places, the current 186-3
    is listed as a draft with comments closing in June 2006, but the
    rumblings I've heard are that either you need to be 186-3 ready now or
    very shortly.
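As an added illustration (not code from this thread or from any SSH implementation): an SSH signature value is the algorithm name as an SSH "string" followed by the raw r || s blob (RFC 4253), so a verifier can select the hash from the name instead of guessing it from the length of r and s. The name-to-hash table uses the names proposed above and is an assumption; the last function shows why a length-only rule is ambiguous, since several hashlib digests already share a 32-byte output.

```python
import hashlib
import struct

# Assumed mapping from the proposed names to a hash; "ssh-dsa" implies SHA-1.
HASH_BY_NAME = {
    "ssh-dsa": hashlib.sha1,
    "ssh-dsa-sha256": hashlib.sha256,
}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_signature(name: str, r: int, s: int, q_bytes: int) -> bytes:
    """Signature value: string(name) || string(r || s), r and s each q_bytes wide."""
    blob = r.to_bytes(q_bytes, "big") + s.to_bytes(q_bytes, "big")
    return ssh_string(name.encode("ascii")) + ssh_string(blob)

def decode_signature(sig: bytes):
    """Return (name, r, s, hash_fn); the hash is taken from the name, not from len(r)."""
    (nlen,) = struct.unpack(">I", sig[:4])
    name = sig[4:4 + nlen].decode("ascii")
    (blen,) = struct.unpack(">I", sig[4 + nlen:8 + nlen])
    blob = sig[8 + nlen:8 + nlen + blen]
    # Reject trailing garbage and odd-length blobs that cannot split into r and s.
    if len(blob) % 2 or 8 + nlen + blen != len(sig):
        raise ValueError("malformed signature value")
    half = len(blob) // 2
    r = int.from_bytes(blob[:half], "big")
    s = int.from_bytes(blob[half:], "big")
    try:
        hash_fn = HASH_BY_NAME[name]
    except KeyError:
        raise ValueError(f"unknown signature algorithm name {name!r}") from None
    return name, r, s, hash_fn

def digests_with_length(q_bytes: int) -> list:
    """Names of common digests whose output is exactly q_bytes long.

    If this returns more than one name, the length of r and s alone cannot
    tell a verifier which hash was used; constructed set of candidates."""
    candidates = ("sha1", "sha256", "sha3_256", "sha512")
    return [n for n in candidates if hashlib.new(n).digest_size == q_bytes]
```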
