IETF-SSH archive


Re: SSH non-compliance with FIPS 186



nisse%lysator.liu.se@localhost (Niels Möller) writes:

>> At the moment there's only SHA-1 and SHA-256 specified, so I'd
>> suggest:
>>
>>   "ssh-dsa"        // Implies the traditional "with SHA-1"
>
>I'm not sure it makes much sense to introduce this alternative to the old
>"ssh-dss" now, even if we all agree the old way is ugly.

I can think of two reasons, firstly it's a general-purpose mechanism so the
only extra overhead in supporting "ssh-dsa-sha1" alongside "ssh-dsa-sha256" is
the addition of an extra string to a lookup table (that is, the same code that
does "ssh-dsa-sha256" also does "ssh-dsa-sha1"), and secondly because FIPS 186
doesn't say that the hash size has to match q exactly but merely that you use
the leftmost (sizeof-q) bits of the hash, so that you could use e.g. a 1536-bit
DSA key with SHA-1.  Another way of looking at this is that you need about
2800 bits of key to match 256 bits of security in your hash function, so you
may not want to default to SHA-256 for all keys over 1024 bits.

(Actually I'm not terribly fussed over this, it just seemed that since support
for "ssh-dsa-sha1" comes free with "ssh-dsa-sha256" there didn't seem to be a
strong reason not to do it).

>And if you really want to introduce it, why not use "ssh-dsa-sha1", to be
>explicit?

Sure, sounds good to me.

der Mouse <mouse%Rodents.Montreal.QC.CA@localhost> writes:

>> SHA-512 is awkward to implement on non-64-bit processors
>
>Hmm?  I didn't find it so.  It would have been awkward without an at-
>least-64-bit integer data type, but, given that, it doesn't much matter -
>well, not to awkwardness, at least - how much juggling the compiler has to do

Sorry, I meant "systems where the compiler can't fake 64-bit support".  There
are still quite a number of non-mainstream and embedded systems where the
largest supported data type is 32 bits, and trying to build this yourself
using toothpicks and rubber bands isn't much fun.  It also becomes quite a
maintenance hassle because you end up having to support two lots of code, one
of which mostly only gets built on weird platforms with limited debugging
support.

Peter.
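An added illustration of the FIPS 186 point made above, not part of the post or of any SSH implementation: the hash-to-integer step of DSA takes the leftmost min(N, outlen) bits of the digest, where N is the bit length of q, so one signing routine serves SHA-1 and SHA-256 alike and the algorithm name only selects the hash via a lookup table. The name table, the toy DSA group (p=23, q=11, g=4) and the private key are constructed for demonstration and are not secure parameters; "ssh-dsa-sha1" and "ssh-dsa-sha256" are the names discussed in the thread, not registered identifiers.

```python
"""FIPS 186-style DSA with the hash-to-z truncation rule, as a constructed example.

z = leftmost min(N, outlen) bits of Hash(M), with N = bit length of q.
When the digest is longer than q, it is truncated from the left; when it is
shorter, the whole digest is used.  The group below is a toy (p=23, q=11),
chosen so the arithmetic is visible, and is NOT usable for real signatures.
"""
import hashlib
import secrets

# Hypothetical algorithm-name lookup table, in the spirit of the thread:
# the name only selects the hash, the signing code is shared.
HASH_FOR_ALGORITHM = {
    "ssh-dss": hashlib.sha1,           # traditional name, implies SHA-1
    "ssh-dsa-sha1": hashlib.sha1,      # name proposed in the thread (assumption)
    "ssh-dsa-sha256": hashlib.sha256,  # name proposed in the thread (assumption)
}

# Constructed toy DSA group: q=11 divides p-1=22, and g=4 has order 11 mod 23.
TOY_P, TOY_Q, TOY_G = 23, 11, 4
TOY_X = 7                      # constructed private key, 0 < x < q
TOY_Y = pow(TOY_G, TOY_X, TOY_P)  # public key y = g^x mod p


def hash_to_z(digest: bytes, q: int) -> int:
    """Return z = leftmost min(N, outlen) bits of the digest (FIPS 186-4, 4.6)."""
    n_bits = q.bit_length()
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > n_bits:
        z >>= outlen - n_bits  # drop the rightmost bits, keep the leftmost N
    return z


def dsa_sign(p, q, g, x, message: bytes, algorithm: str):
    """Sign with the hash selected by `algorithm`; returns (r, s)."""
    digest = HASH_FOR_ALGORITHM[algorithm](message).digest()
    z = hash_to_z(digest, q)
    while True:
        k = secrets.randbelow(q - 1) + 1          # per-signature secret, 0 < k < q
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:                     # FIPS 186 requires a retry otherwise
            return r, s


def dsa_verify(p, q, g, y, message: bytes, algorithm: str, signature) -> bool:
    """Verify (r, s) over `message` using the same hash selection and truncation."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    digest = HASH_FOR_ALGORITHM[algorithm](message).digest()
    z = hash_to_z(digest, q)
    w = pow(s, -1, q)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def round_trip(algorithm: str, message: bytes = b"constructed test message") -> bool:
    """Sign and verify under one algorithm name with the toy group."""
    sig = dsa_sign(TOY_P, TOY_Q, TOY_G, TOY_X, message, algorithm)
    return dsa_verify(TOY_P, TOY_Q, TOY_G, TOY_Y, message, algorithm, sig)


if __name__ == "__main__":
    for name in HASH_FOR_ALGORITHM:
        print(name, "round trip:", round_trip(name))
    # Realistic truncation: a 256-bit digest against a 160-bit q keeps the top 160 bits.
    q160 = (1 << 159) | 1  # only the bit length matters for hash_to_z
    print("SHA-256 digest with 160-bit q ->", hash_to_z(bytes(range(32)), q160).bit_length(), "bits")
```

The same `dsa_sign`/`dsa_verify` pair handles every name in the table, which is the "one extra string in a lookup table" observation above; the truncation in `hash_to_z` is what lets a digest longer than q (SHA-256 with a 160-bit q) or shorter than q (SHA-1 with a larger q) feed the same signing arithmetic.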
