IETF-SSH archive


Re: SSH non-compliance with FIPS 186



nisse%lysator.liu.se@localhost (Niels Möller) writes:

>So I'd recommend to instead use rsa or dsa-256 with key size of at least 1536
>bits. Is this a reasonable interpretation of the current state of the art?

That's DSA2, which is on pretty unstable ground, AFAIK nothing of any
significance implements this (in fact only OpenPGP really mentions it, and
it's disabled by default in implementations of that because interoperability
is likely to be... limited).

>I'm about to implement this. Does anybody have a server that already
>implements it, and a spec for the details? Otherwise, here's what I'm
>considering implementing:

I could implement it fairly quickly.

>(I'd prefer to depart from this "signature_blob" thing and instead use
>separate mpints for r and s, but I think it's more important to stay
>consistent with the other signature algorithms.

I would be a lot happier with proper mpints, otherwise for each new hash
function (well, hash block size) you need to define a new signature-blob
format.  If you use mpints then they'll automatically adjust themselves to any
size of hash function.

>I have not been able to find any official or agreed upon test vectors for
>dsa-sha256. This is a serious problem for testing. If anybody on this list
>knows about official test vectors, or can provide some test signatures from
>some other implementation, I'd be grateful.

Yup, see above.  Despite the security concerns, I'd recommend, for
interop-testing purposes, using standard DSA with SHA1, otherwise you're going
to end up having to interop-test both DSA2 and the new signature format at the
same time.

Peter.
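
The encoding trade-off discussed above (fixed signature_blob versus separate mpints for r and s), as an added example that is not code from this thread: it puts the fixed 40-byte ssh-dss blob of RFC 4253 section 6.6 next to a hypothetical alternative that carries r and s as RFC 4251 mpints, so a 256-bit r and s from a SHA-256-sized q round-trip through the mpint form but cannot be expressed in the blob at all. The encode_mpint_sig/decode_mpint_sig layout is an assumption, not a published format, and the outer "ssh-dss" name string is omitted.

```python
import struct

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal two's-complement, MSB first, carried as a string."""
    if n == 0:
        return ssh_string(b"")
    if n < 0:
        raise ValueError("DSA r and s are never negative")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # high bit set: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return ssh_string(raw)

def read_string(buf: bytes, off: int):
    """Parse one RFC 4251 string at offset; return (payload, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def encode_dss_blob(r: int, s: int) -> bytes:
    """RFC 4253 ssh-dss: r and s as 160-bit unsigned ints, no lengths, no padding."""
    if r.bit_length() > 160 or s.bit_length() > 160:
        raise ValueError("r/s exceed 160 bits: the fixed blob only fits a SHA-1-sized q")
    return ssh_string(r.to_bytes(20, "big") + s.to_bytes(20, "big"))

def decode_dss_blob(blob: bytes) -> tuple:
    body, _ = read_string(blob, 0)
    if len(body) != 40:
        raise ValueError("ssh-dss signature_blob must be exactly 40 bytes")
    return int.from_bytes(body[:20], "big"), int.from_bytes(body[20:], "big")

def encode_mpint_sig(r: int, s: int) -> bytes:
    """Hypothetical self-describing layout: r then s, each as an mpint."""
    return ssh_mpint(r) + ssh_mpint(s)

def decode_mpint_sig(buf: bytes) -> tuple:
    r_raw, off = read_string(buf, 0)
    s_raw, off = read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing data after s")
    # signed=True honours the 0x00 pad byte; b"" decodes to 0 as RFC 4251 requires
    return (int.from_bytes(r_raw, "big", signed=True),
            int.from_bytes(s_raw, "big", signed=True))
```

The length check in encode_dss_blob is the point: a blob consumer has nowhere to learn the hash size, while the mpint form carries it in each length prefix.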


