Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm

To: denis bider <ietf-ssh3%denisbider.com@localhost>
Subject: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Thu, 29 Oct 2015 09:34:28 -0400

On Thu, 2015-10-29 at 00:25 +0000, denis bider wrote:
> I have whipped up a draft here:
> 
> http://www.denisbider.com/draft-dsa-sha2-256.txt

Not too bad.  A few comments, all minor:

- The use of SHA-256 is a departure from the original ssh-dss algorithm,
which
  specifies SHA-1.  Even though it's fairly obvious from the algorithm
name, I
  think that should be mentioned in the abstract and introduction.  It
might be
  appropriate to work it into the title, too, since that's all that
appears in
  the RFC index, but IMHO that's less important.

- The reference to FIPS-186-3 in the introduction seems superfluous.

- NIST SP 800-131A doesn't "suggest" or "consider" that 1024-bit DSA and
SHA-1
  are disallowed after 2013.  It disallows them for government use(*).
  I suggest an edit something like this...

OLD:
   The National Institute of Standards and Technology (NIST) Special
   Publication 800-131A [800-131A] suggests that DSA keys shorter than
   2048 bits, and with subgroup sizes under 224 bits, are considered
   to have an encryption strength of less than 112 bits, and are
   disallowed after 2013. DSA key sizes of 2048 bits or more, and with
   subgroup sizes of 224 bits or more, are considered acceptable.

NEW:
   National Institute of Standards and Technology (NIST) Special
   Publication 800-131A [800-131A] suggests that DSA keys shorter than
   2048 bits, and with subgroup sizes under 224 bits, are considered
   to have an encryption strength of less than 112 bits.  It disallows
   use of such keys for U.S. Government use after 2013. DSA key sizes
   of 2048 bits or more, and with subgroup sizes of 224 bits or more,
   are considered acceptable.

Similarly for the next paragraph.

> At this point, I'm most uncertain about whether we should allow the following option also:
> 
>    L = 2048, N = 224
> 
> Arguments for:
> 
> - No apparent interoperability reason to exclude it.
> - Perhaps there are DSA implementations that don't easily support
> setting subgroup size, and can only easily generate the N=224 option?
> Does anyone know of one?
> 
> Arguments against:
> 
> - Slightly weaker than N = 256
> 
> Any comments? Thoughts?

If you don't include it, then either implementors will support it
anyway, or users will be confused when their keys don't work.  I assume
that with N=224,
you'd want to actually use SHA-224.

For that matter, what about _larger_ key sizes?  What's to say that NIST
won't publish FIPS-186-5 with an (L=4096, N=512) option.  You'd want to
use SHA-512 with that, but wouldn't it be better not to constrain this
to the key sizes that are available today?

I'd suggest allowing arbitrary key sizes with L >= 2048 and N >= 224,
with the hash to be the largest of SHA-{224,256,384,512} that produces a
digest not larger than N bits.

-- Jeff

(*)  Or rather, it disallows use of all digital signature algorithms
with strength less than 112 bits.  While specific parameters are
mentioned for RSA and DSA, formally the strengths are defined in SP
800-57.  Hpwever, I think we can ignore the latter detail for our
purpose.

References:
- Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
  - From: denis bider

Prev by Date: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
Next by Date: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
Previous by Thread: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
Next by Thread: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
Indexes:

Home | Main Index | Thread Index | Old Index