IETF-SSH archive


RE: SSH key algorithm updates



> I'm strongly opposed to keeping DSA, for the reasons given earlier.

On the CFRG mailing list, there was one (!) good reason provided. That is DSA's susceptibility to PRNG mismanagement. This argument is completely countered by deterministic signatures, which have an RFC (RFC 6979), which includes test vectors directly applicable to the discussed dsa-sha2-256.

All the tools and specs are there to implement DSA securely.

Besides this, there has been no argument other than "it's no better than RSA". But it is better in this aspect: a 3072-bit DSA signature is 4x faster than 3072-bit RSA. This means potentially 4x as many connections that can be served by busy servers.

Of course, if you are looking for performance, today you would use ECDSA. But if there is a problem with elliptic crypto, DSA provides a backstop that's a 5x slowdown compared to 256-bit ECDSA, providing equivalent security. In comparison, 3072-bit RSA is a 20x slowdown, or a security downgrade.

I definitely think dsa-sha2-256 should be OPTIONAL, not RECOMMENDED. I think instead rsa-sha2-256 should be RECOMMENDED or REQUIRED, since it's the least objectionable of all algorithms. Every other algorithm has someone who hates it; RSA is just... kinda slow.


> Since neither the PGP nor the X.509 formats as used in SSH were
> ever defined, I'd just remove them.

I agree. I've never implemented the PGP ones, or seen them used. Someone who knows those algorithms should do a writeup - if there is someone.


----- Original Message -----
From: Peter Gutmann
Sent: Saturday, October 31, 2015 19:02
To: Jeffrey Hutzelman ; Mark D. Baushke
Cc: denis bider ; ietf-ssh%NetBSD.org@localhost ; nisse%lysator.liu.se@localhost ; stephen.farrell%cs.tcd.ie@localhost ; jon%siliconcircus.com@localhost
Subject: RE: SSH key algorithm updates

Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

>- Add dsa-sha2-256 as RECOMMENDED

I'm strongly opposed to keeping DSA, for the reasons given earlier.  It's dead
everywhere except SSH; it'd be nice to get rid of this one holdout as well.

>Perhaps Denis wants to add pgp-sign-dsa-sha2-256 and/or x509v3-dsa-sha2-256
>to his document.

Since neither the PGP nor the X.509 formats as used in SSH were ever defined,
I'd just remove them.  Short of reverse-engineering someone else's
implementation to see what they do, I can't see how you'd create an
interoperable implementation of either of these.

Peter.
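The RFC 6979 construction that the reply above relies on, as an added example that is not part of this thread or of any SSH implementation: the HMAC_DRBG-based derivation of k from the private key and the message hash (RFC 6979 section 3.2), dropped into a plain FIPS 186 DSA signer so that the signing path never calls a PRNG. The group TOY_P/TOY_Q/TOY_G and key TOY_X are a constructed, insecure toy, and the function names are my own.

```python
import hashlib
import hmac

def _int2octets(x, qlen):            # RFC 6979 2.3.3: big-endian, ceil(qlen/8) bytes
    return x.to_bytes((qlen + 7) // 8, "big")

def _bits2int(b, qlen):              # RFC 6979 2.3.2: leftmost qlen bits of b
    v = int.from_bytes(b, "big")
    return v >> (8 * len(b) - qlen) if 8 * len(b) > qlen else v

def rfc6979_k(q, x, msg, hashfunc=hashlib.sha256):
    """Yield RFC 6979 section 3.2 candidates for k; the first is normally used,
    later ones only if the signature came out with r == 0 or s == 0 (section 3.6)."""
    qlen, hlen = q.bit_length(), hashfunc().digest_size
    h1 = hashfunc(msg).digest()
    seed = _int2octets(x, qlen) + _int2octets(_bits2int(h1, qlen) % q, qlen)
    V, K = b"\x01" * hlen, b"\x00" * hlen                   # HMAC_DRBG instantiate
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    while True:
        T = b""
        while 8 * len(T) < qlen:                             # HMAC_DRBG generate
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            yield k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()      # update state, try again
        V = hmac.new(K, V, hashfunc).digest()

def dsa_sign(p, q, g, x, msg, hashfunc=hashlib.sha256):
    """FIPS 186 DSA signing with an RFC 6979 k: no RNG call in the signing path."""
    e = _bits2int(hashfunc(msg).digest(), q.bit_length())
    for k in rfc6979_k(q, x, msg, hashfunc):
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (e + x * r) % q
        if r and s:
            return r, s

def dsa_verify(p, q, g, y, msg, sig, hashfunc=hashlib.sha256):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    e = _bits2int(hashfunc(msg).digest(), q.bit_length())
    w = pow(s, -1, q)
    return pow(g, e * w % q, p) * pow(y, r * w % q, p) % p % q == r

TOY_P, TOY_Q, TOY_G, TOY_X = 23, 11, 4, 7   # constructed toy group and key: insecure, demo only
```

Signing the same message twice with the same key returns the identical signature, which is the property that removes the PRNG from the threat model; with the 163-bit group order and private key from the RFC's detailed example (Appendix A.1), `next(rfc6979_k(q, x, b"sample"))` returns the k that appendix derives.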


