IETF-SSH archive


New version of rsa-sha2-512 draft posted: no more DSA



I have posted a new version of the draft: see details below.

As per multiple requests (Hanno Boeck, Peter Gutmann, Damien Miller), I have removed DSA.

I have taken into account Damien's suggestion for rsa-sha2-512, and observed that there appears to be no reason to have rsa-sha2-256, if we have rsa-sha2-512. As far as I can tell, SHA-2 512 should be reasonably available everywhere that SHA-2 256 is available. It is slower on 32-bit platforms, but the performance impact of hashing is negligible compared to the signing operation. It produces a larger digest than SHA-2 256, but this digest easily fits into all reasonable RSA key sizes.

Therefore, this new version of the draft removes both rsa-sha2-256 and dsa-sha2-256, and replaces them with only rsa-sha2-512.

In addition, this version adds a mechanism which the server can use to notify the client of signature algorithms supported, so that the client does not have to guess with authentication requests. Clients will still need to implement guessing due to servers that might not support this, but if the server cares to send this info, this can speed up authentication by one or more round trips.

Unfortunately, since:

- SSH does not have a proper extension negotiation; and since

- clients of at least one ubiquitous implementation will disconnect if any new fields are added to SSH_MSG_SERVICE_REQUEST, SSH_MSG_SERVICE_ACCEPT, or SSH_MSG_USERAUTH_FAILURE;

there seems to be little choice but to send this information in a specially crafted SSH_MSG_IGNORE message. Let us congratulate ourselves on that success. ;)

Let's think things through better with the next protocol.


----- Original Message -----

A new version of I-D, draft-rsa-dsa-sha2-256-01.txt
has been successfully submitted by Denis Bider and posted to the
IETF repository.

Name: draft-rsa-dsa-sha2-256
Revision: 01
Title: Use of RSA Keys with SHA-2 512 in Secure Shell (SSH)
Document date: 2015-11-05
Group: Individual Submission
Pages: 6
URL: https://www.ietf.org/internet-drafts/draft-rsa-dsa-sha2-256-01.txt
Status: https://datatracker.ietf.org/doc/draft-rsa-dsa-sha2-256/
Htmlized: https://tools.ietf.org/html/draft-rsa-dsa-sha2-256-01
Diff: https://www.ietf.org/rfcdiff?url2=draft-rsa-dsa-sha2-256-01

Abstract:
  This memo defines an algorithm name, public key format, and signature
  format for use of RSA keys with SHA-2 512 for server and client
  authentication in SSH connections. A new mechanism is also defined
  for servers to inform clients of supported signature algorithms during
  client authentication.
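Added illustration, not part of the message above or of the draft itself: a standard-library Python sketch of the wire formats the memo defines, written in the form they took in the later-published RFC 8332 (the -01 text may differ in detail), together with the arithmetic behind the remark that a SHA-512 digest "easily fits into all reasonable RSA key sizes". Under EMSA-PKCS1-v1_5 the DigestInfo prefix plus the 64-byte digest and the minimum padding come to 94 bytes, so any modulus of 752 bits or more can carry it. The function names are mine; the session identifier and key values used in the test are constructed.

```python
"""rsa-sha2-512 encodings and the digest-size check discussed in the message.

Standard library only. Public key blob, signature blob and signed data follow
RFC 4251/4252 and RFC 8332; the PKCS#1 v1.5 encoding follows RFC 8017 sec. 9.2.
"""
import hashlib
import struct

# DER-encoded DigestInfo prefix for SHA-512 (RFC 8017, section 9.2, note 1).
SHA512_DIGESTINFO_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")
PS_MIN_LEN = 8              # EMSA-PKCS1-v1_5: at least eight 0xFF padding bytes
HEADER_LEN = 3              # the 0x00 0x01 ... 0x00 framing bytes
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement, leading 0x00 if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_key_blob(e: int, n: int) -> bytes:
    """Public key format: the unchanged 'ssh-rsa' blob (string name, mpint e, mpint n)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def min_modulus_bits_for_sha512() -> int:
    """Smallest RSA modulus (bits) into which a PKCS#1 v1.5 SHA-512 encoding fits."""
    t_len = len(SHA512_DIGESTINFO_PREFIX) + hashlib.sha512().digest_size
    return (t_len + PS_MIN_LEN + HEADER_LEN) * 8


def emsa_pkcs1_v15_sha512(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-512(message) for an em_len-byte modulus.

    Raises ValueError when the modulus is too small, mirroring the
    'intended encoded message length too short' error of RFC 8017.
    """
    t = SHA512_DIGESTINFO_PREFIX + hashlib.sha512(message).digest()
    if em_len < len(t) + PS_MIN_LEN + HEADER_LEN:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - HEADER_LEN)
    return b"\x00\x01" + ps + b"\x00" + t


def rsa_sha2_512_signature_blob(raw_sig: bytes) -> bytes:
    """Signature format: string 'rsa-sha2-512', string rsa_signature_blob."""
    return ssh_string(b"rsa-sha2-512") + ssh_string(raw_sig)


def parse_signature_blob(blob: bytes):
    """Split a signature blob into (algorithm name, raw signature), rejecting trailing bytes."""
    (name_len,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + name_len]
    (sig_len,) = struct.unpack(">I", blob[4 + name_len:8 + name_len])
    sig = blob[8 + name_len:8 + name_len + sig_len]
    if 8 + name_len + sig_len != len(blob):
        raise ValueError("trailing bytes in signature blob")
    return name, sig


def userauth_signed_data(session_id: bytes, user: str, service: str, pubkey_blob: bytes) -> bytes:
    """Data the client signs for 'publickey' authentication (RFC 4252, section 7).

    The session identifier binds the signature to this connection. With RFC 8332
    the algorithm name field carries 'rsa-sha2-512' while the key blob stays 'ssh-rsa'.
    """
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"publickey")
            + b"\x01"
            + ssh_string(b"rsa-sha2-512")
            + ssh_string(pubkey_blob))
```

The encoded message is what the signer raises to the private exponent; a verifier should rebuild it from the received data and compare the full block, rather than scanning for the digest, so that padding errors cannot be glossed over.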


