IETF-SSH archive


Re: New version of rsa-sha2-512 draft posted: no more DSA



Apologies for my ignorance about the embedded situation. That's interesting to know.

I was wondering how much SSH there is on embedded devices. I'm glad to hear you have that covered. :-)

I understand SHA-2 512 won't fit into P-256. It does fit into RSA, though, and I was figuring it would not be a problem for applications to support both hash types.

No problem if it's impractical, though. I appreciate the information!

I'll prepare new stuff hopefully tomorrow.


----- Original Message -----
From: Peter Gutmann
Sent: Friday, November 6, 2015 18:51
To: denis bider
Cc: ietf-ssh%netbsd.org@localhost
Subject: RE: New version of rsa-sha2-512 draft posted: no more DSA

denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>From my perspective, SHA-2 512 seems like the clear winner in the RSA
>situation, due to 64-bit CPUs being destined for ubiquity (already ubiquitous
>on desktops, a few years away on mobile),

... and decades away on embedded.  Most of my users are running SSH on
embedded platforms, for which the presence of 64-bit is close to zero, and no
plan to move to that.  I probably have more SSH running on 16-bit embedded
than 64-bit embedded.

>why not have a larger hash output at no additional cost (it's embedded in the
>signature, anyway).

Not if you're using P-256 rather than RSA.  Only SHA-256 will work with P-256
which (again from the Mozilla discussion) is the most widely-used parameter
set, with P-521 (needed for -512) being barely used:

  lots of products can (and, it seems, are planning to, or already are)
  omitting support for P-521.
    (Comment from https://mozillians.org/en-US/u/briansmith/)

(You can truncate -512 to make it work with P-256, but I wouldn't want to take
any bets on how well-supported that will be in practice).

>However, if there are platforms where availability is a problem, then okay,
>let's have both versions. I'll update the draft to re-add rsa-sha2-256, and
>make that recommended, and -512 optional.

Thanks!

Peter.
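Added example, not part of the original messages: a sketch of the size argument in the thread, assuming the PKCS#1 v1.5 signature encoding of RFC 8017 for RSA and the leftmost-bits truncation rule of FIPS 186-4 for ECDSA. The function names and the sample message are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGESTINFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v15(message: bytes, hash_name: str, modulus_bits: int) -> bytes:
    """Build the padded block that RSA signs: 00 01 FF..FF 00 || DigestInfo."""
    k = (modulus_bits + 7) // 8
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:  # RFC 8017 requires at least 8 bytes of FF padding
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def ecdsa_hash_to_int(digest: bytes, order_bits: int) -> int:
    """Keep only the leftmost order_bits bits of the digest (FIPS 186-4, 6.4)."""
    excess = len(digest) * 8 - order_bits
    e = int.from_bytes(digest, "big")
    return e >> excess if excess > 0 else e


def bits_discarded(hash_name: str, order_bits: int) -> int:
    """Number of digest bits that never reach the ECDSA computation."""
    return max(0, hashlib.new(hash_name).digest_size * 8 - order_bits)


if __name__ == "__main__":
    msg = b"constructed sample message"
    for h in ("sha256", "sha512"):
        # RSA: the whole digest sits inside the modulus-sized block.
        em = emsa_pkcs1_v15(msg, h, 2048)
        print(f"RSA-2048 + {h}: {len(em)}-byte block, full digest embedded")
        # ECDSA: the group order caps how much of the digest is used.
        for curve, n_bits in (("P-256", 256), ("P-521", 521)):
            print(f"  {curve} + {h}: {bits_discarded(h, n_bits)} bits discarded")
```
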


