IETF-SSH archive


RE: Experimental server for RSA SHA-2



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>I have set up a server where we can test support for RSA SHA-2.
>
>You can connect to it at:
>
>experiment.bitvise.com:10712

So I figured this would be the quickest RFC (draft) implementation ever, one
line of code:

  { "rsa-sha2-256", 12, CRYPT_ALGO_RSA, CRYPT_ALGO_RSA, CRYPT_ALGO_SHA2 },

However, this doesn't work, for several reasons... the biggest problem is that
the hash algorithm HASH is already specified in the keyex method, for
"diffie-hellman-group-exchange-sha1" it's SHA-1 and for
"diffie-hellman-group-exchange-sha256" it's SHA2-256.  So specifying
"rsa-sha2-256" for "diffie-hellman-group-exchange-sha1" doesn't make sense, and
specifying it for "diffie-hellman-group-exchange-sha256" is redundant.

Another problem is shown up by the argument about naming, that since this is a
standard SSH signature, the "ssh-" isn't needed.  Looking at the draft, this
isn't anything like any other SSH signature, it uses RSA-PSS not PKCS #1,
which no other SSH signature uses.  So it needs some indicator in the name
that it's a nonstandard signature type, not a standard SSH signature, e.g.
"ssh-rsa-pss" to contrast with the standard "ssh-rsa".  It also means that you
need to do an implementation of RSA-PSS just to support this signature type.

The result is that the draft is really "Use of RSA-PSS with SSH", not "Use of
RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH)", since they're already
in use with SHA-2 when "diffie-hellman-group-exchange-sha256" is used.

Peter.

