IETF-SSH archive


RE: Experimental server for RSA SHA-2



On Tue, 10 Nov 2015, Peter Gutmann wrote:

> So I figured this would be the quickest RFC (draft) implementation ever, one
> line of code:
> 
>   { "rsa-sha2-256", 12, CRYPT_ALGO_RSA, CRYPT_ALGO_RSA, CRYPT_ALGO_SHA2 },
> 
> However, this doesn't work, for several reasons... the biggest problem
> is that the hash algorithm HASH is already specified in the keyex
> method, for "diffie-hellman-group-exchange-sha1" it's SHA-1 and for
> "diffie-hellman-group-exchange-sha256" it's SHA2-256. So specifying
> "rsa-sha2-256" for "diffie-hellman-group-exchange-sha1" doesn't make
> sense, and specifying it for "diffie-hellman-group-exchange-sha256" is
> redundant.

I don't think this is right: the hash used in the signature algorithm has
always been independent of the key exchange hash. Moreover, the key
exchange hash is only tangentially involved for publickey authentication.

> Another problem is shown up by the argument about naming, that since
> this is a standard SSH signature, the "ssh-" isn't needed. Looking
> at the draft, this isn't anything like any other SSH signature, it
> uses RSA-PSS not PKCS #1, which no other SSH signature uses. So it
> needs some indicator in the name that it's a nonstandard signature
> type, not a standard SSH signature, e.g. "ssh-rsa-pss" to contrast
> with the standard "ssh-rsa". It also means that you need to do an
> implementation of RSA-PSS just to support this signature type.
>
> The result is that the draft is really "Use of RSA-PSS with
> SSH", not "Use of RSA Keys with SHA-2 256 and 512 in Secure
> Shell (SSH)", since they're already in use with SHA-2 when
> "diffie-hellman-group-exchange-sha256" is used.

IMO it's both. I don't really care for bikeshedding names, but if
I were picking it, then it would be "rsa-pss-sha256".

-d
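The independence Damien describes, as an added worked example for this archive page (it is not part of the original message and is not code from cryptlib, OpenSSH or the draft): a toy signer/verifier for the SSH "publickey" USERAUTH_REQUEST. The session identifier is whatever the kex method's hash produced, but it enters the signed data only as opaque bytes (RFC 4252 section 7); the digest the signature actually uses is looked up from the signature algorithm name carried in the signature blob (RFC 4253 section 6.6). The toy uses EMSA-PKCS1-v1_5 padding as ssh-rsa does, which is also what the published RFC 8332 kept for rsa-sha2-256/512; the draft discussed in this thread used RSA-PSS instead, so it is not reproduced here. The RSA key is a deterministic throwaway generated in the block, the user name, service name and "constructed kex transcript" are constructed inputs, and `demo` is a name chosen for this example.

```python
"""Added example, not code from the thread, cryptlib, OpenSSH or the draft:
a toy SSH publickey-auth signer/verifier showing that the hash is a property
of the signature algorithm name, independent of the kex hash. Textbook RSA
with a throwaway deterministic key; illustration only."""
import hashlib
import hmac
import random
import struct

# --- SSH wire encoding (RFC 4251 section 5) -------------------------------
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # Positive integers only; the extra byte keeps the sign bit clear.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int = 0):
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + ln], off + 4 + ln

# Hash chosen by the signature algorithm name (ssh-rsa: RFC 4253,
# rsa-sha2-*: RFC 8332) ...
SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}
# ... versus the hash of the kex method (RFC 4419). The tables are unrelated.
KEX_HASH = {
    "diffie-hellman-group-exchange-sha1": "sha1",
    "diffie-hellman-group-exchange-sha256": "sha256",
}
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017 section 9.2, note 1).
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
SSH_MSG_USERAUTH_REQUEST = 50

def userauth_signed_data(session_id, user, service, sig_alg, pubkey_blob):
    # The fields RFC 4252 section 7 says the client signs. The session
    # identifier (the kex exchange hash H) enters only as opaque bytes.
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(service) + ssh_string(b"publickey")
            + b"\x01" + ssh_string(sig_alg.encode()) + ssh_string(pubkey_blob))

def emsa_pkcs1_v1_5(hash_name: str, data: bytes, k: int) -> bytes:
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ssh_rsa_sign(sig_alg: str, priv, data: bytes) -> bytes:
    # Signature blob per RFC 4253 section 6.6: string name || string s.
    d, n = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5(SIG_HASH[sig_alg], data, k), "big")
    return ssh_string(sig_alg.encode()) + ssh_string(pow(m, d, n).to_bytes(k, "big"))

def ssh_rsa_verify(pub, data: bytes, sig_blob: bytes) -> bool:
    e, n = pub
    k = (n.bit_length() + 7) // 8
    name, off = read_string(sig_blob)
    s, _ = read_string(sig_blob, off)
    sig_alg = name.decode(errors="replace")   # the blob names the hash
    if sig_alg not in SIG_HASH or len(s) != k:
        return False
    em = pow(int.from_bytes(s, "big"), e, n).to_bytes(k, "big")
    # Re-encode and compare the whole EM rather than parsing the padding.
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(SIG_HASH[sig_alg], data, k))

# --- throwaway textbook RSA key (illustration only) -----------------------
def _probable_prime(n: int, rng, rounds: int = 20) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits: int = 1024, seed: int = 2015):
    rng = random.Random(seed)   # deterministic on purpose; never for real keys
    e = 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (c - 1) % e and _probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

PUB, PRIV = toy_rsa_keypair()

def demo(kex_method: str, sig_alg: str):
    """Sign one publickey USERAUTH_REQUEST; returns (kex hash, sig hash, verified)."""
    # Constructed stand-in for the exchange hash H of a finished kex.
    session_id = hashlib.new(KEX_HASH[kex_method], b"constructed kex transcript").digest()
    pubkey_blob = ssh_string(b"ssh-rsa") + ssh_mpint(PUB[0]) + ssh_mpint(PUB[1])
    data = userauth_signed_data(session_id, b"alice", b"ssh-connection", sig_alg, pubkey_blob)
    sig = ssh_rsa_sign(sig_alg, PRIV, data)
    return KEX_HASH[kex_method], SIG_HASH[sig_alg], ssh_rsa_verify(PUB, data, sig)

if __name__ == "__main__":
    print(demo("diffie-hellman-group-exchange-sha1", "rsa-sha2-256"))
```

Running `demo` with a SHA-1 kex method and "rsa-sha2-256" gives a signature over a SHA-1-sized session identifier that is nonetheless verified with SHA-256, and the reverse pairing works just as well; the verifier never consults the kex method at all. The same code also shows why the name matters: relabelling an "rsa-sha2-256" blob as "ssh-rsa" makes verification fail, because the receiver rebuilds the PKCS #1 encoding from the name in the blob.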


