IETF-SSH archive
RE: Experimental server for RSA SHA-2
Damien Miller <djm%mindrot.org@localhost> writes:
>The signature methods *also* have implicit (or explicit in the ecdsa cases)
>input hashes.
Ah, OK, I missed this bit:
Most signature algorithms include hashing and additional padding (e.g.,
"ssh-dss" specifies SHA-1 hashing). In that case, the data is first hashed
with HASH to compute H, and H is then hashed with SHA-1 as part of the
signing operation.
So the new IDs just signal a switch of the hash from SHA-1 to SHA-256.
>Please no; I was counting the absence of ASN.1 formatting in the proposed
>signature scheme as a significant improvement.
What the formatting is isn't a big deal since it's already present in the
code. Every version of SSH over the last 20 years has used PKCS #1. The only
change for SHA-256 support is to add an OID to a table somewhere. If you're
using a general crypto library, chances are it'll already support this out of
the box.
OTOH for RSA-PSS sigs you need to implement, debug, and test a completely new
signature scheme that's incompatible with pretty much everything else (PGP,
TLS, etc.) out there.
Peter.