IETF-SSH archive


Re: Experimental server for RSA SHA-2



----- Original Message -----
From: "Peter Gutmann" <pgut001%cs.auckland.ac.nz@localhost>
Sent: Tuesday, November 10, 2015 8:53 AM

Damien Miller <djm%mindrot.org@localhost> writes:

>I don't think this is right: the hash used in the signature algorithm has
>always been independent of the key exchange hash.

Is it?  I hope I'm not reading this wrong, but the exchange hash H is what's
signed, and that's what's calculated using the hash algorithm HASH, which is
specified by e.g. "diffie-hellman-group-exchange-sha256".  So
"server_host_key_algorithms" can say RSA or DSA or ECDSA, but not the hash,
since that's implicit from "kex_algorithms".

>I don't really care for bikeshedding names, but if I were picking it, then it
>would be "rsa-pss-sha256".

It definitely needs to indicate quite clearly that it uses a signature form
that's not compatible with anything else that SSH has ever used.  I'd vote for
"crunchy-raw-unboned-real-dead-frog-rsa-pss".

<tp>
Sounds appropriate:-)

My experience is that encoding semantics into identifiers generates long
term problems.  An identifier should be easy to use, easy to read and
write, hard to confuse with other identifiers in the name space.  Using
it to identify e.g. which version of which model of kitchen sink is used
leads to overlong and easy to get wrong identifiers which then engenders
mistakes.

Since in this case, we are naming a replacement for
ssh-rsa
it would seem sound to use
ssh-rsa-(something short and snappy to show it is an update)
e.g.
ssh-rsa-sha256

Yes, I know about
x509v3-ssh-dss
x509v3-ssh-rsa

Not sound, IMHO;
ssh-dss-x509v3
ssh-rsa-x509v3
would have been better or even
ssh-dss-x509
ssh-rsa-x509

Relevant for me, but perhaps heresy to mention here, is the fact the TLS
Cipher Suite names make extensive use of SHA256 and SHA384 as an element
thereof.

Tom Petch


Could I also suggest that the draft include a facility to use standard PKCS #1
sigs?  I really don't want to have to implement a nonstandard (meaning not
used by any other part of SSH, or any other protocol like PGP, S/MIME, TLS,
etc) signature format just to be able to use SHA-256 in a sig.

Peter.
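The two hash choices being argued about above, made concrete in an added example (this is not code from the thread, from OpenSSH, or from the draft under discussion). In SSH the kex method selects HASH, which is used to compute the exchange hash H (RFC 4253 section 8); the host-key signature algorithm then applies its own hash to H inside the EMSA-PKCS1-v1_5 encoding of RFC 8017 section 9.2, which is the standard PKCS #1 form Peter asks for. "ssh-rsa" is defined in RFC 4253 section 6.6 as PKCS#1 v1.5 with SHA-1; the identifier "ssh-rsa-sha256" below is only the placeholder name floated in this thread (the name later standardised for SHA-256 in RFC 8332 is "rsa-sha2-256"). The RSA key generation is a demo-only routine, and all kex values are constructed sample data, not a captured exchange. The verifier compares the whole recovered encoded message rather than just its trailing digest, the check that avoids the classic lenient-PKCS#1-parsing mistake.

```python
import hashlib
import hmac
import random
import struct

# --- SSH wire encodings, RFC 4251 section 5 ---
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """Non-negative mpint: minimal big-endian bytes, 0x00 prepended if the MSB is set."""
    if n == 0:
        return ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)

# Hash 1: selected by the kex method, used to compute H (RFC 4253, RFC 8268).
KEX_HASH = {"diffie-hellman-group14-sha1": "sha1",
            "diffie-hellman-group14-sha256": "sha256"}

# Hash 2: selected by the signature algorithm, applied to H inside PKCS#1 v1.5.
# "ssh-rsa" is RFC 4253 section 6.6; "ssh-rsa-sha256" is the placeholder name
# proposed in this thread (hypothetical identifier, not a registered one).
SIG_HASH = {"ssh-rsa": "sha1", "ssh-rsa-sha256": "sha256"}

# DER DigestInfo prefixes, RFC 8017 section 9.2 note 1.
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

def exchange_hash(kex_alg, V_C, V_S, I_C, I_S, K_S, e, f, K):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8."""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(K))
    return hashlib.new(KEX_HASH[kex_alg], data).digest()

def emsa_pkcs1_v1_5(sig_alg, H, em_len):
    """EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo || hash(H), RFC 8017 section 9.2."""
    h = SIG_HASH[sig_alg]
    t = DIGEST_INFO[h] + hashlib.new(h, H).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def _probable_prime(n, rounds=32):
    """Miller-Rabin, demo key generation only; real code uses a vetted library."""
    if n < 5 or any(n % p == 0 for p in (3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_rsa_keypair(bits=1024, e=65537):
    """Returns ((n, e), (n, d)); textbook key generation for the demo only."""
    half = bits // 2
    while True:
        p = random.getrandbits(half) | (1 << (half - 1)) | 1
        q = random.getrandbits(half) | (1 << (half - 1)) | 1
        if (p != q and _probable_prime(p) and _probable_prime(q)
                and (p - 1) % e and (q - 1) % e and (p * q).bit_length() == bits):
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def ssh_sign(sig_alg, priv, H):
    """Signature blob: string sig_alg || string s (RFC 4253 section 6.6 layout)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v1_5(sig_alg, H, k)
    s = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    return ssh_string(sig_alg.encode()) + ssh_string(s)

def parse_sig_blob(blob):
    alg_len = struct.unpack(">I", blob[:4])[0]
    alg = blob[4:4 + alg_len].decode()
    sig_len = struct.unpack(">I", blob[4 + alg_len:8 + alg_len])[0]
    return alg, blob[8 + alg_len:8 + alg_len + sig_len]

def ssh_verify(pub, H, blob):
    """The algorithm name in the blob decides which hash of H the verifier expects."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    alg, s = parse_sig_blob(blob)
    if alg not in SIG_HASH or len(s) != k:
        return False
    em = pow(int.from_bytes(s, "big"), e, n).to_bytes(k, "big")
    # Compare the entire encoded message, never just the trailing digest.
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(alg, H, k))

def demo(bits=1024):
    """One H (computed with the SHA-1 kex) signed under both algorithms."""
    pub, priv = demo_rsa_keypair(bits)
    K_S = ssh_string(b"ssh-rsa") + ssh_mpint(pub[1]) + ssh_mpint(pub[0])
    H = exchange_hash("diffie-hellman-group14-sha1", b"SSH-2.0-client", b"SSH-2.0-server",
                      b"KEXINIT-C", b"KEXINIT-S", K_S, 12345, 67890, 0xC0FFEE)  # constructed
    blobs = {alg: ssh_sign(alg, priv, H) for alg in SIG_HASH}
    out = {alg: ssh_verify(pub, H, b) for alg, b in blobs.items()}
    b = blobs["ssh-rsa"]
    out["tampered"] = ssh_verify(pub, H, b[:-1] + bytes([b[-1] ^ 1]))
    # Same RSA value, relabelled: the identifier is part of what is verified.
    out["relabelled"] = ssh_verify(pub, H, ssh_string(b"ssh-rsa-sha256") + ssh_string(parse_sig_blob(b)[1]))
    return out

if __name__ == "__main__":
    print(demo())
```

`demo()` signs a single H, produced by a SHA-1 kex, under both "ssh-rsa" (SHA-1 DigestInfo) and the placeholder SHA-256 identifier, and both verify: nothing in the signature step depends on which HASH built H. Relabelling the "ssh-rsa" signature as the SHA-256 variant fails because the DigestInfo inside the recovered encoded message no longer matches, which is why the name on the wire has to be bound to a fixed hash.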




