IETF-SSH archive


RE: rsa-sha2-256/512: handling of incorrect signature encoding



denis bider (Bitvise) <ietf-ssh3%denisbider.com@localhost> writes:

>The invariants our implementation currently expects are:
>- name 1, in the USERAUTH request, can be any of the RSA signature algorithm names
>- name 2, in the public key blob, must be "ssh-rsa"
>- name 3, in the signature blob, must match name 1

My code writes "ssh-rsa" for all three, and accepts whatever it finds (along
with a sarcastic comment about why you need to specify the same thing three
times in a row in case the server has gone deaf or something :-).  For the
first one:

/* Skip the first of the three copies of the algorithm name (see the comment
   in ssh2_cli.c for more on this).  We don't do anything with it because
   we're about to get two more copies of the same thing, and the key and
   signature information take precedence over anything that we find here */

Then for the second one it looks for ssh-rsa (or ssh-dss, or whatever, since
it's needed to decode the key), and finally it again ignores the last one
because it already knows what it should be.

Why is there a need for "rsa-sha2-256" and other complications when "ssh-rsa"
is perfectly OK for everything else?

>My questions are:
>[...]

I would use (C) ignore everything except the key blob name.  This situation is
confusing enough that you're going to get implementations screwing things up
in all sorts of ways, meaning you'll find who knows what in those ID strings.
Apart from having to know what format the key is in the rest is irrelevant,
you know the key is RSA, you've been hashing with SHA-1 or SHA-256 or
whatever, it doesn't matter what the ID strings say.

>Regardless of what we think is best - should we put a paragraph about this in
>the rsa-sha2 draft?

I would change the rsa-sha2 draft to say that the same ID string should be
used throughout, i.e. "ssh-rsa" for RSA sigs and keys.

Peter.
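
Added example, not part of the original message and not code from either implementation discussed: a parser that pulls the three algorithm names out of a signed "publickey" SSH_MSG_USERAUTH_REQUEST (field layout per RFC 4252 section 7) and reports which of the three quoted invariants a request violates. The function names, the user name "alice" and the dummy key and signature bytes are constructed for illustration; no signature is verified.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50
RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, off: int):
    """Read one SSH string at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n

def algorithm_names(msg: bytes):
    """Return (name 1, name 2, name 3) from a signed publickey request."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    _user, off = get_string(msg, 1)
    _service, off = get_string(msg, off)
    method, off = get_string(msg, off)
    if method != b"publickey" or msg[off:off + 1] != b"\x01":
        raise ValueError("not a publickey request carrying a signature")
    name1, off = get_string(msg, off + 1)      # name in the request itself
    key_blob, off = get_string(msg, off)
    sig_blob, off = get_string(msg, off)
    name2, _ = get_string(key_blob, 0)         # name inside the public key blob
    name3, _ = get_string(sig_blob, 0)         # name inside the signature blob
    return tuple(n.decode("ascii") for n in (name1, name2, name3))

def check_invariants(msg: bytes):
    """List which of the three quoted invariants the request violates."""
    n1, n2, n3 = algorithm_names(msg)
    checks = [(n1 in RSA_SIG_ALGS, f"name 1 {n1!r} is not an RSA signature algorithm"),
              (n2 == "ssh-rsa", f"name 2 {n2!r} in key blob is not 'ssh-rsa'"),
              (n3 == n1, f"name 3 {n3!r} does not match name 1 {n1!r}")]
    return [text for ok, text in checks if not ok]

def build_request(n1: str, n2: str, n3: str) -> bytes:
    """Constructed sample request; key and signature bytes are dummies."""
    key = put_string(n2.encode()) + put_string(b"\x01\x00\x01") + put_string(b"\x00" + b"\xab" * 32)
    sig = put_string(n3.encode()) + put_string(b"\xcd" * 32)
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(b"alice")
            + put_string(b"ssh-connection") + put_string(b"publickey") + b"\x01"
            + put_string(n1.encode()) + put_string(key) + put_string(sig))
```

A request that writes "ssh-rsa" in all three places passes these checks; one that puts "rsa-sha2-256" in the request but "ssh-rsa" in the signature blob is reported as a name 3 mismatch.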

