Eugene Bright
2015-Feb-25 12:12 UTC
Does ssh-keygen really allow 521 bit ECDSA key generation?
Hello!

I found a strange sentence in the ssh-keygen man page. There may be a misprint.

    -b bits
        Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored.

Regards,
Eugene Bright.
Christian Hesse
2015-Feb-25 12:56 UTC
Does ssh-keygen really allow 521 bit ECDSA key generation?
Eugene Bright <hexumg at gmail.com> on Wed, 2015/02/25 16:12:
> Hello!
>
> I found a strange sentence in the ssh-keygen man page. There may be a misprint.

You are referring to the fact that 521 is not a power of 2? Looks like this is valid nevertheless.

    % ssh-keygen -t ecdsa -b 512
    Invalid ECDSA key length - valid lengths are 256, 384 or 521 bits
    % ssh-keygen -t ecdsa -b 521
    Generating public/private ecdsa key pair.
    [...]

Wikipedia adds a note about this as well:
http://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-25

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
James Cloos
2015-Feb-25 13:49 UTC
Does ssh-keygen really allow 521 bit ECDSA key generation?
>>>>> "EB" == Eugene Bright <hexumg at gmail.com> writes:

EB> I found a strange sentence in the ssh-keygen man page. There may be a misprint.

No, that is correct. They couldn't find a good prime slightly under 512 bits, so chose the Mersenne prime 2^521 - 1.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
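The two points made in this thread, that ssh-keygen accepts exactly 256, 384 and 521 for ECDSA and that 521 comes from the P-521 field prime being the Mersenne prime 2^521 - 1, can be checked offline. The following is an added example, not code from the thread or from OpenSSH: it mirrors ssh-keygen's -b validation for ECDSA (the key-type names are the real SSH algorithm identifiers; the validation function itself is a stand-in, not OpenSSH's), lists the field primes of the three NIST curves, and runs a Lucas-Lehmer test to confirm that 2^521 - 1 is prime while a nearby candidate such as 2^509 - 1 is not.

```python
# Added example (not from the thread or from OpenSSH): why ssh-keygen's
# ECDSA sizes are 256/384/521, and why 521 is not a typo.  Pure Python.

# Field primes of the three NIST curves OpenSSH supports for ECDSA.
# P-521's prime is the Mersenne prime 2^521 - 1, as noted in the thread.
NIST_FIELD_PRIMES = {
    256: 2**256 - 2**224 + 2**192 + 2**96 - 1,   # P-256
    384: 2**384 - 2**128 - 2**96 + 2**32 - 1,     # P-384
    521: 2**521 - 1,                              # P-521
}

# SSH key-type identifiers for the three curves.
SSH_ECDSA_KEY_TYPES = {
    256: "ecdsa-sha2-nistp256",
    384: "ecdsa-sha2-nistp384",
    521: "ecdsa-sha2-nistp521",
}


def ecdsa_key_type_for_bits(bits: int) -> str:
    """Stand-in for ssh-keygen's -b handling for ECDSA: only 256, 384 and
    521 are accepted; anything else (512 included) is rejected with the
    message shown in the shell transcript above."""
    try:
        return SSH_ECDSA_KEY_TYPES[bits]
    except KeyError:
        raise ValueError(
            "Invalid ECDSA key length - valid lengths are 256, 384 or 521 bits"
        ) from None


def field_prime_bits(bits: int) -> int:
    """Bit length of the curve's field prime.  This is the 'key size'
    ssh-keygen reports, which is why the third option is 521, not 512."""
    return NIST_FIELD_PRIMES[bits].bit_length()


def is_mersenne_prime(p: int) -> bool:
    """Lucas-Lehmer test: for odd p >= 3, 2^p - 1 is prime iff the residue
    s_{p-2} is zero, where s_0 = 4 and s_{i+1} = s_i^2 - 2 (mod 2^p - 1)."""
    if p == 2:
        return True
    if p < 2 or p % 2 == 0:
        return False
    m = 2**p - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m
    return s == 0


if __name__ == "__main__":
    for b in (256, 384, 512, 521):
        try:
            print(f"-b {b}: {ecdsa_key_type_for_bits(b)}")
        except ValueError as err:
            print(f"-b {b}: {err}")
    for b in NIST_FIELD_PRIMES:
        print(f"P-{b} field prime has {field_prime_bits(b)} bits")
    print("2^521 - 1 prime:", is_mersenne_prime(521))
    print("2^509 - 1 prime:", is_mersenne_prime(509))
```

The Lucas-Lehmer loop does p - 2 modular squarings of a 521-bit number, so it finishes instantly; for the two smaller curves there is no comparable shortcut, since their field primes are not of Mersenne form, which is exactly why only P-521 ends up with an odd-looking size.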