I have noticed that OpenSSH clients (at least version 5.1p1) occasionally send an RSA signature during the handshake phase such that if the RSA key pair used to generate it happens to be associated to an N-byte long modulus, the signature is N - 1 bytes long. My question is, Is this behavior correct? I mean, an RSA signature is an unstructured byte string, and therefore any leading zeros should be considered part of the signature, and a signature created with an RSA key pair such that its associated modulus is N bytes long ought to be N bytes long as well.
Damien Miller
2010-Aug-25 08:17 UTC
The length of an RSA signature sent during the handshake
On Tue, 24 Aug 2010, JCA wrote:> I have noticed that OpenSSH clients (at least version 5.1p1) > occasionally send an RSA signature during the handshake phase such > that if the RSA key pair used to generate it happens to be associated > to an N-byte long modulus, the signature is N - 1 bytes long. My > question is, Is this behavior correct? I mean, an RSA signature is an > unstructured byte string, and therefore any leading zeros should be > considered part of the signature, and a signature created with an RSA > key pair such that its associated modulus is N bytes long ought to be > N bytes long as well.How are you measuring length? The size of the signature blob is always the same length as rsa->n (search for "memmove" in ssh-rsa.c), but if you are decoding the blob to a bignum then its length will occasionally be shorter. If you consider RSA signing to function as a random mapping into integers of log2(n)/8 bytes, then the first byte will be zero with probability roughly equal to 1/256. -d