Dear OpenSSH Developers,
I am wondering as to why there is a 1024 bit limitation in the `ssh-keygen` tool
up until the current CVS version. There seem to be far higher bit rates when it
comes to ECDSA. This effectively limits e.g. DSA host key generation on all BSD
and Linux systems as of today.
ssh-keygen.c (CVS) - starting with line 181:
```
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && *bitsp < 768)
fatal("Key must at least be 768 bits");
else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
fatal("Invalid ECDSA key length - valid lengths are "
"256, 384 or 521 bits”);
```
Now the current NIST/FIPS recommendation for 2010 and onwards suggests using
2048bit+ keys:
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf - 4.2 Selection of
Parameter Sizes and Hash Functions for DSA
I might be missing something so I am curious if there was a specific reason to
disable generation of 1024+bit keys or if that was just forgotten during
development?
Thanks for your time,
Aaron
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Tue, Nov 05, 2013 at 11:57:04AM +0100, Aaron Zauner wrote:> I am wondering as to why there is a 1024 bit limitation in the > `ssh-keygen` tool up until the current CVS version.[...] It''s deliberate. RFC4253 requires the use of SHA1 for DSA keys and FIPS-186-3 requires the use of a longer hash than SHA1 for keys larger than 1024 bits. The only way to comply with both is to allow only keys that are 1024 bits. See https://bugzilla.mindrot.org/show_bug.cgi?id=1647 for further info. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.