openssh unix dev - Sep 2013 - [Bug 1647] Implement FIPS 186-3 for DSA keys

https://bugzilla.mindrot.org/show_bug.cgi?id=1647

mackyle at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mackyle at gmail.com

--- Comment #2 from mackyle at gmail.com ---
RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data
integrity algorithm as a new recommended algorithm.

FIPS 186-4 [2] (2013-07) section 4.2 includes the same DSA parameters
as FIPS 186-3:

L = 1024, N = 160 
L = 2048, N = 224 
L = 2048, N = 256 
L = 3072, N = 256

And it would seem that the L=2048,N=256 L=3072,N=256 selections are now
possible while remaining standards compliant.

It appears that OpenSSH has added support for SHA-256 and SHA-512 in
version 5.9p1 (2011-09).

[1] http://tools.ietf.org/html/rfc6668
[2] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

<bugzilla-daemon at mindrot.org> writes:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1647
> 
> mackyle at gmail.com changed:
> 
>            What    |Removed                     |Added
>
----------------------------------------------------------------------------
>                  CC|                            |mackyle at gmail.com
> 
> --- Comment #2 from mackyle at gmail.com ---
> RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data
> integrity algorithm as a new recommended algorithm.
> 
> FIPS 186-4 [2] (2013-07) section 4.2 includes the same DSA parameters
> as FIPS 186-3:
> 
> L = 1024, N = 160 
> L = 2048, N = 224 
> L = 2048, N = 256 
> L = 3072, N = 256
> 
> And it would seem that the L=2048,N=256 L=3072,N=256 selections are now
> possible while remaining standards compliant.
SHA-1 is not allowed in digital signatures per NIST SP 800-131A after
December 31, 2013.

The problem is in the way that ssh-dss is specified in RFC 4253 to use a
SHA-1 hash in the dss_signature_blob. The same problems exist for
x509v3-ssh-dss which also specifies the use of SHA-1. 

In order to use a DSA-2048 or DSA-3072 with SHA-256 or SHA-512, one
would likely need to move to the pgp-sign-dss public key algorithm of
RFC2440 as obsoleted by RFC 4880 section 13.6 which allows for

 L=1024, N=160 [not useful given NIST SP 800-131A]
 L=2048, N=224 with SHA-224, SHA-256, SHA-384, or SHA-512 hash
 L=2048, N=256 with SHA-256, SHA-384, or SHA-512 hash
 L=3072, N=256 with SHA-256, SHA-384, or SHA-512 hash

I am not aware of any pgp-sign-dss implementations that implement the
RFC 4880 updated types, but you could use it if you wished.

Other alternatives would mean writing another RFC to deal with a new
public key algorithm name or set of names to handle the key sizes and
hash algorithms you want to allow.
> 
> It appears that OpenSSH has added support for SHA-256 and SHA-512 in
> version 5.9p1 (2011-09).
RFC 6668 is good if you want to use something like the Cipher aes128-cbc
with hmac-sha2-256 or hmac-sha2-512 as the MAC instead of implementing
AEAD_AES_128_GCM or AEAD_AES_256_GCM.

The way that RFC 5647 is written makes it hard to do the right thing
when the Cipher and Macs are negotiated separately as both have to agree
and having one of the AEAD_* ciphers with some other MAC just makes no
sense, but has no provision for forcing the two to be sane during
negotiations.

The OpenSSH community implemented aes128-gcm at openssh.com and
aes256-gcm at openssh.com with specified semantics during negotiation to
ensure that a non-toxic selection is made and otherwise uses the RFC
5647 wire protocol for the traffic.
> 
> [1] http://tools.ietf.org/html/rfc6668
> [2] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
> 
> -- 
> You are receiving this mail because:
> You are watching the assignee of the bug.
> You are watching someone on the CC list of the bug.
> _______________________________________________
> openssh-bugs mailing list
> openssh-bugs at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-bugs

On Tue, 10 Sep 2013, Mark D. Baushke wrote:
> Other alternatives would mean writing another RFC to deal with a new
> public key algorithm name or set of names to handle the key sizes and
> hash algorithms you want to allow.
Or just abandoning DSA for ECDSA. It has the advantages of already being
implemented, being faster and offering a better security level (assuming
NIST/NSA haven't some exquisite backdoor in the curves).

-d

https://bugzilla.mindrot.org/show_bug.cgi?id=1647

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to mackyle from comment #2)
> RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data
> integrity algorithm as a new recommended algorithm.
> 
> FIPS 186-4 [2] (2013-07) section 4.2 includes the same DSA
> parameters as FIPS 186-3:
> 
> L = 1024, N = 160 
> L = 2048, N = 224 
> L = 2048, N = 256 
> L = 3072, N = 256
> 
> And it would seem that the L=2048,N=256 L=3072,N=256 selections are
> now possible while remaining standards compliant.
RFC 6668 adds a new HMAC (ie integrity) algorithm (RFC 4253 section
6.4) not a public key (ie authentication) algorithm (RFC 4253 section
6.6).

OpenSSH does in fact implement RFC 6668 (run ssh -vvv and look at the
MACS offered) but it doesn't change the situation with DSA
authentication.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1647

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pcerny at suse.cz

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.