Hi,

Someone told me that DSA keys were being deprecated with OpenSSH 7.0. The only reference I could find about this topic on the OpenSSH site is on the legacy page:

"OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use."

There is no explanation about the weakness. But more than that, I could not find any mention of this deprecation in the OpenSSH 7.0, 7.1, 7.2 and 7.3 release notes.

So my question is: are DSA keys really deprecated?

Thank you in advance,

--
Pedro Melo
melo at simplicidade.org (e-mail, SIP, XMPP)
https://www.simplicidade.org
Alexander Wuerstlein
2016-Nov-25 14:16 UTC
Inconsistency between legacy and release notes?
On 2016-11-25T10:58, Pedro Melo <melo at simplicidade.org> wrote:
> Hi,
>
> Someone told me that DSA keys were being deprecated with OpenSSH 7.0. The only reference I could find about this topic on the OpenSSH site is on the legacy page:
>
> "OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use."
>
> There is no explanation about the weakness. But more than that, I could not find any mention of this deprecation in the OpenSSH 7.0, 7.1, 7.2 and 7.3 release notes.
>
> So my question is: are DSA keys really deprecated?

AFAIK it's because the DSA key size has (for very weird reasons admittedly: FIPS 186-4) been limited to 1024 bits, which is considered weak nowadays.

Also, DSA has the inherent weakness that a random number is used in producing a DSA signature. If such a random number were ever reused, an attacker could easily calculate the secret key from just looking at the signatures. This means that DSA together with a weak source of randomness endangers your keys and therefore your machines. There is a workaround for the weak randomness problem (derive the 'random' number deterministically from the message and the secret key), and I think it's implemented in OpenSSH. But that doesn't take care of all the old installations and different SSH implementations.

Therefore, since DSA keys are too small anyway, it's just better to get rid of it altogether.

Ciao,

Alexander Wuerstlein.
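The nonce problem Alexander describes, shown with a toy DSA implementation written for this thread (an added illustration, not OpenSSH code and not anything posted on the list). Domain parameters are generated at tiny, insecure sizes so the script runs instantly; the deterministic nonce is a simplified HMAC(private key, message hash) construction in the spirit of the workaround he mentions, not the exact RFC 6979 procedure; all function and variable names are the example's own. The last function shows what an observer can check without any secret: two signatures that share r but differ in s were produced with the same nonce on different messages, which is precisely the condition that exposes the key.

```python
import hashlib
import hmac
import random

Q_BITS, P_BITS = 64, 192  # toy sizes, far below anything FIPS 186-4 permits


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Miller-Rabin with a fixed-seed RNG so every run is reproducible."""
    if n < 2:
        return False
    if any(n % s == 0 for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(seed=1):
    """DSA-style domain parameters (p, q, g): q divides p-1, g has order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            m = rng.getrandbits(P_BITS - Q_BITS) | (1 << (P_BITS - Q_BITS - 1))
            p = m * q + 1
            if is_probable_prime(p):
                for h in range(2, 64):
                    g = pow(h, (p - 1) // q, p)
                    if g != 1:
                        return p, q, g


def truncated_hash(message, q):
    """DSA uses the leftmost N bits of the digest, N = bit length of q."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - q.bit_length()), digest


def derive_nonce(x, digest, q):
    """Nonce from HMAC(private key, hash): a simplified sketch of the RFC 6979
    idea (same message + same key always gives the same k), not the RFC itself."""
    key = x.to_bytes((q.bit_length() + 7) // 8, "big")
    for counter in range(256):  # retry in the unlikely case the value reduces to 0
        mac = hmac.new(key, digest + bytes([counter]), hashlib.sha256).digest()
        if k := int.from_bytes(mac, "big") % q:
            return k
    raise ValueError("nonce derivation failed")


def keygen(params, seed=2):
    p, q, g = params
    x = random.Random(seed).randrange(1, q)  # constructed private key, fixed seed
    return x, pow(g, x, p)


def sign(params, x, message, k=None):
    """k=None uses the deterministic nonce; an explicit k reproduces the
    reuse failure mode so the detector below has something to catch."""
    p, q, g = params
    h, digest = truncated_hash(message, q)
    if k is None:
        k = derive_nonce(x, digest, q)
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; retry with another nonce")
    return r, s


def verify(params, y, message, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    h, _ = truncated_hash(message, q)
    w = pow(s, -1, q)
    v = pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r


def nonce_reuse_suspected(sig_a, sig_b):
    """r depends only on k, so equal r with different s across two signatures
    means one nonce signed two different messages: the case described above."""
    return sig_a[0] == sig_b[0] and sig_a[1] != sig_b[1]


if __name__ == "__main__":
    params = generate_params()
    x, y = keygen(params)
    c = sign(params, x, b"constructed message 1", k=12345)
    d = sign(params, x, b"constructed message 2", k=12345)
    print("same nonce on two messages flagged:", nonce_reuse_suspected(c, d))
```

With `k=None` the same message always yields the same (r, s) pair, which is harmless, while different messages get different nonces; the reuse check only fires when r repeats but s does not, which can never happen with a correctly derived deterministic nonce but happens immediately when a broken RNG hands out the same k twice.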
On Sat, Nov 26, 2016 at 1:16 AM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
[...]
> Afaik its because DSA key size has (for very weird reasons admittedly:
> FIPS 186-4) been limited to 1024 bits which is considered weak nowadays.

Use of DSA within the SSH protocol requires the use of SHA1, which is 160 bits (80 bits against a birthday attack) and is reaching its use-by date. This is probably why FIPS requires stronger hashes for DSA key sizes >1k, but those can't be used in SSH because it specifies only SHA1.

There's some more info in https://bugzilla.mindrot.org/show_bug.cgi?id=1647

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
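A practical follow-on to the thread's conclusion that ssh-dss is on its way out, as an added example rather than anything posted on the list or shipped with OpenSSH: a small Python audit that walks authorized_keys or known_hosts style lines and flags ssh-dss entries, reading the key type from the first string inside the base64 blob instead of trusting the leading text token. The sample lines and their blobs are constructed placeholders (a correct wire-format type string followed by a dummy payload), not real keys; names such as `audit`, `parse_key_line` and `WEAK_TYPES` are the example's own.

```python
import base64
import struct

WEAK_TYPES = {"ssh-dss"}  # the algorithm OpenSSH 7.0+ disables by default


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob):
    """The key type is the first wire-format string inside the blob; that,
    not the leading text token, is what an SSH implementation acts on."""
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", "replace")


def parse_key_line(line):
    """Return (declared_type, blob_type, comment) for one authorized_keys or
    known_hosts line, or None for blank, comment and unparsable lines.
    Option prefixes (command=..., no-pty) and known_hosts host fields are
    skipped by looking for a type token that is followed by a valid blob."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):
        if not tok.startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # a host name like ssh-gw.example is not a blob
            continue
        return tok, blob_key_type(blob), " ".join(fields[i + 2:])
    return None


def audit(lines):
    """Findings as (line_no, kind, detail); kind is 'weak' or 'mismatch'."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        declared, actual, comment = parsed
        if actual != declared:
            findings.append((n, "mismatch", f"declared {declared}, blob says {actual}"))
        if declared in WEAK_TYPES or actual in WEAK_TYPES:
            findings.append((n, "weak", f"{declared} key for {comment or '(no comment)'}"))
    return findings


def fake_blob(key_type):
    """Constructed placeholder blob: real type string, dummy one-byte payload."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(b"\x01")).decode()


# Constructed sample authorized_keys content; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not real keys",
    f"ssh-ed25519 {fake_blob('ssh-ed25519')} alice@example",
    f"ssh-dss {fake_blob('ssh-dss')} legacy-deploy@example",
    f'command="/usr/bin/backup",no-pty ssh-rsa {fake_blob("ssh-rsa")} backup@example',
    f"ssh-rsa {fake_blob('ssh-dss')} mislabeled@example",
]

if __name__ == "__main__":
    for line_no, kind, detail in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against a real file with `audit(open(path).readlines())`; the same parser handles known_hosts lines because it locates the type token by the blob that follows it, so a leading host field (plain or hashed) is simply skipped. Reporting a mismatch between the declared token and the embedded type matters because editing the text token does not change what the key actually is.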