On Sat, Nov 26, 2016 at 1:16 AM, Alexander Wuerstlein <arw at cs.fau.de> wrote: [...]> Afaik its because DSA key size has (for very weird reasons admittedly: > FIPS 186-4) been limited to 1024 bits which is considered weak nowadays.Use of DSA within the SSH protocol requires the use of SHA1, which is 160 bits (80 bits against a birthday attack) and is reaching its use-by date. This is probably why FIPS requires stronger hashes for DSA key sizes >1k, but those can't be used in SSH because it specifies only SHA1. There's some more info in https://bugzilla.mindrot.org/show_bug.cgi?id=1647 -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Hi
On 28/11/16 00:14, "dtucker at dtucker.net on behalf of Darren Tucker"
<dtucker at dtucker.net on behalf of dtucker at zip.com.au> wrote:
On Sat, Nov 26, 2016 at 1:16 AM, Alexander Wuerstlein <arw at
cs.fau.de> wrote:
[...]
> Afaik its because DSA key size has (for very weird reasons admittedly:
> FIPS 186-4) been limited to 1024 bits which is considered weak
nowadays.
Use of DSA within the SSH protocol requires the use of SHA1, which is
160 bits (80 bits against a birthday attack) and is reaching its
use-by date. This is probably why FIPS requires stronger hashes for
DSA key sizes >1k, but those can't be used in SSH because it
specifies
only SHA1.
There's some more info in
https://bugzilla.mindrot.org/show_bug.cgi?id=1647
My initial email was not about why DSA was deprecated (although I do appreciate
the reasons, thank you), but more about the fact that this deprecation is not
mentioned on the OpenSSH release notes, so I would argue that DSA was not in
fact deprecated?
I think mentioning on the next release release notes would be important to make
it official.
Thank you,
On Mon, Nov 28, 2016 at 5:46 PM, Pedro Melo <melo at simplicidade.org> wrote:> Hi > > On 28/11/16 00:14, "dtucker at dtucker.net on behalf of Darren Tucker" <dtucker at dtucker.net on behalf of dtucker at zip.com.au> wrote:[...]> My initial email was not about why DSA was deprecated (although I do appreciate the reasons, thank you), but more about the fact that this deprecation is not mentioned on the OpenSSH release notes, so I would argue that DSA was not in fact deprecated?In the 7.0 release notes: * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html DSS = Digital Signature Standard, DSA = Digital Signature Algorithm but they refer to the same thing. Given that the SSH standards use ssh-dss, by rights keygen should refer to it as "dss" instead of "dsa" but that ship sailed long ago. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.