5

In FIPS 186-1 and 186-2 L could be any number between 512 and 1024 (inclusive) that was a multiple of 64. N was fixed at 160.

FIPS 186-3 changed it so that L and N could be any combination of the following:

  • L = 1024, N = 160
  • L = 2048, N = 224
  • L = 2048, N = 256
  • L = 3072, N = 256

RFC 4253 (SSH Transport Layer Protocol) says the following:

   The resulting signature is encoded as follows:

      string    "ssh-dss"
      string    dss_signature_blob

   The value for 'dss_signature_blob' is encoded as a string containing
   r, followed by s (which are 160-bit integers, without lengths or
   padding, unsigned, and in network byte order).

So I take it this means SSH does not support 2048-bit DSA? Are there no RFCs that add support for them? No vendor extensions?

neubert
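The wire format the RFC 4253 excerpt above describes, worked through as an added Python example (this is not code from the question, from the RFC or from OpenSSH): it packs and parses the `ssh-dss` signature encoding and makes explicit why the fixed 160-bit `r` and `s` cannot carry a FIPS 186-3 subgroup of N = 224 or 256. The helper names (`ssh_string`, `encode_ssh_dss_signature`, `fips186_3_pair_encodable`, ...) and the sample `r`/`s` values are my own constructions; no real key or signature is involved.

```python
"""Pack and parse RFC 4253 'ssh-dss' signatures (added example, not OpenSSH code)."""
import struct

# RFC 4253: r and s are 160-bit integers, i.e. N is effectively pinned to 160.
SUBGROUP_BITS = 160
COMPONENT_LEN = SUBGROUP_BITS // 8       # 20 bytes per integer
BLOB_LEN = 2 * COMPONENT_LEN             # dss_signature_blob is always 40 bytes


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH 'string' at offset; return (payload, next_offset).

    Length and bounds are checked before slicing so a truncated or
    oversized length field is rejected instead of silently yielding
    a short payload.
    """
    if offset + 4 > len(buf):
        raise ValueError("truncated string length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("string length exceeds remaining buffer")
    return buf[start:end], end


def component_fits(x: int) -> bool:
    """True if a DSA r or s value can be written as an unsigned 160-bit integer."""
    return 0 < x < (1 << SUBGROUP_BITS)


def encode_ssh_dss_signature(r: int, s: int) -> bytes:
    """Encode (r, s) as string "ssh-dss" || string dss_signature_blob.

    Each integer is written as exactly 20 big-endian bytes with no
    length prefix; a value shorter than 160 bits is left zero-filled.
    Anything wider than 160 bits simply has no representation here.
    """
    if not (component_fits(r) and component_fits(s)):
        raise ValueError("r and s must be 160-bit values; a larger N cannot be encoded")
    blob = r.to_bytes(COMPONENT_LEN, "big") + s.to_bytes(COMPONENT_LEN, "big")
    return ssh_string(b"ssh-dss") + ssh_string(blob)


def decode_ssh_dss_signature(sig: bytes) -> tuple[int, int]:
    """Parse an ssh-dss signature back into (r, s), rejecting malformed input."""
    name, off = read_ssh_string(sig, 0)
    if name != b"ssh-dss":
        raise ValueError(f"unexpected signature algorithm name {name!r}")
    blob, off = read_ssh_string(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes after dss_signature_blob")
    if len(blob) != BLOB_LEN:
        raise ValueError(f"dss_signature_blob must be {BLOB_LEN} bytes, got {len(blob)}")
    r = int.from_bytes(blob[:COMPONENT_LEN], "big")
    s = int.from_bytes(blob[COMPONENT_LEN:], "big")
    return r, s


def fips186_3_pair_encodable(L: int, N: int) -> bool:
    """Whether a FIPS 186-3 (L, N) parameter set yields signatures RFC 4253 can carry.

    L (the modulus size) never appears in the signature, so only N matters,
    and the blob format pins N to 160 bits.
    """
    return N == SUBGROUP_BITS


# Constructed sample values, each below 2**160 (not taken from any real signature).
SAMPLE_R = 0x0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_S = 0x0FEDCBA9876543210FEDCBA9876543210FEDCBA9

if __name__ == "__main__":
    sig = encode_ssh_dss_signature(SAMPLE_R, SAMPLE_S)
    print(f"{len(sig)} bytes on the wire:", sig.hex())
    print("round trip ok:", decode_ssh_dss_signature(sig) == (SAMPLE_R, SAMPLE_S))
    for L, N in [(1024, 160), (2048, 224), (2048, 256), (3072, 256)]:
        print(f"L={L} N={N}: encodable={fips186_3_pair_encodable(L, N)}")
```

The useful observation is that the algorithm name and the 40-byte blob are the whole signature: the modulus size L is invisible on the wire, so a 2048-bit or 3072-bit DSA key could in principle be used, but only with a 160-bit subgroup (and, per the RFC, SHA-1), which is exactly the caveat in the answer below.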

1 Answer

2

For the hash: Crossdupe https://crypto.stackexchange.com/questions/15051/why-does-openssh-use-only-sha1-for-signing-and-verifying-of-digital-signatures and https://crypto.stackexchange.com/questions/39983/which-hash-function-is-used-for-signatures-ssh-rsa-and-ssh-dss but probably better here.

A recent answer there links to https://www.openssh.com/txt/release-7.2 (of 2016-02-28) which refers to now-expired https://datatracker.ietf.org/doc/html/draft-rsa-dsa-sha2-256-03 which despite the name only upgrades RSA to SHA2, with section 6 explaining that DSA was dropped, as does its still-draft replacement https://datatracker.ietf.org/doc/html/draft-ietf-curdle-rsa-sha2-02.

You can easily confirm no other RFC has changed this in the IANA registry for SSH.

And OpenSSH since 7.0 has deprecated and disabled by default (all) DSA. There were numerous Qs here and related stacks late last year about this, e.g.:

  • Why OpenSSH deprecated DSA keys
  • https://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey
  • https://superuser.com/questions/962918/pubkeyacceptedkeytypes-and-ssh-dsa-key-type

So they aren't likely to implement improvements to DSA, and anyone else who pushes something incompatible with OpenSSH usually finds it unused.

"Sorry, Charlie."

FWIW although FIPS 186-3 up encourages you to use a hash matching the DSA subgroup size (i.e. N) it doesn't actually require it. OpenSSH ssh-keygen won't generate a DSA key bigger than 1024, but if you generate such a key by other means (such as OpenSSL 1.0.0 up as of 2010, or Java 8 up as of 2014) OpenSSH ssh and sshd will use it (in 7.0 up once you undo the default disabling). But they use it with SHA1 as per the RFC, which basically discards the security benefit the new 186-3 sizes are intended to provide. (Accept no substitutes. OpenSSL 0.9.8 could generate a DSA key with then-nonstandard N=2048 or 3072 -- but still L=160.)

dave_thompson_085