[Bug 2115] New: Support for DSA p=2048 q=256/224 bit keys
bugzilla-daemon at mindrot.org
Mon Jun 3 17:49:32 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2115
Bug ID: 2115
Summary: Support for DSA p=2048 q=256/224 bit keys
Product: Portable OpenSSH
Version: 6.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: dhanukumar1990 at gmail.com
Created attachment 2292
--> https://bugzilla.mindrot.org/attachment.cgi?id=2292&action=edit
sshd debug mode - connection failure with bad sig size error while using 2048 bit DSA keys
ssh-dss.c in OpenSSH 6.1p1 limits sig parts to 20 bytes (matching a SHA1 hash), consistent with RFC 4253 6.6, which specifies SHA1 and 160-bit (20-byte).

Whereas OpenSSL, starting from 1.0.0, creates DSA 2048-bit keys with q=256 (SHA2), which is incompatible with OpenSSH, which validates against q=160 (SHA1 hash).

Using OpenSSL version 0.9.8 or less solves the issue, since it generates DSA 2048 keys with q=160, but there is no security benefit, since SP800-57 rates DSA 2048/160 as 80-bit strength, which is less than the nom 112 bits.
For more info:
http://openssl.6102.n7.nabble.com/openssl-1-0-1e-bad-sig-size-32-32-for-DSA-2048-keys-tc45189.html#a45246
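The size mismatch the report describes, modelled as an added example (this is not OpenSSH code): it mirrors the 20-byte-per-integer / 40-byte-blob limits of ssh-dss.c and the RFC 4253 6.6 blob layout (string "ssh-dss", then string r||s), and shows that r and s from a q=256 key are 32 bytes each, so signing is refused before anything reaches the wire. The r/s values are constructed sample integers of the right width, not real signatures; the function and message names are the example's own.

```python
import struct

# Limits assumed by OpenSSH 6.1p1 ssh-dss.c: q is taken to be 160 bits.
INTBLOB_LEN = 20                # bytes per DSA integer (r or s)
SIGBLOB_LEN = 2 * INTBLOB_LEN   # r || s, 40 bytes (RFC 4253 6.6)

def bn_num_bytes(n: int) -> int:
    """Minimal big-endian byte length, like OpenSSL's BN_num_bytes()."""
    return (n.bit_length() + 7) // 8

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def sign_side_encode(r: int, s: int):
    """Mirror the signing side: refuse r/s wider than 20 bytes, otherwise build
    string "ssh-dss" || string (r zero-padded to 20 bytes || s zero-padded to 20 bytes)."""
    rlen, slen = bn_num_bytes(r), bn_num_bytes(s)
    if rlen > INTBLOB_LEN or slen > INTBLOB_LEN:
        return None, f"bad sig size {rlen} {slen}"
    sigblob = r.to_bytes(INTBLOB_LEN, "big") + s.to_bytes(INTBLOB_LEN, "big")
    return ssh_string(b"ssh-dss") + ssh_string(sigblob), "ok"

def verify_side_decode(blob: bytes):
    """Mirror the receiving side: parse both strings, insist on a 40-byte sigblob,
    and return (r, s). Raises ValueError with the check that failed."""
    off = 0
    (n,) = struct.unpack_from(">I", blob, off); off += 4
    ktype = blob[off:off + n]; off += n
    if ktype != b"ssh-dss":
        raise ValueError("cannot handle type " + ktype.decode(errors="replace"))
    (n,) = struct.unpack_from(">I", blob, off); off += 4
    if n != SIGBLOB_LEN:
        raise ValueError(f"bad sigbloblen {n} != SIGBLOB_LEN")
    sigblob = blob[off:off + n]
    return (int.from_bytes(sigblob[:INTBLOB_LEN], "big"),
            int.from_bytes(sigblob[INTBLOB_LEN:], "big"))

# Constructed sample values: top bit set so they have the full width of q.
R160, S160 = (1 << 159) | 0x1234, (1 << 159) | 0x5678   # q = 160 bits -> 20 bytes each
R256, S256 = (1 << 255) | 0x1234, (1 << 255) | 0x5678   # q = 256 bits -> 32 bytes each

if __name__ == "__main__":
    print(sign_side_encode(R160, S160)[1])   # ok
    print(sign_side_encode(R256, S256)[1])   # bad sig size 32 32
```

The second message is the same "bad sig size 32 32" seen in the linked OpenSSL thread: a 2048/256 host key fails at signing time, which is why sshd cannot complete the connection.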