Re-using RSA1 keys as RSA

Dan Kaminsky dan at doxpara.com
Fri Aug 22 15:39:07 EST 2003


Frank Cusack wrote:

>Is there a security issue with turning an RSA1 key into an RSA key?  One
>might want to do this, e.g., to move to protocol 2 without having to
>update authorized_keys files.
>
>I thought there was a problem with this, but Google doesn't find anything.
>
>thanks
>/fc
>
It's been a while since I went over this, but I believe the reason you 
can't do this is:

SSHv1 uses RSA keys for encryption -- I send you data encrypted with 
your pubkey, you send it back to me decrypted.
SSHv2 uses RSA keys for verification -- I send you data, you send it 
back to me signed, I test to see if the data was signed correctly.

There are potential attacks involving the use of one mode against the 
other.  They're not as simple as what I once thought they were; i.e. the 
private key for decrypting is the public key for verifying -- but I 
think it was a problem nonetheless.

That being said, there really needs to be a mode to check all known host 
key types for one that matches.  This is a _real_ security requirement, 
people!  If we checked the SSHv1 key before accepting a new SSHv2 key, 
we'd be _a lot_ better off for the migrators.

--Dan
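
The two uses of the key described in the message above, sketched as an added example (not part of the original post and not OpenSSH code). Assumptions: unpadded RSA over a constructed demo key, SHA-256 for every hash, and hypothetical function names throughout.

```python
# Added illustration: toy, unpadded RSA. The real protocols use their own
# padding and hash functions; nothing here is wire-compatible with SSH.
import hashlib
import secrets

# Constructed demo key (two Mersenne primes); trivially factorable, not a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

def _bound_hash(challenge, session_id):
    # Hash that ties the decrypted challenge to one session.
    return hashlib.sha256(challenge.to_bytes(32, "big") + session_id).digest()

def v1_server_challenge():
    """SSHv1 style: the verifier picks a random value and encrypts it to the public key."""
    challenge = secrets.randbits(256)
    return challenge, pow(challenge, E, N)

def v1_client_response(ciphertext, session_id):
    """Key holder decrypts verifier-chosen data, then answers with a session-bound hash."""
    challenge = pow(ciphertext, D, N)  # private-key operation used as decryption
    return _bound_hash(challenge, session_id)

def v1_server_check(challenge, session_id, response):
    return secrets.compare_digest(response, _bound_hash(challenge, session_id))

def _digest_int(session_id, request):
    return int.from_bytes(hashlib.sha256(session_id + request).digest(), "big")

def v2_client_sign(session_id, request):
    """SSHv2 style: key holder signs a digest of data both sides already know."""
    return pow(_digest_int(session_id, request), D, N)  # same exponent, used as signing

def v2_server_verify(session_id, request, signature):
    return pow(signature, E, N) == _digest_int(session_id, request)

if __name__ == "__main__":
    sid = b"constructed-session-id"
    chal, ct = v1_server_challenge()
    print("v1 ok:", v1_server_check(chal, sid, v1_client_response(ct, sid)))
    sig = v2_client_sign(sid, b"userauth-request")
    print("v2 ok:", v2_server_verify(sid, b"userauth-request", sig))
```

Both roles run the same private exponent over different inputs: a value chosen by the peer in the first case, a locally computed digest in the second.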
