Re-using RSA1 keys as RSA
Dan Kaminsky
dan at doxpara.com
Fri Aug 22 15:39:07 EST 2003
Frank Cusack wrote:
>Is there a security issue with turning an RSA1 key into an RSA key? One
>might want to do this, e.g., to move to protocol 2 without having to
>update authorized_keys files.
>
>I thought there was a problem with this, but Google doesn't find anything.
>
>thanks
>/fc
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
It's been a while since I went over this, but I believe the reason you
can't do this is:
SSHv1 uses RSA keys for encryption -- I send you data encrypted with
your pubkey, you send it back to me decrypted.
SSHv2 uses RSA keys for verification -- I send you data, you send it
back to me signed, I test to see if the data was signed correctly.
There are potential attacks involving the use of one mode against the
other. They're not as simple as what I once thought they were; i.e. the
private key for decrypting is the public key for verifying -- but I
think it was a problem nonetheless.
That being said, there really needs to be a mode to check all known host
key types for one that matches. This is a _real_ security requirement,
people! If we checked the SSHv1 key before accepting a new SSHv2 key,
we'd be _alot_ better off for the migrators.
--Dan
More information about the openssh-unix-dev
mailing list