DSA harmful for remote authentication to compromised hosts?

Simon Kirby sim at netnation.com
Sat Jan 3 13:12:39 EST 2009

On Tue, Dec 09, 2008 at 05:55:05PM -0800, Joshua Hill wrote:

> This is true for DSA because a DSA signature features a per-signature
> random 'k' variable which is used in the signing calculation and then
> discarded.
> RSA does not suffer from this particular problem.  There is no
> non-deterministic element to the basic RSA signature generation (though
> certain padding methods do feature non-deterministic elements)
> In either case the private key resides on the client, so a client
> vulnerability can result in the private key being compromised.
> An insecure RNG is just one sort of host vulnerability in this context.

Just to confirm, the client (which has the private key) supplies this
random 'k' variable, or does the server (running sshd) generate it? 
If the latter, then I'd better stop using DSA keys in authorized_keys;
otherwise, it should be OK.

Thanks for the explanation!


More information about the openssh-unix-dev mailing list