The length of an RSA signature sent during the handshake

Damien Miller djm at mindrot.org
Wed Aug 25 18:17:51 EST 2010


On Tue, 24 Aug 2010, JCA wrote:

> I have noticed that OpenSSH clients (at least version 5.1p1)
> occasionally send an RSA signature during the handshake phase such
> that if the RSA key pair used to generate it happens to be associated
> to an N-byte long modulus, the signature is N - 1 bytes long. My
> question is, Is this behavior correct? I mean, an RSA signature is an
> unstructured byte string, and therefore any leading zeros should be
> considered part of the signature, and a signature created with an RSA
> key pair such that its associated modulus is N bytes long ought to be
> N bytes long as well.

How are you measuring length? The size of the signature blob is always
the same length as rsa->n (search for "memmove" in ssh-rsa.c), but if
you are decoding the blob to a bignum then its length will occasionally
be shorter.

If you consider RSA signing to function as a random mapping into
integers of log2(n)/8 bytes, then the first byte will be zero with
probability roughly equal to 1/256.

-d


More information about the openssh-unix-dev mailing list