[Bug 2115] Support for DSA p=2048 q=256/224 bit keys

Mark D. Baushke mdb at juniper.net
Wed Jun 5 16:44:56 EST 2013

> --- Comment #2 from Cipher <dhanukumar1990 at gmail.com> ---
> Thanks Damien.
> Yes we were creating the keys using openssl and also using
> ssh-keygen(After removing 1024 bit limit gate in the code).
> One of our third party applications support only DSA keys, so we cant
> use ECDSA. FIPS 140-2/3 requires 2048 with q=224/256. So how difficult
> it will be and how much sense will it make to change ssh-dss to use 32
> byte seg parts? 

NIST SP 800-131A also mandates you would need to use SHA2-256 instead of
SHA-1 for public key signature verification to meet FIPS 140-2/3

Given ssh-dss in RFC 4253 specifies ssh-dss format as

|   ssh-dss           REQUIRED     sign   Raw DSS Key
|   ...
|   Signing and verifying using this key format is done according to the
|   Digital Signature Standard [FIPS-186-2] using the SHA-1 hash
|   [FIPS-180-2].
|   The resulting signature is encoded as follows:
|      string    "ssh-dss"
|      string    dss_signature_blob
|   The value for 'dss_signature_blob' is encoded as a string containing
|   r, followed by s (which are 160-bit integers, without lengths or
|   padding, unsigned, and in network byte order).

It is the 160-bit SHA-1 hash that is your real problem.

The openssh-unix-dev list has a suggestion for adding ssh-rsa-sha256 and

I believe this has been filed as Bug 2109 by Geoff Lowe.

I therefore suggest that Bug 2115 is not a sufficient representation of
your issue and that you would also need to see Bug 2109 addressed as

	-- Mark

More information about the openssh-unix-dev mailing list