Inconsistency between legacy and release notes?

Alexander Wuerstlein arw at cs.fau.de
Sat Nov 26 01:16:43 AEDT 2016


On 2016-11-25T10:58, Pedro Melo <melo at simplicidade.org> wrote:
> Hi,
>
> Someone told me that DSA keys were being deprecated with OpenSSH 7.0. The only reference I could find about this topic on the OpenSSH site is on the legacy page:
>
> “OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.”
>
> There is no explanation about the weakness. But more than that, I could not find any mention of this deprecation in the OpenSSH 7.0, 7.1, 7.2 and 7.3 release notes.
>
> So my question is: are DSA keys really deprecated?

AFAIK it's because DSA key size has (for very weird reasons admittedly:
FIPS 186-4) been limited to 1024 bits which is considered weak nowadays.
Also, DSA has the inherent weakness that a random number is used in
producing a DSA signature. If such a random number were ever reused, an
attacker could easily calculate the secret key from just looking at the
signatures. This means that DSA together with a weak source of
randomness endangers your keys and therefore your machines.

There is a workaround for the weak randomness problem (derive the
'random' number deterministically from the message and the secret key),
and I think it's implemented in OpenSSH. But that doesn't take care of
all the old installations and different SSH implementations. Therefore
since DSA keys are too small anyways, it's just better to get rid of it
altogether.



Ciao,

Alexander Wuerstlein.
