FIPS186-3 and NIST SP800-57 support

Darren Tucker dtucker at zip.com.au
Tue Feb 16 18:29:46 EST 2010


Gerardo Petti wrote:
> I saw from OpenSSH man pages that the DSA key length must be 1024 bytes
> (according to the standard FIPS 186-2).
> 
> According to the FIPS186-3 and NIST SP800-57, DSA key length could be
> greater than 1024 bytes (2048, 3072).

FIPS 186-3 also specifies hashes other than SHA-1 for key lengths >1024.

> Will OpenSSH be compliant with this new standard?

As far as DSA key length goes I think it's already compliant with FIPS 
186-3 as far as is possible within the SSH protocol spec.  See 
https://bugzilla.mindrot.org/show_bug.cgi?id=1647 for details.

If you want keys stronger than 1024 bits then use RSA.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list