ssh-keygen DSA key length limit

Aaron Zauner azet at azet.org
Tue Nov 5 21:57:04 EST 2013


Dear OpenSSH Developers,

I am wondering as to why there is a 1024 bit limitation in the `ssh-keygen` tool up until the current CVS version. There seem to be far higher bit rates when it comes to ECDSA. This effectively limits e.g. DSA host key generation on all BSD and Linux systems as of today.

ssh-keygen.c (CVS) - starting with line 181:
```
	if (type == KEY_DSA && *bitsp != 1024)
		fatal("DSA keys must be 1024 bits");
	else if (type != KEY_ECDSA && *bitsp < 768)
		fatal("Key must at least be 768 bits");
	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
		fatal("Invalid ECDSA key length - valid lengths are "
		    "256, 384 or 521 bits");
```

Now the current NIST/FIPS recommendation for 2010 and onwards suggests using 2048-bit+ keys:
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf - 4.2 Selection of Parameter Sizes and Hash Functions for DSA

I might be missing something, so I am curious if there was a specific reason to disable generation of 1024+ bit keys or if that was just forgotten during development?


Thanks for your time,
Aaron
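A defender-side check for the limitation discussed above, as an added example that is not part of the original mail or of OpenSSH: it parses the OpenSSH public-key wire format (base64 blob of length-prefixed strings and mpints) to report each key's type and size, so DSA keys, which ssh-keygen caps at 1024 bits, and undersized RSA keys can be found in known_hosts or authorized_keys files. `make_line` builds constructed, non-functional sample keys purely for testing; `MIN_BITS` is the 2048-bit floor from FIPS 186-4 section 4.2.

```python
import base64
import struct
MIN_BITS = 2048  # floor from NIST FIPS 186-4 section 4.2 (2048-bit DSA from 2010 onwards)
def _string(b):
    return struct.pack(">I", len(b)) + b  # SSH wire string: uint32 length prefix + bytes

def _mpint(n):
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # 0x00 pad when top bit set

def _read_string(blob, off):
    """Decode one SSH wire-format string at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_strength(line):
    """Return (key_type, bits) for one OpenSSH public-key line (known_hosts/authorized_keys style)."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)      # p is the first of p, q, g, y; its length is the key size
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, off)    # skip e
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)  # e.g. b"nistp256"
        return ktype, int(curve[len("nistp"):])
    return ktype, 0

def audit(line):
    """Flag keys below MIN_BITS; DSA from ssh-keygen is always 1024 bits, so it is always flagged."""
    ktype, bits = key_strength(line)
    if ktype.startswith("ecdsa-sha2-"):
        return "ok: %s" % ktype
    if bits < MIN_BITS:
        return "weak: %s %d bits (below %d)" % (ktype, bits, MIN_BITS)
    return "ok: %s %d bits" % (ktype, bits)

def make_line(ktype, bits):
    """Constructed sample key line for testing, not a real key: only the size-bearing field matters."""
    big = (1 << (bits - 1)) | 1
    if ktype == "ssh-dss":
        blob = _string(b"ssh-dss") + _mpint(big) + _mpint(1) + _mpint(2) + _mpint(3)
    elif ktype == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(big)
    else:
        blob = _string(ktype.encode()) + _string(ktype[len("ecdsa-sha2-"):].encode())
    return "%s %s constructed@example" % (ktype, base64.b64encode(blob).decode())
```

On a real file, run `audit` over each line of `/etc/ssh/ssh_host_*_key.pub` or `~/.ssh/known_hosts` (the parser only needs the second whitespace-separated field, so a known_hosts hostname prefix is ignored).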