Bug 1119

Summary:

Enhancement request for raising minimum acceptable key length.

Product:

Portable OpenSSH

Reporter:

senthilkumar <senthilkumar_sen>

Component:

ssh-keygen

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

t8m

Priority:

Version:

4.2p1

Hardware:

Other

OS:

All

URL:

http://www.rsasecurity.com/press_release.asp?doc_id=488&id=1034

Bug Depends on:

Bug Blocks:

1047

Attachments:

Description	Flags
Patch to update the minimum keylength bits to 1024	none

Description senthilkumar 2005-11-17 20:56:21 AEDT

The minimum key length recommended for RSA at the specified URL is 768. This is an enhancement request to raise the minimum level of key length from 512 to 768 in ssh-keygen. I will attach the patch for this enhancement

Comment 1 senthilkumar 2005-11-23 17:18:40 AEDT

Created attachment 1031 [details]
Patch to update the minimum keylength bits to 1024

I received an input from Tom, the author of libtomcrypt (http://libtomcrypt.org/) that minimum recommended key length is 1024 in general. So the patch is modified from the description of enhancement request #1, so that it checks for atleast 1024 bits.

Comment 2 Darren Tucker 2005-11-28 16:25:09 AEDT

As a compromise we increased the minimum RSA key size to 768 bits so it's still usable on older/slower machines.

We have also enforced a DSA key size of exactly 1024 bits since that's apparently what FIPS 186-2 specifies (and the SSH protocol specs reference that for the DSA definition).

Thanks.

Comment 3 Tomas Mraz 2005-11-28 22:02:08 AEDT

Well the FIPS may specify 1024 bits for DSA but is there any reason besides the FIPS why larger DSA keys should not be used? Are they less secure (probably not).
Maybe issuing a warning instead of fatal() would be much more appropriate.

Comment 4 Darren Tucker 2005-11-28 22:15:30 AEDT

(In reply to comment #3)
> Well the FIPS may specify 1024 bits for DSA but is there any reason besides the
> FIPS why larger DSA keys should not be used? Are they less secure (probably
> not).

They're not less secure, but they're apparently not (much?) more secure.  The security is apparently limited by the 160 bit subgroup that's part of the public key, and the use of SHA1 (again, 160 bits).

So there's no real security gain, and the larger keys can confuse other implementations which do adhere strictly to the spec.  If you want big keys, use RSA.

Comment 5 Darren Tucker 2006-10-07 11:43:10 AEST

Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.