Bug 2109

Summary: Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
Product: Portable OpenSSH Reporter: Geoff Lowe <Geoff_Lowe>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: dhanukumar1990, djm, simon, tj, venrag78
Priority: P5    
Version: 5.2p1   
Hardware: All   
OS: FreeBSD   

Description Geoff Lowe 2013-05-28 10:33:44 AEST 
Based on guidelines in NIST Special Publication 800-131A, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" dated January 2011, the US Governement is pushing for stronger crypto in a number of different areas (encryption, digital signatures, random number generation, key agreement using diffie-hellman and MQC, etc.).

The most recent version of OpenSSH is not able to meet the updated digital signature requirements based on the fact that it only implements support for the "ssh-dss" and "ssh-rsa" key formats.  (Actually, I'm not sure if it implements the pgp-sign-rsa or pgp-sign-dss certificate format or not, but in either case, I don't believe that materially impacts the problem.)  And according to RFC 4253, Section 6.6, both of these key formats are defined to use SHA-1 hash algorithm for signing/verifying.  SP 800-131A *requires* the use of SHA-224, SHA-256, SHA-384, or SHA-512 in the generation of digital signatures (see Section 9, Hash Functions) starting January 1, 2014.
Comment 1 Damien Miller 2013-05-28 11:01:22 AEST 
> The most recent version of OpenSSH is not able to meet the updated 
> digital signature requirements based on the fact that it only 
> implements support for the "ssh-dss" and "ssh-rsa" key formats

That's not true. We implement ECDSA key formats too that seem well within the guidelines of 800-131A.
Comment 2 Geoff Lowe 2013-05-28 11:20:10 AEST 
Ah, yes, I stand corrected.  EC support is indeed there.  My bad.

This request is, therefore, specific to adding support for non-EC public key formats.
Comment 3 Darren Tucker 2013-06-06 00:28:40 AEST 
*** Bug 2115 has been marked as a duplicate of this bug. ***
Comment 4 venrag78 2013-09-25 20:11:37 AEST 
Hi, 

Can we have a date on when this would be resolved? We are lookign for supporting ssh-rsa-sha256 on server side if the name is confirmed and also if openssh is releasing before Jan 1st 2014 ?
Comment 5 Damien Miller 2013-09-25 20:26:00 AEST 
I don't think any of the OpenSSH developers have plans to implement RSA/SHA2 until a specification exists for it.
Comment 6 Damien Miller 2018-05-24 12:20:45 AEST 
We've supported RSA-SHA256/512 for a while now.
Comment 7 Damien Miller 2021-04-23 14:57:01 AEST 
closing resolved bugs as of 8.6p1 release