Bug 1647 - Implement FIPS 186-3 for DSA keys
Summary: Implement FIPS 186-3 for DSA keys
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 5.2p1
Hardware: Other All
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2009-09-06 09:22 AEST by Fabio A. Correa
Modified: 2016-08-02 10:41 AEST
Description Fabio A. Correa 2009-09-06 09:22:37 AEST
Hello friends, keep up the great work with SSH.

The DSA has been expanded, allowing longer DSA keys. It would be great to have this implemented in SSH for better security.

http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Signature_Algorithm
Comment 1 Darren Tucker 2009-09-06 14:30:47 AEST
It's not as simple as just increasing the allowable key size.

Look in FIPS-186-3 section 4.2 where it mandates the hash lengths for the various DSA key sizes:

L = 1024, N = 160
L = 2048, N = 224
L = 2048, N = 256
L = 3072, N = 256

Now look at RFC4253 section 6.6 where it defines the ssh-dss authentication type as:

"Digital Signature Standard [FIPS-186-2] using the SHA-1 hash"

SHA-1 is 160 bits and is mandated by RFC 4253, thus the only way to be compliant with both it and FIPS-186-{2,3} is to allow only 1024 bit keys (which is what ssh-keygen does right now).

There was some discussion about this on the IETF working group about defining a new authentication method (http://thread.gmane.org/gmane.ietf.secsh/6186/focus=6193) but AFAIK it never went anywhere.
Comment 2 mackyle 2013-09-10 18:28:41 AEST
RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data integrity algorithm as a new recommended algorithm.

FIPS 186-4 [2] (2013-07) section 4.2 includes the same DSA parameters as FIPS 186-3:

L = 1024, N = 160
L = 2048, N = 224
L = 2048, N = 256
L = 3072, N = 256

And it would seem that the L=2048,N=256 L=3072,N=256 selections are now possible while remaining standards compliant.

It appears that OpenSSH has added support for SHA-256 and SHA-512 in version 5.9p1 (2011-09).

[1] http://tools.ietf.org/html/rfc6668
[2] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
Comment 3 Darren Tucker 2013-10-04 01:11:48 AEST
(In reply to mackyle from comment #2)
> RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data
> integrity algorithm as a new recommended algorithm.
> 
> FIPS 186-4 [2] (2013-07) section 4.2 includes the same DSA
> parameters as FIPS 186-3:
> 
> L = 1024, N = 160
> L = 2048, N = 224
> L = 2048, N = 256
> L = 3072, N = 256
> 
> And it would seem that the L=2048,N=256 L=3072,N=256 selections are
> now possible while remaining standards compliant.

RFC 6668 adds a new HMAC (i.e. integrity) algorithm (RFC 4253 section 6.4), not a public key (i.e. authentication) algorithm (RFC 4253 section 6.6).

OpenSSH does in fact implement RFC 6668 (run ssh -vvv and look at the MACS offered) but it doesn't change the situation with DSA authentication.
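The constraint Darren describes in comments 1 and 3 can be made concrete with a small checker. This is an added example, not code from OpenSSH or from anyone in this thread; it encodes the FIPS 186-3 (L, N) table quoted above, the SHA-1 mandate from RFC 4253 section 6.6, and the detail (from RFC 4253, not from this page) that the ssh-dss signature blob is r followed by s as two fixed 160-bit integers, so a larger N cannot even be serialised in the wire format.

```python
import hashlib
import struct

# (L, N) pairs from FIPS 186-3 / 186-4 section 4.2, as quoted in the thread.
FIPS_186_3_LN = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

# RFC 4253 section 6.6: ssh-dss is DSS with SHA-1, and the signature blob is
# r followed by s as two 160-bit unsigned big-endian integers, no padding.
SSH_DSS_HASH = "sha1"
SSH_DSS_INT_BYTES = 20


def ssh_string(data):
    """Encode an SSH 'string' (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, off=0):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    return buf[start:start + n], start + n


def ssh_dss_compliance(L, N):
    """Say whether a DSA (L, N) pair is usable under ssh-dss and FIPS 186-3."""
    if (L, N) not in FIPS_186_3_LN:
        return "not a FIPS 186-3 (L, N) pair"
    hash_bits = hashlib.new(SSH_DSS_HASH).digest_size * 8
    if N > hash_bits:
        return "N=%d exceeds the %d-bit %s hash mandated by RFC 4253" % (N, hash_bits, SSH_DSS_HASH)
    return "compliant with both FIPS 186-3 and RFC 4253"


def fits_ssh_dss(r, s):
    """True only if both signature integers fit the fixed 160-bit blob fields."""
    return 0 < r < (1 << 160) and 0 < s < (1 << 160)


def encode_ssh_dss_signature(r, s):
    """Build the RFC 4253 6.6 signature: string "ssh-dss", string r||s (20 bytes each)."""
    if not fits_ssh_dss(r, s):
        raise ValueError("r and s must fit 160 bits; ssh-dss cannot carry a larger N")
    blob = r.to_bytes(SSH_DSS_INT_BYTES, "big") + s.to_bytes(SSH_DSS_INT_BYTES, "big")
    return ssh_string(b"ssh-dss") + ssh_string(blob)


def decode_ssh_dss_signature(sig):
    """Parse a signature back into (r, s), rejecting anything but the fixed layout."""
    name, off = read_ssh_string(sig)
    blob, off = read_ssh_string(sig, off)
    if name != b"ssh-dss" or len(blob) != 2 * SSH_DSS_INT_BYTES or off != len(sig):
        raise ValueError("malformed ssh-dss signature")
    return (int.from_bytes(blob[:SSH_DSS_INT_BYTES], "big"),
            int.from_bytes(blob[SSH_DSS_INT_BYTES:], "big"))
```

Running `ssh_dss_compliance` over the four FIPS pairs accepts only (1024, 160), which is exactly the key size ssh-keygen allowed at the time of this report.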
Comment 4 Damien Miller 2016-02-05 13:48:14 AEDT
We're not interested in implementing support for DSA with larger keys, because DSA still suffers catastrophic failure when its nonce isn't random. We're instead pushing to deprecate DSA entirely - recent versions no longer offer or accept it by default.
Comment 5 Damien Miller 2016-08-02 10:41:04 AEST
Close all resolved bugs after 7.3p1 release