Based on guidelines in NIST Special Publication 800-131A, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" dated January 2011, the US Governement is pushing for stronger crypto in a number of different areas (encryption, digital signatures, random number generation, key agreement using diffie-hellman and MQC, etc.). The most recent version of OpenSSH is not able to meet the updated digital signature requirements based on the fact that it only implements support for the "ssh-dss" and "ssh-rsa" key formats. (Actually, I'm not sure if it implements the pgp-sign-rsa or pgp-sign-dss certificate format or not, but in either case, I don't believe that materially impacts the problem.) And according to RFC 4253, Section 6.6, both of these key formats are defined to use SHA-1 hash algorithm for signing/verifying. SP 800-131A *requires* the use of SHA-224, SHA-256, SHA-384, or SHA-512 in the generation of digital signatures (see Section 9, Hash Functions) starting January 1, 2014.
> The most recent version of OpenSSH is not able to meet the updated > digital signature requirements based on the fact that it only > implements support for the "ssh-dss" and "ssh-rsa" key formats That's not true. We implement ECDSA key formats too that seem well within the guidelines of 800-131A.
Ah, yes, I stand corrected. EC support is indeed there. My bad. This request is, therefore, specific to adding support for non-EC public key formats.
*** Bug 2115 has been marked as a duplicate of this bug. ***
Hi, Can we have a date on when this would be resolved? We are lookign for supporting ssh-rsa-sha256 on server side if the name is confirmed and also if openssh is releasing before Jan 1st 2014 ?
I don't think any of the OpenSSH developers have plans to implement RSA/SHA2 until a specification exists for it.
We've supported RSA-SHA256/512 for a while now.
closing resolved bugs as of 8.6p1 release