
Re: RSA/DSA



Wim Bertels wrote one day:
> On vr, 2011-11-25 at 11:31 +0000, Florian Weimer wrote:
>> * Wim Bertels:
>>
>>> So why isn't it possible to choose one of the longer keylengths for DSA?
>> The original DSA standard explicitly required that key lengths did not
>> exceed 1024 bits.  Older OpenSSH versions implemented that standard.

True, but in 2009 FIPS 186-3 officially increased the DSA maximum keylength to 3072 bits.

The man page about ssh-keygen still talks about the old FIPS 186-2 standard even in OpenBSD 5.0, so perhaps I could ask them what their plans are about it. Perhaps they keep it just for backward compatibility reasons and want people to move away from DSA.

For those interested, you can read the official NIST document on page 15 (actually the 25th page of this PDF document):
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf


> tnx, i wonder then if using 1024 on squeeze (or lenny) is still secure?

AFAIK, DSA and RSA 1024 are still not considered broken. But if you need to use a fingerprint that will need to be still valid for a lot more than 5 years, I would certainly avoid it. And I wouldn't use it at all for generating a new remote logging key.

Actually, I wonder if we should remove completely the DSA host key in Debian unstable and just stick with RSA, which is now patent free and used by almost everyone.

Except for backward compatibility, I see few reasons to still use DSA. I notice that OpenSSL started supporting DSA 2048 years before it became part of the official standard, but OpenSSH still doesn't (and maybe won't).

As a host key, I guess it is probably still secure enough for most people, but I see few reasons to still use DSA if you don't have to. As a remote logging key, I wouldn't use a DSA-1024 key as they tend to be used for much longer than originally planned.


> do u know if ssh can work without DSA, using only RSA?

Yes it can. I started disabling DSA in sshd_config at least 3 years ago (because of the keylength) and never had any problem.

What is important to know is that DSA was used because RSA was patented. Once the patent expired in the year 2000, OpenSSH quickly supported it (and I guess the few other implementations that didn't already).

Also, it seems that the OpenSSH client first tries RSA and falls back to DSA only if it is not supported by the server (or perhaps it just uses the longest available key). Don't know about other implementations, but they are more than likely to default to RSA or not to support DSA at all.

Unless you have to deal with very old systems (8+ years) that support only DSA (and are probably full of security issues anyway) I don't think you will have any problem.


If you want to be sure, you can increase the verbosity of OpenSSH and check in the logs if any connection ever used something other than RSA. If after a few months no host ever used DSA, you'll know you probably can disable it completely.


Simon Valiquette
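
The log check suggested in the last paragraph, as an added example that is not part of the original message. It assumes sshd runs with `LogLevel DEBUG1` and is a version that logs `kex: host key algorithm:` lines; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally negotiated host key algorithms from sshd debug logs.
# Assumption: LogLevel DEBUG1 and an sshd that logs "kex: host key algorithm:".

# Constructed sample log; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Nov 26 10:01:02 host sshd[2101]: Connection from 192.0.2.10 port 50122
Nov 26 10:01:02 host sshd[2101]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Nov 26 10:05:40 host sshd[2150]: Connection from 198.51.100.7 port 41876
Nov 26 10:05:40 host sshd[2150]: debug1: kex: host key algorithm: ssh-dss [preauth]
Nov 26 10:09:13 host sshd[2188]: Connection from 192.0.2.10 port 50190
Nov 26 10:09:13 host sshd[2188]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Nov 26 10:12:00 host sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 41876 ssh2
EOF
}

# Read an sshd log on stdin; print "algorithm client-ip count", sorted.
hostkey_usage() {
  awk '
    { pid = "" }
    match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
    pid == "" { next }
    # Remember which client each sshd process is serving.
    / Connection from / {
      for (i = 1; i < NF; i++) if ($i == "from") ip[pid] = $(i + 1)
    }
    # Count the algorithm chosen during key exchange for that client.
    /kex: host key algorithm: / {
      for (i = 1; i < NF; i++) if ($i == "algorithm:") alg = $(i + 1)
      src = (pid in ip) ? ip[pid] : "unknown"
      count[alg " " src]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Clients that still negotiated a DSA (ssh-dss) host key.
dsa_clients() {
  hostkey_usage | awk '$1 ~ /^ssh-dss/ { print $2 }' | sort -u
}

# With a readable file argument, analyse that log; otherwise use the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  hostkey_usage < "$1"
else
  sample_log | hostkey_usage
fi
```

An empty result from `dsa_clients` over the whole observation period is the signal that the DSA host key can be dropped from sshd_config.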

