> From: owner-openssl-us...@openssl.org On Behalf Of Cipher
> Sent: Monday, 20 May, 2013 11:07

> I built and installed openssl 1.0.1e. When I try to connect
> using ssh with 2048 DSA keys, I get *bad sig size 32 32* error.
> Is this a bug?
> Here is how I created the keys.
>

openssh (through 6.2) ssh-dss.c limits sig parts to 20 bytes (matching a SHA1 hash), consistent with RFC 4253 6.6 which specifies SHA1 and 160-bit (20-byte) r & s. Note 4253 was issued in 2006 well before DSS was updated by 186-3 in 2009 with groups>1k subgroups>160 (and SHA2). On checking I see 6668 less than a year ago defines new *data* hmacs for SHA-256/512, but no change to pubkey auth. So there doesn't appear to be any standard or interoperable SSH protocol using 186-3, nor any openssh extension.

You may have hit the difference because openssl < 1.0.0 supported |p|>1024 as a then-nonstandard extension, but still |q|=160 and SHA1 for signing (because of API issue). Newer openssl does |q|=256 SHA-2 -- incompatible with (open)ssh.

In 1.0.0 unless you use what is intended as an internal routine you can't generate parameters for 2048/160. But if you use parameters generated by 0.9.8 (or some other thing that can do 2048/160), and generate a key, the sign and verify logic and thus I expect (probably) openssh can use it. But you don't get any security benefit; SP800-57 rates 2048/224 or 2048/256 as 112-bit strength, but using 2048/160 will reduce it to 80-bit strength no better than 1024/160. And you may or may not be interoperable, because another implementation may have coded to FIPS 186-2 as specified.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
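The size constraint described in the reply above, as an added example that is not part of the original message and is not OpenSSH's code: a small encoder and parser for the ssh-dss signature format of RFC 4253 6.6, which has room for exactly two 20-byte values, so r and s from a key with |q|=256 cannot be represented. The function names and the sample r/s values are constructed for illustration.

```python
import struct

KEY_TYPE = b"ssh-dss"
PART_LEN = 20  # bytes per r or s (160 bits), per RFC 4253 section 6.6


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _take_string(buf: bytes, off: int):
    """Read one SSH string at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def encode_ssh_dss_signature(r: int, s: int) -> bytes:
    """Pack (r, s) as an ssh-dss signature; refuse parts wider than 160 bits."""
    rlen, slen = (r.bit_length() + 7) // 8, (s.bit_length() + 7) // 8
    if rlen > PART_LEN or slen > PART_LEN:
        # Wording mirrors the error quoted in the question above.
        raise ValueError(f"bad sig size {rlen} {slen}")
    blob = r.to_bytes(PART_LEN, "big") + s.to_bytes(PART_LEN, "big")
    return _ssh_string(KEY_TYPE) + _ssh_string(blob)


def decode_ssh_dss_signature(wire: bytes):
    """Parse an ssh-dss signature and return (r, s) as integers."""
    ktype, off = _take_string(wire, 0)
    blob, off = _take_string(wire, off)
    if ktype != KEY_TYPE or off != len(wire):
        raise ValueError("not a well-formed ssh-dss signature")
    if len(blob) != 2 * PART_LEN:
        raise ValueError(f"bad signature blob length {len(blob)}")
    return int.from_bytes(blob[:PART_LEN], "big"), int.from_bytes(blob[PART_LEN:], "big")


# Constructed sample values (not real signatures); top bit set to force full width.
R160, S160 = (1 << 159) | 0x1234, (1 << 159) | 0x5678  # as from a key with |q| = 160
R256, S256 = (1 << 255) | 0x1234, (1 << 255) | 0x5678  # as from a key with |q| = 256
```

Encoding the 160-bit pair round-trips through the parser, while the 256-bit pair is rejected with the same sizes the question reports (32 and 32).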