Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Thu, 15 May 2008, Steinar H. Gunderson wrote:
> On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote:
>>> Therefore, anyone who had a DSA key has had it compromised...
>> Shouldn't that be anyone who had a DSA key *created by the flawed version of openssl* has had it compromised...? Or are you asserting something stronger?
> No. Any key that had a single DSA signature created by the flawed version of OpenSSL should be considered compromised. DSA requires a secret, random number as part of the signature process; if someone figures it out, or you use the same number twice, the entire secret key falls.

If I understand correctly, it means that if you use a good key with a flawed OpenSSL to connect to another host using that key, then that key can be considered compromised. But what about using a good key on a host with a good OpenSSL, to connect to a server which uses a bad OpenSSL?

regards,
Nicolas

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Fri, May 16, 2008 at 11:26 AM, nicolas vigier [EMAIL PROTECTED] wrote:
> On Thu, 15 May 2008, Steinar H. Gunderson wrote:
>> No. Any key that had a single DSA signature created by the flawed version of OpenSSL should be considered compromised. DSA requires a secret, random number as part of the signature process; if someone figures it out, or you use the same number twice, the entire secret key falls.
> If I understand correctly, it means that if you use a good key with a flawed OpenSSL to connect to another host using that key, then that key can be considered compromised. But what about using a good key on a host with a good OpenSSL, to connect to a server which uses a bad OpenSSL?

The reason the former fails is because DSA needs a random number to generate its signature (as Steinar describes). This signature is obviously generated with the local OpenSSL. Connecting to a remote host with a bad OpenSSL doesn't matter, as the random number is generated with your local good OpenSSL.
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Fri, May 16, 2008 at 05:26:09PM +0200, nicolas vigier wrote:
> If I understand correctly, it means that if you use a good key with a flawed OpenSSL to connect to another host using that key, then that key can be considered compromised.

If I have a DSA key, and the client (my machine) has a bad OpenSSL, then I have exposed my secret key. This is because I generate the random data on the client.

> But what about using a good key on a host with a good OpenSSL, to connect to a server which uses a bad OpenSSL?

Since the random data is generated on the client, I have not exposed my key. However, if Diffie-Hellman key exchange is used, the session key is probably insecure, and thus it is easy to sniff the messages.

Note that this only applies to DSA. RSA keys only use random data to pad the signature (such as in PKCS #1), and so it is much less likely that you have exposed the secret key. (For the unlikely situation that you have, see Low Encryption Exponent Attack against RSA, Applied Cryptography, p. 472.)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Thu, May 15, 2008 at 08:09:12AM +1000, Ben Finney wrote:
> Could you explain the rationale for this? My impression was that DSA was recommended over RSA.

DSA was recommended over RSA in years gone by for reasons of freedom, until late 2000 when MIT's 17-year US patent (4405829) expired on the c=(m^e)%n function and it was subsequently released into the public domain (though they actually released it into the PD two weeks ahead of the patent expiration, IIRC).

-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657); SMTP([EMAIL PROTECTED]); IRC([EMAIL PROTECTED]); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER([EMAIL PROTECTED]); MUD([EMAIL PROTECTED]:6669); WWW(http://fungi.yuggoth.org/); }
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Thu, May 15, 2008 at 08:09:12AM +1000, Ben Finney wrote:
> Roland Mas [EMAIL PROTECTED] writes:
>> - Keys submitted through the web interface are now filtered, and only RSA keys end up in your authorized_keys file. Don't even try putting DSA keys in your authorized_keys2 file, the use of that file has been disabled (and it'll be deleted anyway).
> Could you explain the rationale for this? My impression was that DSA was recommended over RSA.

It used to be that RSA was patented in the United States, and so only DSA, DH, or ElGamal algorithms were appropriate for use in main. Another reason DSA may be preferred is that it produces smaller signatures than RSA. The reason DSA is preferred over RSA for GnuPG keys is because (AIUI) the keyring maintainers no longer accept v3 keys, but only v4, which for a while meant that DSA was the only option. (GnuPG now generates v4 RSA keys as well.)

Still another reason DSA may be preferred over RSA is that it is conjectured that solving the hard problem underlying DSA (the Diffie-Hellman Problem) is as difficult as computing discrete logarithms (the Discrete Logarithm Problem), while the underlying hard problem for RSA (the RSA Problem) is conjectured to be as difficult as the Factoring Problem. If one can solve the Discrete Logarithm Problem, then one can factor, but the reverse is not true. Thus, it is conjectured that DSA is based on a harder problem than RSA.

There are reasons not to prefer DSA. It has a short key size, usually limited to 1024 bits, which is not enough for continued security. Because all signatures are made in the field of q, a 160-bit prime, thus making them no longer than 160 bits, brute-forcing the algorithm is easier than with RSA. Also, DSA absolutely requires a good random number generator for every signature. If the nonce is not chosen randomly, it will leak bits of the key. This is true for all discrete logarithm algorithms.

Therefore, anyone who had a DSA key has had it compromised, and RSA is just as good a choice for a new key.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Wed, May 14, 2008 at 11:12:26PM +0000, brian m. carlson wrote:
> Also, DSA absolutely requires a good random number generator for every signature. If the nonce is not chosen randomly, it will leak bits of the key. This is true for all discrete logarithm algorithms.
> Therefore, anyone who had a DSA key has had it compromised, and RSA is just as good a choice for a new key.

I apologize. Using the same nonce more than once or revealing the nonce does not leak bits of the key; it immediately and trivially reveals the private key. See Applied Cryptography, page 492.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On 14-May-08, 18:12 (CDT), brian m. carlson [EMAIL PROTECTED] wrote:
> Therefore, anyone who had a DSA key has had it compromised...

Shouldn't that be anyone who had a DSA key *created by the flawed version of openssl* has had it compromised...? Or are you asserting something stronger?

Steve

-- 
Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world. -- seen on the net
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote:
>> Therefore, anyone who had a DSA key has had it compromised...
> Shouldn't that be anyone who had a DSA key *created by the flawed version of openssl* has had it compromised...? Or are you asserting something stronger?

No. Any key that had a single DSA signature created by the flawed version of OpenSSL should be considered compromised. DSA requires a secret, random number as part of the signature process; if someone figures it out, or you use the same number twice, the entire secret key falls.

/* Steinar */
-- 
Homepage: http://www.sesse.net/
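The two failure modes named above (someone "figures out" the nonce, or the same nonce is used twice), plus Brian's later correction that this hands over the whole private key rather than a few bits, are easy to make concrete. The block below is an added example written for this page; it is not code from OpenSSL, OpenSSH or any poster. It implements DSA over deliberately tiny, self-generated parameters (q = 65537, p found by search) so that it runs instantly, with the nonce k passed in explicitly so each failure can be reproduced. The key x = 12345, nonce k = 4242 and the two messages are constructed inputs; the "weak RNG" is modelled simply as a nonce space of 2^15 values to brute-force, and is not a claim about the exact output space of the flawed Debian package.

```python
"""Toy DSA: sign, verify, and three ways a bad nonce k yields the private key x.

Added example for this thread (not OpenSSL/OpenSSH code).  q = 65537 and a
matching p are chosen only so this runs instantly; the algebra is full DSA.
"""
import hashlib
from typing import Iterable, Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; fine for the small values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def make_params(q: int = 65537) -> Tuple[int, int, int]:
    """Return (p, q, g): p = cof*q + 1 prime, g = h^cof of exact order q."""
    cof = 2
    while not is_prime(cof * q + 1):
        cof += 1
    p = cof * q + 1
    h, g = 2, pow(2, cof, p)
    while g == 1:                      # skip any h whose power collapses to 1
        h += 1
        g = pow(h, cof, p)
    return p, q, g


P, Q, G = make_params()


def hash_to_int(msg: bytes) -> int:
    """H(m) mod q (real DSA keeps the leftmost bits; same algebraic role)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign(msg: bytes, x: int, k: int) -> Tuple[int, int]:
    """(r, s) with an explicit nonce k; a real signer draws a fresh secret k."""
    if not 0 < k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s


def verify(msg: bytes, sig: Tuple[int, int], y: int) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = hash_to_int(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_x_known_nonce(msg: bytes, sig: Tuple[int, int], k: int) -> int:
    """s = k^-1 (H + x r)  =>  x = (s k - H) r^-1  (mod q)."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, Q) % Q


def recover_x_reused_nonce(m1: bytes, sig1: Tuple[int, int],
                           m2: bytes, sig2: Tuple[int, int]) -> int:
    """Same k => same r, and s1 - s2 = k^-1 (H1 - H2), so k falls out."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs, so the nonces differ; nothing to exploit")
    if s1 == s2:
        raise ValueError("identical signatures carry no extra information")
    k = (hash_to_int(m1) - hash_to_int(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return recover_x_known_nonce(m1, sig1, k)


def recover_x_small_nonce_space(msg: bytes, sig: Tuple[int, int], y: int,
                                candidates: Iterable[int]) -> Optional[int]:
    """If the signer's RNG can only emit a few nonces, try each: the right k
    reproduces r, and the x it gives reproduces the public key y."""
    r, _ = sig
    for k in candidates:
        if pow(G, k, P) % Q == r:
            x = recover_x_known_nonce(msg, sig, k)
            if pow(G, x, P) == y:
                return x
    return None


if __name__ == "__main__":
    x, k = 12345, 4242                       # constructed key and weak nonce
    y = pow(G, x, P)
    m1, m2 = b"git push", b"git pull"        # constructed messages
    s1, s2 = sign(m1, x, k), sign(m2, x, k)
    print("valid:", verify(m1, s1, y), verify(m2, s2, y))
    print("x from known k:", recover_x_known_nonce(m1, s1, k))
    print("x from reused k:", recover_x_reused_nonce(m1, s1, m2, s2))
    print("x from 2^15-value RNG:",
          recover_x_small_nonce_space(m1, s1, y, range(1, 1 << 15)))
```

The point to take from the third function is the one Steinar makes: the attacker never needs the key file. A single signature captured from an SSH authentication (or any DSA signature) plus a guessable nonce is enough, which is why a good key used on a bad client is as lost as a key generated there. Note also that the recovery is exact, not a partial leak; the reused-nonce path needs only two signatures over different messages.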
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Wed, May 14, 2008 at 11:12:26PM +0000, brian m. carlson wrote:
> If one can solve the Discrete Logarithm Problem, then one can factor, but the reverse is not true.

This is the first time I've ever heard anyone claim this; I've seen people and textbooks claim they're roughly equivalent, but not that this is a one-way street. Do you have any references?

/* Steinar */
-- 
Homepage: http://www.sesse.net/
Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
On Thu, May 15, 2008 at 02:00:25AM +0200, Steinar H. Gunderson wrote:
> On Wed, May 14, 2008 at 11:12:26PM +0000, brian m. carlson wrote:
>> If one can solve the Discrete Logarithm Problem, then one can factor, but the reverse is not true.
> This is the first time I've ever heard anyone claim this; I've seen people and textbooks claim they're roughly equivalent, but not that this is a one-way street. Do you have any references?

I read it somewhere, probably on a PGP forum, but apparently that was incorrect. According to http://portal.acm.org/citation.cfm?id=894497 : "To summarize: solving the discrete logarithm problem for a composite modulus is exactly as hard as factoring and solving it modulo primes." I stand corrected.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187