All crypto fails in the presence of a compromised PRNG. You can't accuse DSA of that without also admitting it for everything else.
And since you lifted the "10-foot pole" comment from schneier.com, I'll lift Bruce's response to that very comment: "In general, I don't think there is a difference. Cryptanalytic advances against one transfer to the other."

I don't really want to get argumentative or off-topic though. Alex's response is probably the most thorough piece in a single place on the subject, so I think we can safely put this tangent to rest.

--
Brian Bennett
Systems Engineer, Cloud Operations
Joyent, Inc. | www.joyent.com

> On Aug 31, 2015, at 12:59 PM, Steve <[email protected]> wrote:
>
> On 08/31/2015 02:33 AM, Brian Bennett wrote:
>>> On Aug 28, 2015, at 8:41 PM, Steve <[email protected]> wrote:
>>>
>>> In my mind, it ought to be disabled by default so that you have to know you are lowering, *almost* to the point of entirely losing your security, when you activate it.
>>
>> Not to get too far off topic, but is there actually any evidence to back up that statement? I've been searching for a number of years for someone who can speak intelligently on the topic. As I understand it, statements like this are parroted simply due to key sizes. While ssh-keygen can only create DSA keys of 1024 bits, openssl can generate arbitrarily large DSA keys that can be used with OpenSSH.
>>
>> Do you know of any specific weaknesses of DSA? If DSA is inherently weak, wouldn't that also render ECDSA similarly weak?
>
> DSA fails horribly if you ever use a key on a system with a broken PRNG. Since PRNGs are obviously a prime target for subversion, my gut feeling would be not to touch DSA with a 10-foot pole.
>
> http://www.debian.org/security/2008/dsa-1571
> "Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised;"
>
> Good general view:
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>
> Good read how PRNGs are compromised:
> https://www.schneier.com/paper-yarrow.pdf
>
> Detail on DSA:
> https://www.schneier.com/paper-prngs.pdf
>
> excerpts:
>
> The DSA PRNG
>
> Since this generator appears to come with an NSA stamp of approval, it has been used and proposed for applications quite different than those for which it was originally designed.
>
> Summary: The DSA standard's PRNG appears to be quite secure when used in the application for which it was designed: DSA signature parameter generation. However, it doesn't perform well as a general-purpose cryptographic PRNG because it handles its inputs poorly, and because it recovers more slowly from state compromise than it should.
>
>> Bonus points if you work for the NSA and have something to disclose.
>
> Haha! No, can't say I do, or would for that matter. But you may have 2nd thoughts about using anything they approve of.
>
> --
> Steve
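The thread's technical point, that DSA signing depends on a fresh, unpredictable per-signature nonce k and that a broken PRNG therefore puts the key at risk, can be made concrete from the defender's side. The following is an added example written for this archive page, not code from the list or from any project mentioned in it. It builds a toy DSA with deliberately small parameters (64-bit q, roughly 256-bit p, generated at runtime), derives k with the RFC 6979 HMAC-SHA256 construction so signing never consults the system PRNG at all, contrasts that with a constructed model of a stuck PRNG that returns the same k every time, and runs a simple audit check over the resulting signatures: a repeated r value under one key across different messages is the observable symptom of a repeated nonce. The parameter sizes, the stuck-PRNG model, the `key-A`/`key-B` labels and the sample messages are all constructed for the demonstration.

```python
import hashlib
import hmac
import random

def is_probable_prime(n, rng, rounds=16):  # Miller-Rabin; fine for a toy, not for production
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(qbits=64, pbits=256, seed=1):
    """Toy DSA domain parameters (p, q, g); sizes are deliberately far below real DSA."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    while True:
        q = rng.getrandbits(qbits) | 1 << (qbits - 1) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        m = (rng.getrandbits(pbits - qbits) | 1 << (pbits - qbits - 1)) & ~1  # even, so p is odd
        p = q * m + 1
        if is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g

def bits2int(b, qlen):  # leftmost qlen bits of a byte string (FIPS 186 / RFC 6979 convention)
    return int.from_bytes(b, "big") >> max(0, len(b) * 8 - qlen)

def deterministic_k(x, h1, q):
    """RFC 6979 nonce derivation (HMAC-SHA256): k depends only on the key and message hash."""
    qlen, rlen, hf = q.bit_length(), (q.bit_length() + 7) // 8, hashlib.sha256
    # z1 < 2**qlen < 2q here, so "% q" equals RFC 6979's single conditional subtraction
    seed = x.to_bytes(rlen, "big") + (bits2int(h1, qlen) % q).to_bytes(rlen, "big")
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + seed, hf).digest()
    V = hmac.new(K, V, hf).digest()
    K = hmac.new(K, V + b"\x01" + seed, hf).digest()
    V = hmac.new(K, V, hf).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hf).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hf).digest()
        V = hmac.new(K, V, hf).digest()

def stuck_prng_k(x, h1, q):
    return 0x0BADC0DE % q  # constructed model of a PRNG whose state never changes

def sign(params, x, msg, nonce_source):
    """DSA signing with a pluggable nonce source; refuses to loop forever on a bad source."""
    p, q, g = params
    h1 = hashlib.sha256(msg).digest()
    z = bits2int(h1, q.bit_length()) % q
    for _ in range(64):
        k = nonce_source(x, h1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s
    raise ValueError("nonce source keeps yielding an unusable k")

def verify(params, y, msg, sig):
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    z, w = bits2int(hashlib.sha256(msg).digest(), q.bit_length()) % q, pow(s, -1, q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r

def find_repeated_r(signatures):
    """Audit check: the same r under one key across different messages means the nonce repeated."""
    seen = {}
    for key_id, msg, (r, _s) in signatures:
        seen.setdefault((key_id, r), []).append(msg)
    return {key: msgs for key, msgs in seen.items() if len(msgs) > 1}

def demo():
    params = p, q, g = generate_params()
    x = random.Random(42).randrange(1, q)  # toy private key, seeded for reproducibility
    y = pow(g, x, p)
    msgs = [b"message one", b"message two"]  # constructed sample messages
    good = [("key-A", m, sign(params, x, m, deterministic_k)) for m in msgs]
    bad = [("key-B", m, sign(params, x, m, stuck_prng_k)) for m in msgs]
    return {"all_verify": all(verify(params, y, m, sig) for _, m, sig in good + bad),
            "deterministic": sign(params, x, msgs[0], deterministic_k) == good[0][2],
            "flagged_good": find_repeated_r(good), "flagged_bad": find_repeated_r(bad)}
```

Two things are worth noticing when `demo()` runs. The signatures produced with the stuck PRNG verify just as cleanly as the deterministic ones, so nothing in the verification path tells you the nonce was bad; the repeated-r audit is a separate check that has to be run over collected signatures. And the RFC 6979 path makes k a function of the private key and the message hash alone, which is the standard way to take the system PRNG out of the signing operation entirely; key generation still needs good randomness, which is the part of the Debian incident that deterministic nonces do not address.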
