(I'll admit it, I'm a crypto weenie. I know enough to spell RSA and DSA correctly, and that's about it.) Does anyone have any pointers to informative papers (especially analyses and critiques) to RSA and DSA in particular, and in general, signature algorithms? The only page I've found is in the RSA Labs FAQ, and (obviously) digs into DSA. A co-worker is generating some SSH keys, and it's been some time since I actually looked into either algorithm. PuTTY recommends you avoid DSA, which was a bit of a surprise to me, and prompted this thus-far fruitless search for comparisons/critiques.
Damian Gerow wrote:
PuTTY recommends you avoid DSA, which was a bit of a surprise to me, and prompted this thus-far fruitless search for comparisons/critiques. This is no longer true - link: http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#A.7.3
Thus spake Dave Howe (DaveHowe@gmx.co.uk) [23/05/03 13:09]:
Damian Gerow wrote:
PuTTY recommends you avoid DSA, which was a bit of a surprise to me, and prompted this thus-far fruitless search for comparisons/critiques. This is no longer true - link: http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#A.7.3
From which I quote:
"For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead."
Damian Gerow wrote:
"For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead."
Indeed so - but saying that (in their opinion) RSA IS implemented better and more securely in PuTTY than DSA can hardly be the same as saying DSA should be avoided. As I understand it, the problem with DSA is that it is *very* dependent on the random number being random (collisions leading to weaknesses) - and everyone knows that Windows is bad at RNG. What (as I understand it) the new PuTTY scheme does is use the secret key to obfuscate the random value a little - hashing it with both the private key and the hash of the message being signed - hoping to pull enough entropy out of those two to reduce the possibility of discovery of the random value due to it being limited to a subset of the "range" it should have. Obviously, this approach won't produce gold from straw - you still have a limited set of possible values - but it should distribute them evenly across the range in a key-dependent manner, so that knowledge of the limited possible values would have to be per-key or involve knowledge of the private key (which is a game-over scenario anyhow). So my understanding of the above warning is that the games PuTTY plays with the keyspace are *probably* enough to fix the lousy randomness of the Windows platform - but they recommend that you use RSA, where the randomness of a PRNG is not an issue.
Thus spake Dave Howe (DaveHowe@gmx.co.uk) [23/05/03 14:54]:
Damian Gerow wrote:
"For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead."
Indeed so - but saying that (in their opinion) RSA IS implemented better and more securely in PuTTY than DSA can hardly be the same as saying DSA should be avoided. As I understand it, the problem with DSA is that it is *very*
And the context of what I was talking about was PuTTY.
dependent on the random number being random (collisions leading to weaknesses) - and everyone knows that Windows is bad at RNG. What (as I understand it) the new PuTTY scheme does is use the secret key to obfuscate the random value a little - hashing it with both the private key and the hash of the message being signed - hoping to pull enough entropy out of those two to reduce the possibility of discovery of the random value due to it being limited to a subset of the "range" it should have. Obviously, this approach won't produce gold from straw - you still have a limited set of possible values - but it should distribute them evenly across the range in a key-dependent manner, so that knowledge of the limited possible values would have to be per-key or involve knowledge of the private key (which is a game-over scenario anyhow). So my understanding of the above warning is that the games PuTTY plays with the keyspace are *probably* enough to fix the lousy randomness of the Windows platform - but they recommend that you use RSA, where the randomness of a PRNG is not an issue.
Alrighty, that makes more sense. Thanks.
At 07:44 PM 5/23/03 +0100, Dave Howe wrote: ...
Indeed so - but saying that (in their opinion) RSA IS implemented better and more securely in PuTTY than DSA can hardly be the same as saying DSA should be avoided. As I understand it, the problem with DSA is that it is *very* dependent on the random number being random (collisions leading to weaknesses) - and everyone knows that Windows is bad at RNG. What (as I understand it) the new PuTTY scheme does is use the secret key to obfuscate the random value a little - hashing it with both the private key and the hash of the message being signed - hoping to pull enough entropy out of those two to reduce the possibility of discovery of the random value due to it being limited to a subset of the "range" it should have. Obviously, this approach won't produce gold from straw - you still have a limited set of possible values - but it should distribute them evenly across the range in a key-dependent manner, so that knowledge of the limited possible values would have to be per-key or involve knowledge of the private key (which is a game-over scenario anyhow)
If you're willing to make some plausible assumptions about SHA1, you can do this with a lot of confidence. SHA1(secret_key || hash(message)) is deterministic, but an attacker who doesn't know secret_key cannot distinguish it from random, and so can't predict it. Conditioned on the attacker's knowledge and computing resources, the random number generated in this way is uniformly distributed. This depends on an (IMO) unprovable assumption about SHA1: that the expected work needed to predict its output is approximately bounded by the lower of 2^{160} or the expected work needed to guess its input. FIPS186 (the document that specifies DSA) proposes a cryptographic pseudorandom number generator for use with DSA. That PRNG depends on more-or-less the same property, though it only uses SHA1's compression function. There was a Eurocrypt article describing this kind of idea a couple of years back, though I think they did something a little more mathematically clean than relying on SHA1 directly. (I'm away from my books, so you'll have to look it up yourself if you're interested.)
So my understanding of the above warning is that the games PuTTY plays with the keyspace are *probably* enough to fix the lousy randomness of the Windows platform - but they recommend that you use RSA, where the randomness of a PRNG is not an issue.
RSA doesn't need randomness in generating signatures, though if you're generating the keypair on the same device, you really need to have some confidence in your random numbers, or you'll shoot yourself in the foot. And if you want to blind RSA to prevent timing and some power analysis attacks, you'll need to have a source of random or cryptographic pseudorandom numbers.
--John Kelsey, kelsey.j@ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
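The derivation Kelsey sketches, k = SHA1(secret_key || hash(message)), and the key-dependent nonce Howe attributes to PuTTY, worked through in a constructed toy DSA. This is an added example, not code from the thread or from PuTTY: it generates its own tiny parameters (a Mersenne prime as q, a Pocklington-proven p), which are not a FIPS 186 parameter set, and `det_nonce` is a hypothetical name for the nonce function.

```python
import hashlib
import math
import random

# Constructed toy DSA: the nonce is SHA1(private key || H(message)) rather than a
# fresh random value, the key-dependent derivation the thread describes. Sizes
# are deliberately tiny and are not a FIPS 186 parameter set.
Q = 2**61 - 1   # Mersenne prime M61, used as the subgroup order q

def params(q=Q):
    """p = k*q + 1, proven prime by Pocklington's test (q prime, q > sqrt(p))."""
    k = 2                                   # even k keeps p odd
    while True:
        p = k * q + 1
        if pow(2, p - 1, p) == 1 and math.gcd(pow(2, k, p) - 1, p) == 1:
            return p, q, pow(2, k, p)       # 2^k != 1 (mod p), so g = 2^k has order q
        k += 2

def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def det_nonce(x, hm, q, ctr=0):
    """k from the private key x and H(m); ctr only changes if r or s came out 0."""
    seed = x.to_bytes(8, "big") + hm.to_bytes(8, "big") + bytes([ctr])
    return int.from_bytes(hashlib.sha1(seed).digest(), "big") % (q - 1) + 1

def keygen(p, q, g):
    x = random.randrange(1, q)              # demo only: use secrets in real code
    return x, pow(g, x, p)                  # private x, public y

def sign(p, q, g, x, msg):
    hm = hash_mod_q(msg, q)
    for ctr in range(256):
        k = det_nonce(x, hm, q, ctr)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hm + x * r) % q   # pow(k, -1, q) needs Python >= 3.8
        if r and s:
            return r, s
    raise RuntimeError("no valid signature found")

def verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, hm = pow(s, -1, q), hash_mod_q(msg, q)
    v = pow(g, hm * w % q, p) * pow(y, r * w % q, p) % p
    return v % q == r
```

Signing the same message twice under one key yields the identical signature, which is exactly the "no fresh randomness needed per signature" property the thread is after; a different key or message gives a different nonce.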
On Fri, 23 May 2003, Damian Gerow wrote:
(I'll admit it, I'm a crypto weenie. I know enough to spell RSA and DSA correctly, and that's about it.)
Does anyone have any pointers to informative papers (especially analyses and critiques) to RSA and DSA in particular, and in general, signature algorithms? The only page I've found is in the RSA Labs FAQ, and (obviously) digs into DSA. A co-worker is generating some SSH keys, and it's been some time since I actually looked into either algorithm. PuTTY recommends you avoid DSA, which was a bit of a surprise to me, and prompted this thus-far fruitless search for comparisons/critiques.
You might find this interesting: http://csrc.nist.gov/CryptoToolkit/tkdigsigs.html I'd think a web search on buzz words found there would come up with something to read :-)
Patience, persistence, truth, Dr. mike
Thus spake Mike Rosing (eresrch@eskimo.com) [23/05/03 13:32]:
You might find this interesting: http://csrc.nist.gov/CryptoToolkit/tkdigsigs.html
I'll check it out. Thanks.
I'd think a web search on buzz words found there would come up with something to read :-)
Wrong buzzwords -- Dynamic Systems Analyst, Dynamic Signal Acquisition, Decision Support and Analysis, Design Sensitivity Analysis, etc. etc.
On Fri, 23 May 2003, Damian Gerow wrote:
Wrong buzzwords -- Dynamic Systems Analyst, Dynamic Signal Acquisition, Decision Support and Analysis, Design Sensitivity Analysis, etc. etc.
Yeah, that looks like the "1 from each column" joke :-)
Patience, persistence, truth, Dr. mike
----- Original Message -----
From: "Damian Gerow" <dgerow@afflictions.org>
To: <cypherpunks@einstein.ssz.com>
Sent: Friday, May 23, 2003 9:30 AM
Subject: RSA/DSA questions
It depends on what is meant by RSA signatures: 9796 is effectively dead, RSA PKCS #1 v1.5 is certainly no longer competitive security-wise, PSS is exceptional, and those are the first 3 that come to mind. Going from this I would recommend DSA above 9796 and PKCS #1 v1.5. DSA vs PSS though is significantly more complicated. Both DSA and PSS rely on the randomness of the RNG (contrary to popular belief, Windows is not inherently bad at RNGs; it's just that it doesn't come with a good one). Collisions in PSS are less critical than in DSA (an output collision reveals only that the RNG and hash spit out the same values twice), but PSS suffers from IFP's weakness versus DLP. This stems from several solid proofs that IFP (integer factoring) can be no harder than DLP (integer discrete logarithm), and may be mitigated if you believe that DLP and IFP will reduce to the same problem (the current algorithms indicate this may indeed be the case), but in the immediate future DLP is inherently more difficult than IFP. PSS gains though in that, without breaking any standard that I'm aware of, the modulus can be extended indefinitely, whereas DSA1 (don't recall DSA2 immediately having such an issue, but I don't recall DSA2 specifics immediately) has a standard limit of 1024-bit (the maths scales indefinitely though). The other thing to consider is speed: since you're using this for SSH, it may be important that the server be capable of more connections per time, in which case DSA is the clear winner (RSA wins for verification though for a typical implementation).
From most perspectives the two algorithms simply target different positions; neither one is inherently more secure than the other. Personally I have an affinity for DSA, but that is a personal preference without any fundamental reason. Pointers to the information itself are out of my immediate reach; I just upgraded my computer and have yet to completely restore the crypto data.
Joseph Ashwood
Trust Laboratories Changing Software Development http://www.trustlaboratories.com
Although most of this was way above my head at first reading (subsequent readings make more sense)... Thus spake Joseph Ashwood (ashwood@msn.com) [23/05/03 19:32]:
future DLP is inherently more difficult than IFP. PSS gains though in that, without breaking any standard that I'm aware of, the modulus can be extended indefinitely, whereas DSA1 (don't recall DSA2 immediately having such an issue, but I don't recall DSA2 specifics immediately) has a standard limit of 1024-bit (the maths scales indefinitely though). The other thing to
Thanks! This was definitely a followup item -- in relation to PGP, why DSA signatures are always 1024-bit, even if I've got a 4096-bit key.
consider is speed: since you're using this for SSH, it may be important that the server be capable of more connections per time, in which case DSA is the clear winner (RSA wins for verification though for a typical implementation).
Again, thanks -- this was yet another followup question.