RSA/DSA questions

Dave Howe DaveHowe at gmx.co.uk
Fri May 23 11:44:17 PDT 2003


Damian Gerow wrote:
>     "For this reason we now believe PuTTY's DSA implementation is
>     probably OK. However, if you have the choice, we still recommend
>     you use RSA instead."
Indeed so - but saying that (in their opinion) RSA IS implemented better and
more securely in PuTTY than DSA can hardly be the same as saying DSA should
be avoided. As I understand it, the problem with DSA is that it is *very*
dependent on the random number being random (collisions leading to
weaknesses) - and everyone knows that Windows is bad at RNG. What (as I
understand it) the new PuTTY scheme does is use the secret key to obfuscate the
random value a little - hashing it with both the private key and the hash of
the message being signed - hoping to pull enough entropy out of those two to
reduce the possibility of discovery of the random value due to it being
limited to a subset of the "range" it should have. Obviously, this approach
won't produce gold from straw - you still have a limited set of possible
values - but it should distribute them evenly across the range in a
key-dependent manner, so that knowledge of the limited possible values would
have to be per-key or involve knowledge of the private key (which is a
game-over scenario anyhow).
So my understanding of the above warning is that the games PuTTY plays with
the keyspace are *probably* enough to fix the lousy randomness of the Windows
platform - but they recommend that you use RSA where the randomness of a
PRNG is not an issue.
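As an added illustration of the nonce problem and the mitigation described in the post (example code written for this page, not PuTTY's code and not from the list), here is a toy DSA with constructed parameters: a weak RNG that hands back the same raw value twice gives two signatures with the same r, from which the private key falls out, while deriving k by hashing the private key, the message hash and the raw value together keeps k per-message. The group P=2039, Q=1019, G=4, the private key 777 and the exact hash layout are assumptions for the demo, not PuTTY's actual construction.

```python
# Added example (not from the post): toy DSA over tiny constructed parameters,
# showing the nonce-collision weakness and the key/message-mixed nonce mitigation.
import hashlib

P, Q, G = 2039, 1019, 4   # constructed toy group: Q prime, Q | P-1, G has order Q
X = 777                   # private key (constructed); public key Y = G^X mod P
Y = pow(G, X, P)

def hmsg(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def derive_k(x: int, h: int, raw: int, ctr: int = 0) -> int:
    """k = H(private key | H(m) | raw RNG output | counter) mod Q: a repeated raw
    value still yields a per-message k, and knowing raw alone does not give k."""
    return int.from_bytes(hashlib.sha256(b"%d|%d|%d|%d" % (x, h, raw, ctr)).digest(), "big") % Q

def sign(x: int, m: bytes, k: int) -> tuple:
    r = pow(G, k, P) % Q
    return r, pow(k, -1, Q) * (hmsg(m) + x * r) % Q

def sign_mixed(x: int, m: bytes, raw: int) -> tuple:
    for ctr in range(256):                     # re-derive only if k, r or s is zero
        k = derive_k(x, hmsg(m), raw, ctr)
        r, s = sign(x, m, k) if k else (0, 0)
        if r and s:
            return r, s
    raise RuntimeError("no usable nonce")

def verify(y: int, m: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(G, hmsg(m) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r

def recover_key(m1: bytes, sig1: tuple, m2: bytes, sig2: tuple):
    """Two signatures sharing r (same k) on different messages leak x; None otherwise."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None
    k = (hmsg(m1) - hmsg(m2)) * pow(s1 - s2, -1, Q) % Q       # k = (h1-h2)/(s1-s2)
    return (s1 * k - hmsg(m1)) * pow(r1, -1, Q) % Q           # x = (s1*k-h1)/r

def demo(raw: int = 7) -> dict:
    """Simulate a weak RNG returning the same raw value for two signatures."""
    m1, m2 = b"message one", b"message two"
    weak = sign(X, m1, raw), sign(X, m2, raw)             # raw value used as k directly
    mixed = sign_mixed(X, m1, raw), sign_mixed(X, m2, raw)
    return {"weak_valid": verify(Y, m1, weak[0]) and verify(Y, m2, weak[1]),
            "weak_leaks_key": recover_key(m1, weak[0], m2, weak[1]) == X,
            "mixed_valid": verify(Y, m1, mixed[0]) and verify(Y, m2, mixed[1]),
            "mixed_r_differ": mixed[0][0] != mixed[1][0],
            "mixed_leaks_key": recover_key(m1, mixed[0], m2, mixed[1]) == X}
```

The toy group is far too small for real use; with it the demonstration runs instantly, and the same arithmetic is what makes nonce reuse fatal at real DSA sizes.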