Re: Inconsistency between legacy and release notes?

On 2016-11-25T10:58, Pedro Melo <melo@xxxxxxxxxxxxxxxx> wrote:
> Hi,
> 
> Someone told me that DSA keys were being deprecated with OpenSSH 7.0. The only reference I could find about this topic on the OpenSSH site is on the legacy page:
> 
> “OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.”
> 
> There is no explanation about the weakness. But more than that, I could not find any mention of this deprecation in the OpenSSH 7.0, 7.1, 7.2 and 7.3 release notes.
> 
> So my question is: are DSA keys really deprecated?

AFAIK it's because DSA key size has (for very weird reasons admittedly:
FIPS 186-4) been limited to 1024 bits, which is considered weak nowadays.
Also, DSA has the inherent weakness that a random number is used in
producing a DSA signature. If such a random number were ever reused, an
attacker could easily calculate the secret key from just looking at the
signatures. This means that DSA together with a weak source of
randomness endangers your keys and therefore your machines.

There is a workaround for the weak randomness problem (derive the
'random' number deterministically from the message and the secret key),
and I think it's implemented in OpenSSH. But that doesn't take care of
all the old installations and different SSH implementations. Therefore,
since DSA keys are too small anyways, it's just better to get rid of it
altogether.



Ciao,

Alexander Wuerstlein.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
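
The random-number point in the reply above, as an added example that is not part of the original message and not OpenSSH code: textbook DSA over a constructed toy group, signing once with a stuck nonce and once with a nonce derived from the key and the message, plus an audit that flags one r value appearing with different s values. All names, parameters and messages are assumptions made for the illustration, and the HMAC derivation is a simplified stand-in for a deterministic-nonce scheme.

```python
import hashlib, hmac

def is_prime(n):  # Miller-Rabin; this base set is deterministic for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def composite(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1))
    return not any(composite(a) for a in bases)

# Constructed demo group, far too small for real use: Q prime, P = j*Q + 1 prime, G of order Q.
Q = 2**61 - 1
P = next(j * Q + 1 for j in range(2, 10**6, 2) if is_prime(j * Q + 1))
G = next(g for b in range(2, 50) if (g := pow(b, (P - 1) // Q, P)) != 1)

def h(msg):  # hash reduced mod Q (a simplification of DSA's truncation rule)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, k):  # textbook DSA signature (r, s) with caller-supplied nonce k
    r = pow(G, k, P) % Q
    return r, pow(k, -1, Q) * (h(msg) + x * r) % Q

def verify(y, msg, sig):
    r, s = sig
    w = pow(s, -1, Q)
    return pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def derived_nonce(x, msg):  # nonce from key + message; simplified, not RFC 6979 itself
    mac = hmac.new(x.to_bytes(8, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1

def reused_nonces(sigs):  # r values seen with more than one s: same nonce, different messages
    seen = {}
    for r, s in sigs:
        seen.setdefault(r, set()).add(s)
    return {r for r, ss in seen.items() if len(ss) > 1}

X = 123456789                      # constructed private key
Y = pow(G, X, P)                   # matching public key
MSGS = [b"login alice", b"login bob", b"login alice"]  # constructed; one repeat
STUCK_K = 424242                   # models an RNG that returns the same value every time
weak = [sign(X, m, STUCK_K) for m in MSGS]
safe = [sign(X, m, derived_nonce(X, m)) for m in MSGS]
print("stuck RNG, reused r:", reused_nonces(weak))
print("derived nonce, reused r:", reused_nonces(safe))
```

With the derived nonce, signing the same message twice yields the identical signature, so the audit keys on differing s values rather than on a repeated r alone.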



