Re: Can we disable diffie-hellman-group14-sha1 by default?


Yegor Ievlev <koops1997@xxxxxxxxx> writes:

> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.

I suggest you re-read RFC 8332 section 5.3 as they do NOT use PSS, they
use RSASSA-PKCS1-v1_5 signature padding.

| 5.3.  PKCS #1 v1.5 Padding and Signature Verification
| 
|    This document prescribes RSASSA-PKCS1-v1_5 signature padding because:
| 
|    (1)  RSASSA-PSS is not universally available to all implementations;
|    (2)  PKCS #1 v1.5 is widely supported in existing SSH
|         implementations;
|    (3)  PKCS #1 v1.5 is not known to be insecure for use in this scheme.
| 
|    Implementers are advised that a signature with RSASSA-PKCS1-v1_5
|    padding MUST NOT be verified by applying the RSA key to the
|    signature, and then parsing the output to extract the hash.  This may
|    give an attacker opportunities to exploit flaws in the parsing and
|    vary the encoding.  Verifiers MUST instead apply RSASSA-PKCS1-v1_5
|    padding to the expected hash, then compare the encoded bytes with the
|    output of the RSA operation.

	-- Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
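
The two verification strategies that section 5.3 contrasts, as an added example; this is not code from the thread or from OpenSSH, and it depends on nothing beyond the Python standard library. The toy key generation, the SHA-256 DigestInfo prefix and the deliberately lenient parser are this example's own; the forgery that defeats the lenient parser is Bleichenbacher's well-known 2006 e=3 construction, which is the kind of "vary the encoding" attack the RFC text alludes to without naming it.

```python
"""RFC 8332 section 5.3 in practice: verify RSASSA-PKCS1-v1_5 by re-encoding the
expected hash and comparing, never by parsing the RSA output. Pure Python 3.8+;
the key generation is a toy, and e = 3 is used only so the forgery is cheap."""
import hashlib
import hmac
import secrets
from math import gcd

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32) }
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=40):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits=2048, e=3):
    """Toy RSA key (n, e, d); primes are chosen with gcd(p - 1, e) == 1."""
    def prime(half):
        while True:
            p = secrets.randbits(half) | (1 << (half - 1)) | 1
            if gcd(p - 1, e) == 1 and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15_encode(message, k):
    """EM = 00 01 || FF..FF || 00 || DigestInfo(SHA-256(message)), k bytes."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify_by_comparison(message, signature, n, e):
    """What RFC 8332 5.3 requires: re-encode the expected hash, then compare."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def verify_by_parsing(message, signature, n, e):
    """What RFC 8332 5.3 forbids, with a historically common flaw: the parser
    extracts the hash but never checks that DigestInfo ends exactly at EM's end."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= k or em[i] != 0x00:  # at least eight FF bytes, then 00
        return False
    body = em[i + 1:]
    if not body.startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    h = body[len(SHA256_DIGESTINFO_PREFIX):][:32]
    return h == hashlib.sha256(message).digest()  # bytes after h: never checked


def forge_e3(message, n):
    """Bleichenbacher's 2006 forgery against parsers like verify_by_parsing when
    e == 3: a well-formed prefix in the high bytes, free bits below, cube root.
    Since s**3 < n the reduction mod n does nothing. No private key involved."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    free_bits = 8 * (k - len(prefix))
    target = int.from_bytes(prefix, "big") << free_bits
    r = 1 << ((target.bit_length() + 2) // 3)  # overestimate of cbrt(target)
    while (nr := (2 * r + target // (r * r)) // 3) < r:  # integer Newton
        r = nr
    s = r + 1 if r ** 3 < target else r  # ceil(cbrt(target))
    assert s ** 3 < target + (1 << free_bits) < n  # prefix intact, no wrap
    return s.to_bytes(k, "big")
```

Running `sign` on a message and then both verifiers shows the point of the RFC text: a genuine signature passes both, while the output of `forge_e3` (produced without the private key) passes `verify_by_parsing` and fails `verify_by_comparison`. The comparison verifier never has to reason about how many FF bytes, which DigestInfo encoding or which trailing bytes are acceptable, because it accepts exactly one byte string; that is why the RFC phrases the requirement as a MUST rather than as advice to parse carefully. The forgery needs a small public exponent and a modulus much larger than the DigestInfo, but the comparison rule is the right defence whatever the exponent, since any parser leniency becomes an attacker-controlled degree of freedom.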