Re: [Cfrg] Fwd: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm

denis bider <ietf-cfrg@denisbider.com> Sat, 31 October 2015 08:38 UTC

Date: Sat, 31 Oct 2015 08:38:09 +0000
Message-ID: <1401320165-1784@skroderider.denisbider.com>
From: denis bider <ietf-cfrg@denisbider.com>
To: cfrg@irtf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/bU0VCk1pUlRQ_sgzT8EWDw4AKlo>
Cc: pgut001@cs.auckland.ac.nz
Subject: Re: [Cfrg] Fwd: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm

My understanding is it's common to feed the entropy of the message being signed into the RNG to prevent "k" reuse during e.g. VM state resumption.

Furthermore, RFC 6979 specifies how to implement deterministic DSA, which does not lose compatibility with unaware implementations.

I have updated the draft, which now additionally defines "rsa-sha2-256", which also requires a facelift:

http://www.denisbider.com/draft-rsa-dsa-sha2-256.txt

The Security Considerations section now references RFC 6979 and recommends deterministic signatures with DSA.

BTW - Hanno Boeck: Your messages are coming across in a way that requires an attachment to be opened in order to see message contents. I would not have opened the TXT attachment if it wasn't for Peter Gutmann's reply.

I believe this is due to the use of "Content-Type: multipart/signed", which is not recognized by all email software.

----- Original Message -----
From: Damien Miller
Sent: Friday, October 30, 2015 16:27
To: denis bider
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm

On Thu, 29 Oct 2015, denis bider wrote:

> Because variety is good. At Bitvise, our software supports ECDSA over NIST
> curves, and I'm going to implement EdDSA. However, if something turns out to
> be not-as-great-as-we-expected with elliptic crypto, RSA would be all we
> have left.
> 
> Everything in elliptic curve is too many eggs in one basket, I reckon.
> 
> What's wrong with large-key DSA?

It breaks in the most catastrophic possible way (private key leak) when a
less-than-perfect PRNG is used.

-d
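The RFC 6979 nonce derivation that denis refers to above, written out as an added example (this is not code from the thread, from the draft, or from any of the implementations mentioned). It assumes the DSA subgroup order q, the private key x, the message bytes and a hash name as inputs, and returns the deterministic k that stands in for the PRNG output whose weakness Damien Miller's reply warns about.

```python
import hashlib
import hmac

def _bits2int(data: bytes, qlen: int) -> int:
    """Leftmost qlen bits of data as a big-endian integer (RFC 6979, 2.3.2)."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value

def _int2octets(value: int, rolen: int) -> bytes:
    """Big-endian encoding of value in exactly rolen bytes (RFC 6979, 2.3.3)."""
    return value.to_bytes(rolen, "big")

def _bits2octets(data: bytes, q: int, qlen: int, rolen: int) -> bytes:
    """bits2int, reduce modulo q, then int2octets (RFC 6979, 2.3.4)."""
    return _int2octets(_bits2int(data, qlen) % q, rolen)

def rfc6979_k(q: int, x: int, message: bytes, hash_name: str = "sha256") -> int:
    """Per-message DSA nonce k from (q, x, H(message)) per RFC 6979 section 3.2.
    Same key and message always yield the same k, so signing never consults an
    RNG and a restored VM snapshot or a weak PRNG cannot make k repeat."""
    hlen = hashlib.new(hash_name).digest_size
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    h1 = hashlib.new(hash_name, message).digest()
    seed = _int2octets(x, rolen) + _bits2octets(h1, q, qlen, rolen)
    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hash_name).digest()
    # HMAC_DRBG instantiation with the private key and message hash (steps b..g)
    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    # Generate candidates until one lands in [1, q-1] (step h)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(k, v)
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        k = mac(k, v + b"\x00")
        v = mac(k, v)
```

The resulting k is fed into the ordinary DSA signing equations unchanged, which is why a verifier unaware of RFC 6979 still accepts the signature.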