Date: Sat, 13 Apr 2002 01:27:07 +1000
From: Joshua Goodall
To: Garrett Wollman
Cc: Archie Cobbs, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, des@freebsd.org
Subject: Re: cvs commit: src/crypto/openssh servconf.c
Message-ID: <20020412152707.GD8927@roughtrade.net>
References: <200204112204.g3BM4eK56395@freefall.freebsd.org> <200204120044.g3C0i7W08442@arch20m.dellroad.org> <200204120313.g3C3DnP83776@khavrinen.lcs.mit.edu>
In-Reply-To: <200204120313.g3C3DnP83776@khavrinen.lcs.mit.edu>

On Thu, Apr 11, 2002 at 11:13:49PM -0400, Garrett Wollman wrote:
> I'm not DES, but I can at least make a crack at it.
>
> RSA and DSA are believed to be of comparable cryptographic strength,
> given the key sizes commonly used today.

At the recent Financial Cryptography '02 panel debates, it was put forward that 1024-bit RSA cracking was now well within the cost bounds of many governments and corporations. On the edge of paranoia, some people are now revoking 1024-bit RSA keys and replacing them with 2048-bit keys.

DSA's strength, like Diffie-Hellman's, is based on the problem of finding discrete logs in finite fields. I'm no cryptographer, but last I looked, the difficulty bounded RSA's; that is, if you have a general algorithm to find those logs swiftly (i.e. broke DSA) then you can also factor large primes (i.e. you broke RSA).
See also: http://www.scramdisk.clara.net/pgpfaq.html#SubRSADH which appears to suggest that the discrete-logs-based public key systems are evaluating as "stronger", although it falls shy of actually recommending DSA over RSA.

> IIRC, when the SSHv2 protocol is officially blessed by the IETF,
> RSA will be required and DSA will be an option.

Other way around, I think - the current SecSH draft lists ssh-dss (that is, DSA) as the only REQUIRED public key type, with RSA as RECOMMENDED. It's at: http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-14.txt

I personally was happy with the 1024-bit DSA key choice that was in place prior to the 3.1 import, and am less comfortable with the 1024-bit RSA that some bleeding-edge cypherpunks are already revoking.

Joshua
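For anyone wanting to find the 1024-bit keys this thread is about, here is an added example (not part of the original message or of OpenSSH) that reads SSH public key lines and reports the key type and size from the key blob itself. The function names, the 2048-bit floor and the sample keys are assumptions made for illustration; lines are assumed to be in the plain "type base64 comment" form with no options prefix.

```python
import base64

def read_string(blob, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def key_strength(line):
    """Return (key_type, bits) for one 'type base64 [comment]' public key line."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    name, off = read_string(blob, 0)
    key_type = name.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("declared type does not match key blob")
    if key_type == "ssh-rsa":      # blob: name, mpint e, mpint n
        _e, off = read_string(blob, off)
    elif key_type != "ssh-dss":    # ssh-dss blob: name, mpint p, q, g, y
        raise ValueError("unsupported key type: " + key_type)
    size_field, _ = read_string(blob, off)   # n for RSA, p for DSA
    return key_type, int.from_bytes(size_field, "big").bit_length()

def weak_keys(lines, min_bits=2048):   # 2048 is an assumed policy floor
    """Return (key_type, bits, comment) for every key below min_bits."""
    found = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_type, bits = key_strength(line)
        if bits < min_bits:
            found.append((key_type, bits, " ".join(line.split()[2:])))
    return found

def make_line(key_type, ints, comment):
    """Build a CONSTRUCTED key line from integers; these are not usable keys."""
    parts = [key_type.encode()] + [i.to_bytes(i.bit_length() // 8 + 1, "big") for i in ints]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

SAMPLE = [  # constructed test input, sized to match the key lengths discussed
    make_line("ssh-rsa", [65537, (1 << 1023) | 1], "old-rsa"),
    make_line("ssh-rsa", [65537, (1 << 2047) | 1], "new-rsa"),
    make_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "old-dsa"),
]

if __name__ == "__main__":
    print(weak_keys(SAMPLE))
```

The size is taken from the RSA modulus n or the DSA prime p, so a key whose comment or file name claims a larger size is still measured correctly.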