> From: owner-openssl-us...@openssl.org On Behalf Of no_spam...@yahoo.com
> Sent: Monday, 03 June, 2013 11:18
> To: openssl-users@openssl.org
> Subject: Re: openssl 1..0.1e -bad sig size 32 32 for DSA 2048 keys
>
> My understanding is that 2048-bit DSA keys (with |q|=256) are
> currently supported - at least they seem to be in 1.0.1e and
> fips-2.0.2. And "by supported" I mean that they can be 1)
> generated and 2) used with TLS provided the
> signature_algorithms extension is used so that SHA256 can be
> specified as the algorithm to use in digital signatures.
>

The primitives for DSA-2048/256, 2048/224 *except* generation as you correctly note, and 3072/256 are supported since 1.0.0. (0.9.8 actually supported DSA-(>1024)/160 with SHA1, but that wasn't and isn't standard because the strength is unbalanced.)

Certs/keys using those signatures could already be used in SSL3/TLS1.0/1.1 if both endpoints support. TLS1.2 adds the nominal ability to negotiate this in the extension, and 1.0.1 implements TLS1.2, but the way openssl configures the server key/cert so this doesn't get you much. Without sigalg extension, openssl server may use DSA-2048 for a DSA suite and an incapable client cannot verify; with sigalg the handshake fails because the cert does not qualify. Only if you also have another key/cert for a different algorithm, for a mutually acceptable but lower priority suite, can this help.

But the original post 5/20 was about DSA-2048 *in SSH* (and openssh). AFAICS still-current SSH specs use 186-2 (old-DSA-512-to-1024) and current openssh implements that. Nothing openssl does can add the new 186-3 sizes to SSH.

> If you specify you want a key length of 2048-bits, the
> OpenSSL implementation gives you one with |q|=256| which
> meets FIPS 186-3. (As a side note, even though FIPS 186-3
> also allows 2048-bit with |q|=224, it doesn't look like you
> can actually get OpenSSL to produce such a key. If I'm wrong
> on this point, someone please correct me.)

You're right -- unless you cheat and call the internal routine directly, or patch it.

> > From: Cipher <dhanukumar1...@gmail.com>
> >To: openssl-users@openssl.org
> >Sent: Monday, June 3, 2013 2:12 AM
> >Subject: RE: openssl 1..0.1e -bad sig size 32 32 for DSA 2048 keys
> >
> >
> >Thanks for the quick reply.
> >Since FIPS-140-3 may limit DSA key limit to be not less than 2048, Is there
> >a chance of 2048 DSA key support in the near future upstream versions of
> >openssl?

Nit: I see no hint 140-3 itself will specify sizes. I expect sizes will continue to be specified as now for 140-2 in CMVP guidance, probably as now largely by reference to 800-131A and/or 800-57 (part1 updated to rev3 last fall). But if you really meant FIPS-140 *validation and approved use* will require DSA >= 2048/224, yes.

And if the SSH folks care about "FIPS" usage (and users), they'll need to change. FWIW I note 800-57 part3 from 2009 which has specifics for several "applications" (really protocols) includes TLS but not SSH. Page 6 includes SSH in a list of "additional subjects" for "[f]uture versions" but so far I've seen no public evidence of work on an update.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
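
Why a DSA-2048/256 signature cannot be carried in SSH, as the reply above notes, shown as an added example (not part of the original message, and not OpenSSL or OpenSSH code): RFC 4253 section 6.6 fixes the `ssh-dss` signature blob at two 160-bit integers, so r and s from a 224- or 256-bit q do not fit. The function and constant names, the sample r/s values and the error text (modelled on the thread's subject line) are assumptions of this example.

```python
# Added illustration; names and sample values are constructed for this example.
SSH_DSS_INT_LEN = 20                    # RFC 4253 6.6: r and s are 160-bit integers
SSH_DSS_BLOB_LEN = 2 * SSH_DSS_INT_LEN  # fixed 40-byte blob, no length prefixes


def int_len(n: int) -> int:
    """Minimal number of bytes needed to hold a non-negative integer."""
    return max(1, (n.bit_length() + 7) // 8)


def ssh_dss_signature_blob(r: int, s: int) -> bytes:
    """Pack (r, s) as the fixed-size ssh-dss signature blob.

    Raises ValueError when either value needs more than 20 bytes, which is
    what happens with signatures from FIPS 186-3 keys where |q| is 224 or 256.
    """
    rlen, slen = int_len(r), int_len(s)
    if rlen > SSH_DSS_INT_LEN or slen > SSH_DSS_INT_LEN:
        raise ValueError(f"bad sig size {rlen} {slen}")
    # Left-pad each value with zeros to exactly 20 bytes, big-endian.
    return r.to_bytes(SSH_DSS_INT_LEN, "big") + s.to_bytes(SSH_DSS_INT_LEN, "big")


def fits_ssh_dss(q_bits: int) -> bool:
    """r and s are reduced mod q, so they can need up to |q| bits."""
    return (q_bits + 7) // 8 <= SSH_DSS_INT_LEN


# Constructed sample values (not real signatures): top bit set so the
# integers need the full 160 or 256 bits.
R160, S160 = (1 << 159) | 0x1234, (1 << 159) | 0x5678
R256, S256 = (1 << 255) | 1, (1 << 255) | 2

if __name__ == "__main__":
    print(len(ssh_dss_signature_blob(R160, S160)), "byte blob for |q|=160")
    for q_bits in (160, 224, 256):
        print(f"|q|={q_bits}: fits ssh-dss blob = {fits_ssh_dss(q_bits)}")
    try:
        ssh_dss_signature_blob(R256, S256)
    except ValueError as exc:
        print("|q|=256:", exc)
```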