
In my hopes to use ssh-agent to generate a signature as password I implicitly assumed a deterministic signature. DSA is, however, supposed to take a random value k for signing. However, that randomness is merely required for preventing attackers from obtaining the private key from the signatures of different messages. I used this Python script (slightly modified the output) to obtain the signature of a test message. However, even after reconnecting or restarting the ssh-agent (OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007 from msysgit 1.7.11), the signature of that message remains the same. But is this a behaviour I can rely on, or could this change randomly, e.g. when using a different ssh-agent?

Tobias Kienzler
  • (voting to close as too localized since I accidentally used an RSA key all the time...) – Tobias Kienzler Oct 29 '12 at 13:58
  • You may instead wish to just post your own answer, or delete the question altogether. – Iszi Oct 29 '12 at 16:03
  • @Iszi [Thomas' answer](http://security.stackexchange.com/a/23332/3272) did already figure this out, adding another answer would be pointless. The information provided by Thomas is too useful to be simply deleted, but allowing other answers to be added would be pointless again. That's why I suggested closing instead... – Tobias Kienzler Oct 29 '12 at 16:23
  • You do realize that your software is ancient? Your OpenSSL is nearly six years old... – Martin Schröder Oct 30 '12 at 09:10
  • @MartinSchröder I'm afraid so. But as mentioned, that's the version included in msysgit. Since I'm only using it inside a LAN I may have been a bit negligent here... – Tobias Kienzler Oct 30 '12 at 09:21

1 Answer

I do not observe this behaviour here. I use ssh-agent from the openssh-client package of Ubuntu 12.04, i.e. "OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012". I modified the Python script to select my DSA key instead of my RSA key (did you do the same?) and I get, as expected, randomized signatures (no need to even restart ssh-agent, two successive signatures are distinct).

It is theoretically possible to make deterministic DSA signatures through a process known as derandomization, which basically means that the random value k is no longer generated randomly, but with a deterministic PRNG seeded with both the message to be signed (or its hash) and a secret key (which can be the DSA private key itself, or a symmetric key stored along the DSA private key, if there is room for such an extra key). There are a few subtleties to mind, because the k value must be selected with unpredictable uniform randomness. There is a draft RFC on that subject, but it is still quite new: I wrote the first version in March 2011. I am not aware of any other standardization effort on derandomization of DSA or ECDSA. Usually, when a DSA signature system appears to be deterministic, it is because of a very serious flaw in the random number generator (such as happened to Sony for the ECDSA signatures used in PS3 software).

Are you sure you are really using a DSA key? A DSA signature has length 40 bytes in SSH (two 160-bit integers, since SHA-1 is used as hash function), whereas an RSA signature will be larger (128 bytes for a 1024-bit RSA key).

Thomas Pornin
  • Absolutely my bad, sorry! Turns out I accidentally used a cached RSA key indeed (the length was the hint I needed). And that should be deterministic since it's basically "encrypting" a message hash in the "wrong" direction, right? (I saw that draft by the way, and was wondering how such an outdated ssh version would already implement it...) – Tobias Kienzler Oct 29 '12 at 13:54
  • @TobiasKienzler: standard "old style" RSA signatures, as per [PKCS#1](http://www.rsa.com/rsalabs/node.asp?id=2125), happen to be deterministic. This is not a security issue with RSA; however, the "new style" RSA signatures (with "PSS padding") include some randomness. – Thomas Pornin Oct 29 '12 at 13:59
  • I see, so before [my ssh-agent piping as password](http://security.stackexchange.com/q/23252/3272) question is only valid iff `ssh-agent` can be convinced to stay deterministic... Or does SSH _always_ use old-style RSA? – Tobias Kienzler Oct 29 '12 at 14:09
  • SSH is _currently_ defined to use old-style PKCS#1 signatures when using the SSHv2 protocol and an RSA key. There is _for now_ little incentive to change that. – Thomas Pornin Oct 29 '12 at 14:32