# 160-bit key limit

• 10-03-2007, 04:18 AM
unix
160-bit key limit
From PuTTY's SSH.c:

```c
/*
 * Work out the number of bits of key we will need from the key
 * cipher...
 */
{
    int csbits, scbits;

    csbits = s->cscipher_tobe->keylen;
    scbits = s->sccipher_tobe->keylen;
    s->nbits = (csbits > scbits ? csbits : scbits);
}
/* The keys only have 160-bit entropy, since they're based on
 * a SHA-1 hash. So cap the key size at 160 bits. */
if (s->nbits > 160)
    s->nbits = 160;
```

I thought that the maximum key size was whatever the modulo for the
diffie-hellman key exchange was. If you're using
diffie-hellman-group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
into it. Diffie-hellman certainly doesn't use SHA-1. The exchange
hash does but the exchange hash doesn't have anything to do with choosing
the key - it just provides a signature that can be used to verify a
server's identity.

• 10-03-2007, 04:18 AM
unix
Re: 160-bit key limit
yawnmoth <terra1024@yahoo.com> wrote:
> I thought that the maximum key size was whatever the modulo for the
> diffie-hellman key exchange was. If you're using
> diffie-hellman-group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
> into it.

SHA-1 is used _after_ the key exchange, to convert the output of the
key exchange into the session keys used to do the actual bulk
symmetric data encryption. (This is the meaning of `sha1' in the key
exchange method name you quote.)
--
Simon Tatham "I'm going to pull his head off. Ear by ear."
<anakin@pobox.com> - a games teacher
• 10-03-2007, 04:18 AM
unix
Re: 160-bit key limit
On Jul 12, 3:01 am, Simon Tatham <ana...@pobox.com> wrote:
> yawnmoth <terra1...@yahoo.com> wrote:
> > I thought that the maximum key size was whatever the modulo for the
> > diffie-hellman key exchange was. If you're using
> > diffie-hellman-group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
> > into it.
>
> SHA-1 is used _after_ the key exchange, to convert the output of the
> key exchange into the session keys used to do the actual bulk
> symmetric data encryption. (This is the meaning of `sha1' in the key
> exchange method name you quote.)

Hmmm. What, then, is the difference between aes256-cbc or aes192-cbc?
My guess would be that the 160 bits of the SHA-1 hash are
repeated in both cases.

I'd look in the relevant RFC (4253), but didn't see anything about
this at all. Maybe it was deleted with a newer revision? Such things
wouldn't be unprecedented, as this post elaborates:

• 10-03-2007, 04:18 AM
unix
Re: 160-bit key limit
yawnmoth <terra1024@yahoo.com> wrote:
> On Jul 12, 3:01 am, Simon Tatham <ana...@pobox.com> wrote:
> > yawnmoth <terra1...@yahoo.com> wrote:
> > > I thought that the maximum key size was whatever the modulo for the
> > > diffie-hellman key exchange was. If you're using
> > > diffie-hellman-group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
> > > into it.
> >
> > SHA-1 is used _after_ the key exchange, to convert the output of the
> > key exchange into the session keys used to do the actual bulk
> > symmetric data encryption. (This is the meaning of `sha1' in the key
> > exchange method name you quote.)
> Hmmm. What, then, is the difference between aes256-cbc or aes192-cbc?
> My guess would be that the 160 bits of the SHA-1 hash are
> repeated in both cases.

Not quite, but the shared secret, K, is the first thing fed to SHA-1
every time it's used (except in generating the session ID, but that's
not really secret), so all its entropy gets squashed down into the
160-bit internal state of SHA-1.

> I'd look in the relevant RFC (4253), but didn't see anything about
> this at all.

Um, the algorithm for generating symmetric keys is in section 7.2. That
their entropy is limited is a consequence of that algorithm.

--
Ben Harris
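
The key-expansion step of RFC 4253 section 7.2 referred to in the reply above, as an added example that is not part of the thread or of PuTTY's code. The values of K and H are constructed for illustration, and `mpint`, `derive_key` and `demo` are names chosen here. It shows that a key longer than one SHA-1 output is extended with further hash blocks over the same K || H prefix, so the first 160 bits are not simply repeated.

```python
import hashlib

def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    # Extra leading zero byte whenever the top bit would otherwise be set.
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return len(body).to_bytes(4, "big") + body

def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes, nbytes: int) -> bytes:
    """RFC 4253 section 7.2 with HASH = SHA-1.

    K1  = HASH(K || H || letter || session_id)
    K2  = HASH(K || H || K1), K3 = HASH(K || H || K1 || K2), ...
    key = first nbytes of K1 || K2 || K3 || ...
    """
    prefix = mpint(K) + H
    out = hashlib.sha1(prefix + letter + session_id).digest()
    while len(out) < nbytes:
        # Each extension block hashes the same K || H prefix again.
        out += hashlib.sha1(prefix + out).digest()
    return out[:nbytes]

def demo() -> dict:
    # Constructed sample values: a real K comes out of the Diffie-Hellman
    # exchange and a real H is the exchange hash. On the first key
    # exchange of a connection, session_id is H itself.
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest() * 4, "big")
    H = hashlib.sha1(b"constructed exchange hash input").digest()
    # b"C" is the letter for the client-to-server encryption key.
    return {
        "aes128": derive_key(K, H, b"C", H, 16),
        "aes192": derive_key(K, H, b"C", H, 24),
        "aes256": derive_key(K, H, b"C", H, 32),
    }

if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name}-cbc key: {key.hex()}")
```
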
• 10-03-2007, 04:18 AM
unix
Re: 160-bit key limit
On Jul 13, 5:55 pm, Ben Harris <bjhar...@chiark.greenend.org.uk>
wrote:
> <snip>
> Um, the algorithm for generating symmetric keys is in section 7.2. That
> their entropy is limited is a consequence of that algorithm.

Hmmm - I completely missed that section - thanks for pointing it
out! :)