
160-bit key limit
From PuTTY's ssh.c:
    /*
     * Work out the number of bits of key we will need from the key
     * exchange. We start with the maximum key length of either
     * cipher...
     */
    {
        int csbits, scbits;
        csbits = s->cscipher_tobe->keylen;
        scbits = s->sccipher_tobe->keylen;
        s->nbits = (csbits > scbits ? csbits : scbits);
    }
    /* The keys only have 160-bit entropy, since they're based on
     * a SHA-1 hash. So cap the key size at 160 bits. */
    if (s->nbits > 160)
        s->nbits = 160;
I thought that the maximum key size was whatever the modulus for the
diffie-hellman key exchange was. If you're using diffie-hellman-
group1-sha1, that'd be 1024 bits. I don't see where SHA1 factors
into it. Diffie-hellman certainly doesn't use SHA1. The exchange
hash does, but the exchange hash doesn't have anything to do with choosing
the key; it just provides a signature that can be used to verify a
server's identity.

Re: 160-bit key limit
yawnmoth <terra1024@yahoo.com> wrote:
> I thought that the maximum key size was whatever the modulus for the
> diffie-hellman key exchange was. If you're using diffie-hellman-
> group1-sha1, that'd be 1024 bits. I don't see where SHA1 factors
> into it.
SHA1 is used _after_ the key exchange, to convert the output of the
key exchange into the session keys used to do the actual bulk
symmetric data encryption. (This is the meaning of `sha1' in the key
exchange method name you quote.)

Simon Tatham <anakin@pobox.com>
"I'm going to pull his head off. Ear by ear." - a games teacher

Re: 160-bit key limit
On Jul 12, 3:01 am, Simon Tatham <ana...@pobox.com> wrote:
> yawnmoth <terra1...@yahoo.com> wrote:
> > I thought that the maximum key size was whatever the modulus for the
> > diffie-hellman key exchange was. If you're using diffie-hellman-
> > group1-sha1, that'd be 1024 bits. I don't see where SHA1 factors
> > into it.
>
> SHA1 is used _after_ the key exchange, to convert the output of the
> key exchange into the session keys used to do the actual bulk
> symmetric data encryption. (This is the meaning of `sha1' in the key
> exchange method name you quote.)
Hmmm. What, then, is the difference between aes256-cbc and aes192-
cbc? My guess would be that the 160 bits of the SHA1 hash are
repeated in both cases.
I'd look in the relevant RFC (4253), but didn't see anything about
this at all. Maybe it was deleted with a newer revision? Such things
wouldn't be unprecedented, as this post elaborates:
http://groups.google.com/group/comp.security.ssh/msg/7e7e121da0dddd53

Re: 160-bit key limit
In article <1184269547.728690.84560@d55g2000hsg.googlegroups.com>,
yawnmoth <terra1024@yahoo.com> wrote:
>On Jul 12, 3:01 am, Simon Tatham <ana...@pobox.com> wrote:
>> yawnmoth <terra1...@yahoo.com> wrote:
>> > I thought that the maximum key size was whatever the modulus for the
>> > diffie-hellman key exchange was. If you're using diffie-hellman-
>> > group1-sha1, that'd be 1024 bits. I don't see where SHA1 factors
>> > into it.
>>
>> SHA1 is used _after_ the key exchange, to convert the output of the
>> key exchange into the session keys used to do the actual bulk
>> symmetric data encryption. (This is the meaning of `sha1' in the key
>> exchange method name you quote.)
>Hmmm. What, then, is the difference between aes256-cbc and aes192-
>cbc? My guess would be that the 160 bits of the SHA1 hash are
>repeated in both cases.
Not quite, but the shared secret, K, is the first thing fed to SHA1
every time it's used (except in generating the session ID, but that's
not really secret), so all its entropy gets squashed down into the
160-bit internal state of SHA1.
>I'd look in the relevant RFC (4253), but didn't see anything about
>this at all.
Um, the algorithm for generating symmetric keys is in section 7.2. That
their entropy is limited is a consequence of that algorithm.

Ben Harris
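
The derivation Ben Harris points to, RFC 4253 section 7.2, written out as an added example (it is not PuTTY's code and was not part of the thread); K, H and session_id below are constructed sample values, and the helper names are my own:

```python
import hashlib


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5):
    4-byte big-endian length, then the magnitude with a leading 0x00 byte
    added if the top bit would otherwise be set."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def first_block(K, H, letter, session_id, hash_name="sha1"):
    """K1 = HASH(K || H || X || session_id), with K encoded as an mpint."""
    return hashlib.new(hash_name, ssh_mpint(K) + H + letter + session_id).digest()


def next_block(K, H, previous, hash_name="sha1"):
    """Kn = HASH(K || H || K1 || ... || K(n-1)): the extension step used when
    the cipher needs more key bytes than a single digest provides."""
    return hashlib.new(hash_name, ssh_mpint(K) + H + previous).digest()


def derive_key(K, H, letter, session_id, needed, hash_name="sha1"):
    """Return 'needed' bytes of K1 || K2 || ...; letter is b"A".."F" as in
    RFC 4253 section 7.2 (b"C"/b"D" are the two encryption keys)."""
    material = first_block(K, H, letter, session_id, hash_name)
    while len(material) < needed:
        material += next_block(K, H, material, hash_name)
    return material[:needed]


# Constructed sample inputs, not taken from a real session: a shared secret K,
# an exchange hash H, and session_id = H as in a connection's first exchange.
K_SAMPLE = int.from_bytes(b"constructed shared secret K" * 4, "big")
H_SAMPLE = hashlib.sha1(b"constructed exchange hash").digest()
SESSION_ID_SAMPLE = H_SAMPLE

if __name__ == "__main__":
    key256 = derive_key(K_SAMPLE, H_SAMPLE, b"C", SESSION_ID_SAMPLE, 32)
    key192 = derive_key(K_SAMPLE, H_SAMPLE, b"C", SESSION_ID_SAMPLE, 24)
    # Bytes 20..31 of the aes256-cbc key are SHA1(K || H || K1)[:12], not a
    # repeat of K1; every block is still a SHA-1 output over K and H, which
    # is what PuTTY's 160-bit cap on nbits reflects.
    print("aes256-cbc key:", key256.hex())
    print("aes192-cbc key:", key192.hex())
    print("tail repeats head?", key256[20:] == key256[:12])
```

Running it shows the aes192-cbc key is simply the first 24 bytes of the aes256-cbc key derived from the same K, H and session_id.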

Re: 160-bit key limit
On Jul 13, 5:55 pm, Ben Harris <bjhar...@chiark.greenend.org.uk>
wrote:
> <snip>
> Um, the algorithm for generating symmetric keys is in section 7.2. That
> their entropy is limited is a consequence of that algorithm.
Hmmm, I completely missed that section; thanks for pointing it
out! :)