160-bit key limit - SSH

This is a discussion on 160-bit key limit - SSH ; >From PuTTy's SSH.c: /* * Work out the number of bits of key we will need from the key * exchange. We start with the maximum key length of either * cipher... */ { int csbits, scbits; csbits = s->cscipher_tobe->keylen; ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: 160-bit key limit

  1. 160-bit key limit

    >From PuTTy's SSH.c:

    /*
    * Work out the number of bits of key we will need from the key
    * exchange. We start with the maximum key length of either
    * cipher...
    */
    {
    int csbits, scbits;

    csbits = s->cscipher_tobe->keylen;
    scbits = s->sccipher_tobe->keylen;
    s->nbits = (csbits > scbits ? csbits : scbits);
    }
    /* The keys only have 160-bit entropy, since they're based on
    * a SHA-1 hash. So cap the key size at 160 bits. */
    if (s->nbits > 160)
    s->nbits = 160;

    I thought that the maximum key size was whatever the modulo for the
    diffie-hellman key exchange was. If you're using diffie-hellman-
    group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
    into it. Diffie-hellman cetainly doesn't use SHA-1. The exchange
    hash does but the exchange hash doesn't have anything to do choosing
    the key - it just provides a signature that can be used to verify a
    servers identity.


  2. Re: 160-bit key limit

    yawnmoth wrote:
    > I thought that the maximum key size was whatever the modulo for the
    > diffie-hellman key exchange was. If you're using diffie-hellman-
    > group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
    > into it.


    SHA-1 is used _after_ the key exchange, to convert the output of the
    key exchange into the session keys used to do the actual bulk
    symmetric data encryption. (This is the meaning of `sha1' in the key
    exchange method name you quote.)
    --
    Simon Tatham "I'm going to pull his head off. Ear by ear."
    - a games teacher

  3. Re: 160-bit key limit

    On Jul 12, 3:01 am, Simon Tatham wrote:
    > yawnmoth wrote:
    > > I thought that the maximum key size was whatever the modulo for the
    > > diffie-hellman key exchange was. If you're using diffie-hellman-
    > > group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
    > > into it.

    >
    > SHA-1 is used _after_ the key exchange, to convert the output of the
    > key exchange into the session keys used to do the actual bulk
    > symmetric data encryption. (This is the meaning of `sha1' in the key
    > exchange method name you quote.)

    Hmmm. What, then, is the difference between aes256-cbc or aes192-
    cbc? My guess would be that the 160 bits of the SHA-1 hash are
    repeated in both cases.

    I'd look in the relevant RFC (4253), but didn't see anything about
    this at all. Maybe it was deleted with a newer revision? Such things
    wouldn't be unprecedented, as this post elaborates:

    http://groups.google.com/group/comp....7e121da0dddd53


  4. Re: 160-bit key limit

    In article <1184269547.728690.84560@d55g2000hsg.googlegroups.c om>,
    yawnmoth wrote:
    >On Jul 12, 3:01 am, Simon Tatham wrote:
    >> yawnmoth wrote:
    >> > I thought that the maximum key size was whatever the modulo for the
    >> > diffie-hellman key exchange was. If you're using diffie-hellman-
    >> > group1-sha1, that'd be 1024 bits. I don't see where SHA-1 factors
    >> > into it.

    >>
    >> SHA-1 is used _after_ the key exchange, to convert the output of the
    >> key exchange into the session keys used to do the actual bulk
    >> symmetric data encryption. (This is the meaning of `sha1' in the key
    >> exchange method name you quote.)

    >Hmmm. What, then, is the difference between aes256-cbc or aes192-
    >cbc? My guess would be that the 160 bits of the SHA-1 hash are
    >repeated in both cases.


    Not quite, but the shared secret, K, is the first thing fed to SHA-1
    every time it's used (except in generating the session ID, but that's
    not really secret), so all its entropy gets squashed down into the
    160-bit internal state of SHA-1.

    >I'd look in the relevant RFC (4253), but didn't see anything about
    >this at all.


    Um, the algorithm for generating symmetric keys is in section 7.2. That
    their entropy is limited is a consequence of that algorithm.

    --
    Ben Harris

  5. Re: 160-bit key limit

    On Jul 13, 5:55 pm, Ben Harris
    wrote:
    >
    > Um, the algorithm for generating symmetric keys is in section 7.2. That
    > their entropy is limited is a consequence of that algorithm.


    Hmmm - I completely missed that section - thanks for pointing it
    out!


+ Reply to Thread