[Cryptography] NSA’s FAQs Demystify the Demise of Suite B

Francisco Corella fcorella at pomcor.com
Fri Feb 12 00:20:21 EST 2016


> > The FAQs make sense, but do not explain one detail: why DSA has been
> > omitted from the CNSA Suite.  In the blog post I argue that DSA is
> > being dropped at the wrong time.
> 
> You miss two major reasons why people don't like DSA:
> 1. It's extremely fragile when it comes to bad random numbers. Use it
> once with a bad RNG: Your key is compromised.

You are right, I hadn't thought of that.  The per-message random
number used to randomize a signature (the "randomizer", usually called
"k") has to be kept secret because the private key can be computed
from the randomizer and the signature.  So if the RNG that used to
generate a signature is compromised, the adversary may be able to
obtain the randomizer and compute the private key.  But this is also
true for ECDSA.

> 2. DSA was limited to 1024 bit for a long time, a 2048 bit option was
> only added later. For many implementations this means either use it
> with 1024 bit or not at all.
> 
> Given that I find it reasonable to drop support (and I have strongly
> argued for the removal from TLS 1.3).

I haven't followed the discussions about TLS 1.3, so I don't know what
the arguments were for or against dropping DSA; I'm sure they were all
reasonable :-) TLS uses encryption for the traffic, so the fact that
DSA is encryption-free is not an advantage over RSA in the context of
TLS; but it's ironic that DSA is being dropped when RSA is losing its
compelling advantage of providing key transport and server
authentication in one operation.

It may not matter much whether DSA or RSA is used in TLS, but I think
it's definitely a mistake to have omitted it in the Web Crypto API.  A
developer of software that uses digital signatures but no encryption
can avoid the hassle and expense of dealing with export regulations by
using DSA instead of RSA, and the mistrust of ECC in Europe and
elsewhere by using DSA instead of ECDSA.

Francisco


> On Feb 11, 2016, at 11:27 AM, Hanno Böck <hanno at hboeck.de> wrote:
> 
> On Thu, 11 Feb 2016 07:38:06 -0800
> Francisco Corella <fcorella at pomcor.com> wrote:
> 
>> The FAQs make sense, but do not explain one detail: why DSA has been
>> omitted from the CNSA Suite.  In the blog post I argue that DSA is
>> being dropped at the wrong time.
> 
> You miss two major reasons why people don't like DSA:
> 1. It's extremely fragile when it comes to bad random numbers. Use it
> once with a bad RNG: Your key is compromised.
> 2. DSA was limited to 1024 bit for a long time, a 2048 bit option was
> only added later. For many implementations this means either use it
> with 1024 bit or not at all.
> 
> Given that I find it reasonable to drop support (and I have strongly
> argued for the removal from TLS 1.3).
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
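
As an added illustration of the point in Francisco's reply above (this code is not part of the thread or of any project mentioned in it), a toy DSA in Python: the domain parameters are constructed at run time and deliberately tiny, the signer takes the randomizer k as an explicit argument, and the last two functions show that a single signature whose k is known, or two signatures that share a k, give away the private key x; the function names and sizes are my own assumptions.

```python
from math import isqrt
import hashlib
import random

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def toy_params(qbits=20, seed=1):
    """Constructed toy DSA parameters (p, q, g); far too small for real use."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1   # odd, qbits long
        if not is_prime(q):
            continue
        for k in range(2, 4000, 2):          # p = k*q + 1 so that q divides p - 1
            p = k * q + 1
            g = pow(2, k, p)                 # 2^((p-1)/q) has order q unless it is 1
            if is_prime(p) and g != 1:
                return p, q, g

def hq(msg, q):
    """Message hash reduced into Z_q, as DSA does with a long digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(p, q, g, x, msg, k):
    """Textbook DSA with the per-message randomizer k supplied by the caller."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hq(msg, q) + x * r) % q
    return r, s

def verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(g, hq(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r

def key_from_randomizer(q, msg, sig, k):
    """s = k^-1 (H + x r)  =>  x = (s k - H) r^-1 mod q: one leaked k is enough."""
    r, s = sig
    return (s * k - hq(msg, q)) * pow(r, -1, q) % q

def key_from_reused_randomizer(q, m1, sig1, m2, sig2):
    """A repeating RNG output is just as fatal: s1 - s2 = k^-1 (H1 - H2) gives k."""
    (r, s1), (_, s2) = sig1, sig2
    k = (hq(m1, q) - hq(m2, q)) * pow(s1 - s2, -1, q) % q
    return key_from_randomizer(q, m1, sig1, k)
```

The same algebra applies to ECDSA, which is why deterministic nonce derivation (RFC 6979) is the usual way to remove the signer's dependence on the RNG.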