| Bug ID |
12532
|
| Summary |
Gerrit still offers DSA keys
|
| Product |
Web sites
|
| Version |
N/A
|
| Hardware |
All
|
| OS |
All
|
| Status |
UNCONFIRMED
|
| Severity |
Major
|
| Priority |
Low
|
| Component |
Code review - code.wireshark.org
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Build Information:
Gerrit 2.11.8
--
Wireshark's Gerrit server still offers an "ssh-dss" key as authentication.
There is a fairly recent attack against OpenSSL where DSA keys can be recovered
in 260 handshakes. DSA keys have been considered deprecated for quite a while,
but this makes offering DSA keys dangerous.
https://eprint.iacr.org/2016/594
Although this particular attack is against OpenSSL, this attack can most likely
be applied to Java-based DSA implementations as well given that variable timing
can be even more pronounced.
To check whether the server offers ssh-dss keys:
ssh-keyscan -p 29418 -t dsa code.wireshark.org
# code.wireshark.org:29418 SSH-2.0-GerritCodeReview_2.11.8 (SSHD-CORE-0.14.0)
[code.wireshark.org]:29418 ssh-dss
AAAAB3NzaC1kc3MAAACBAIyiSKHFJVA2h6lkGMhNHPxaB35eu+eGAgzl+wLjeix80pk+FmUuKQQMfzhYZDlO4r+qKImdK0ex1udFRDRQu8U2MO9CUFsRCD2tDqS0DXf2DivdQ1IK53W7ArohnT+6RJR5rsFYZa7nazdGo5xDLRJNdX6JWaExPlpcElWYS31PAAAAFQCoSO0sfac6FaR/eLjRD3HCw8DnFwAAAIBGlvCptIj5LYjizprkbxYzA5TK5c32pkFlGjDa1ccOsBnvjM8HOHbS4DY2FIcezVOras4uMuoWNG4vw/kjYjNapFJ65MZQ/fLNN1ByBbGnCwVEylcEwGQbnpo+kZAc4oxLUbHdzv5Ds/eAGH0SgURueNnilj0f9djnLU03FblzuAAAAIBQFFEKxiD1lQRcXczGoY7T4+BJag9NB6kmmpSPS0rlD8Foto6X7OCare/+pgYVm/Fl2v+tQxUPf3BU46OP/UV1xD7bD2Vh+k6vYEzGBuF59+CwYfrqjvQhwdZsaHKX2K5G5Jr4E+pGOXvtsSdKk6E+pSyQQEtEoXna/GNOJ1xxcg==
You are receiving this mail because:
- You are watching all bug changes.
