JDK-8039921: SHA1WithDSA with key > 1024 bits not working

Valerie Peng valerie.peng at oracle.com
Fri Sep 19 00:04:58 UTC 2014 

Atsuhiko,

Back in Java7, SUN provider only supports DSA keys w/ up-to-1024 bit length.
The SHA1withDSA signature doesn't explicitly check and reject longer 
keys though, so I understand how this may be viewed as a regression.

At the time when the large DSA key support is added, we followed the 
recommendation by FIPS 186-3 since using a shorter hash weakens the 
security strength offered by the larger key. Regardless of entities, I'd 
think people prefer to be more secure rather than less.

However, if such (potentially insecure) practice is common, we may 
consider relax the restraint for the sake of being interoperable. Do you 
have any more info such as CA certs using large DSA keys with 
SHA1withDSA signature algorithm, etc.? This will help us decide whether 
and how to best accommodate this.

Regards,
Valerie

On 9/18/2014 1:51 AM, Atsuhiko Yamanaka wrote:
> Hi there,
>
> We have been developing pure java SSH2 client library named as JSch,
> and you may know that it has been integrated and used in Eclipse, NetBeans,
> IntelliJ IDEA, ant, Ivy, JGit, etc.
>
> Recently we have received feed backs that JSch has failed to connect
> to some sshd on Java8.
> After some investigations, we have found that the problem been caused
> by a problem  reported at JDK-8039921[1].
>
> It seems some sshds have been using long key for Digital Signature(SHA1WithDSA),
> and JSch can handle those key successfully on Java7, but, due to a
> change by JDK-8039921 on Java8,
> it can not connect to those sshds any more on Java8.  It means
> Eclipse, NetBeans, IntelliJ IDEA, ant, Ivy, JGit, etc,
> can not work for those sshds anymore.  That change has made huge
> impacts to those software.
>
> Some developer at Oracle has commented as follows[2],
>      For SHA1withDSA signature, DSA keys less than 1024 bits are allowed
>      for the sake of backward compatibility.  As for 2048-bit DSA key pairs,
>      they should be used with signature algorithms using the SHA-2 family
>      of message digests as specified in FIPS 186-3.
>
>  From my understanding, FIPS 186-3 is the standard to use Digital
> Signature in Federal Government entities.
> So, if JDK's JCE(SunJCE) has been used in other entities, it should
> been not influenced by that standard.
>
>
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8039921
> [2] https://bugs.openjdk.java.net/browse/JDK-8039921?focusedCommentId=13486968&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13486968

More information about the security-dev mailing list