[Sugar-devel] [PATCH 2/2 sugar] Create new owner keys as RSA keys instead of DSA
Samuel Greenfeld
greenfeld at laptop.org
Tue Nov 15 09:23:58 EST 2011
My last two jobs significantly involved encryption, but I am not that good
of an amateur cryptographer.
Has anyone in the security field (such as Ivan Krstić) reviewed this
proposal? Are there any potential performance impacts by switching key
types for slower systems such as the XO-1?
We may also want to support handling an ECDSA SSH key if we see one,
although generating one may not always be possible (some distributions
remove this algorithm due to patent concerns).
---
SJG
On Tue, Nov 15, 2011 at 7:35 AM, Sascha Silbe <silbe at activitycentral.com>wrote:
> Sugar currently uses the owner key as an opaque string, not as an actual
> key.
> This means the key type does not yet matter, we can just as easily use an
> RSA
> key. The most important reason to prefer DSA over RSA, the RSA patent, has
> expired in 2000 [1]. While DSA is considered secure when used correctly, it
> relies on certain properties (e.g. a cryptographically secure PRNG [1])
> that
> have not always been met in practice [3], with secret key exposure as a
> result [4]. RSA is less problematic in this regard.
>
> RSA keys are also more readily usable with other tools (e.g. monkeysphere
> only
> supports RSA keys [5]), enabling Sugar to use a single key to identify the
> user for other protocols and purposes than just Collaboration. Examples
> that
> come to mind instantly are web browsing (think a.sl.o) and email (OpenPGP).
>
> [1] http://en.wikipedia.org/wiki/RSA
> [2] http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
> [3] http://www.debian.org/security/2008/dsa-1571
> [4]
> http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/
> [5] http://web.monkeysphere.info/news/release-0.24-1/
>
> Signed-off-by: Sascha Silbe <silbe at activitycentral.com>
> ---
> src/jarabe/intro/window.py | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/jarabe/intro/window.py b/src/jarabe/intro/window.py
> index f7937b1..6cf1481 100644
> --- a/src/jarabe/intro/window.py
> +++ b/src/jarabe/intro/window.py
> @@ -47,7 +47,7 @@ def create_profile(name, color=None):
> import commands
> keypath = os.path.join(env.get_profile_path(), 'owner.key')
> if not os.path.isfile(keypath):
> - cmd = "ssh-keygen -q -t dsa -f %s -C '' -N ''" % keypath
> + cmd = "ssh-keygen -q -t rsa -f %s -C '' -N ''" % keypath
> (s, o) = commands.getstatusoutput(cmd)
> if s != 0:
> logging.error('Could not generate key pair: %d %s', s, o)
> --
> 1.7.7.1
>
> _______________________________________________
> Sugar-devel mailing list
> Sugar-devel at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/sugar-devel/attachments/20111115/7d5651a1/attachment.html>
More information about the Sugar-devel
mailing list