[Sugar-devel] [PATCH 2/2 sugar] Create new owner keys as RSA keys instead of DSA

Samuel Greenfeld greenfeld at laptop.org
Tue Nov 15 09:23:58 EST 2011


My last two jobs significantly involved encryption, but I am not that good
of an amateur cryptographer.

Has anyone in the security field (such as Ivan Krstić) reviewed this
proposal?  Are there any potential performance impacts by switching key
types for slower systems such as the XO-1?

We may also want to support handling an ECDSA SSH key if we see one,
although generating one may not always be possible (some distributions
remove this algorithm due to patent concerns).

---
SJG


On Tue, Nov 15, 2011 at 7:35 AM, Sascha Silbe <silbe at activitycentral.com> wrote:

> Sugar currently uses the owner key as an opaque string, not as an actual
> key. This means the key type does not yet matter, we can just as easily use
> an RSA key. The most important reason to prefer DSA over RSA, the RSA patent,
> expired in 2000 [1]. While DSA is considered secure when used correctly, it
> relies on certain properties (e.g. a cryptographically secure PRNG [1])
> that have not always been met in practice [3], with secret key exposure as a
> result [4]. RSA is less problematic in this regard.
>
> RSA keys are also more readily usable with other tools (e.g. monkeysphere
> only supports RSA keys [5]), enabling Sugar to use a single key to identify
> the user for other protocols and purposes than just Collaboration. Examples
> that come to mind instantly are web browsing (think a.sl.o) and email
> (OpenPGP).
>
> [1] http://en.wikipedia.org/wiki/RSA
> [2] http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
> [3] http://www.debian.org/security/2008/dsa-1571
> [4] http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/
> [5] http://web.monkeysphere.info/news/release-0.24-1/
>
> Signed-off-by: Sascha Silbe <silbe at activitycentral.com>
> ---
>  src/jarabe/intro/window.py |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/jarabe/intro/window.py b/src/jarabe/intro/window.py
> index f7937b1..6cf1481 100644
> --- a/src/jarabe/intro/window.py
> +++ b/src/jarabe/intro/window.py
> @@ -47,7 +47,7 @@ def create_profile(name, color=None):
>     import commands
>     keypath = os.path.join(env.get_profile_path(), 'owner.key')
>     if not os.path.isfile(keypath):
> -        cmd = "ssh-keygen -q -t dsa -f %s -C '' -N ''" % keypath
> +        cmd = "ssh-keygen -q -t rsa -f %s -C '' -N ''" % keypath
>         (s, o) = commands.getstatusoutput(cmd)
>         if s != 0:
>             logging.error('Could not generate key pair: %d %s', s, o)
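Review bot: on the changed `cmd = "ssh-keygen -q -t rsa -f %s ..." % keypath` line, keypath is interpolated unquoted into a string that `commands.getstatusoutput` hands to a shell, so a profile path containing spaces or shell metacharacters breaks or alters the command; quote the path or run ssh-keygen with an argument list instead. Two smaller points: `-t rsa` is given without `-b`, so the modulus size is whatever the installed ssh-keygen defaults to and should be stated explicitly, and because of the `if not os.path.isfile(keypath)` guard existing profiles keep their DSA owner.key, which the commit message should mention.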
> --
> 1.7.7.1
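Since the patch only affects newly created profiles and the reply above raises handling ECDSA keys when one is seen, here is an added example (not part of the original thread or of Sugar's code) that reads one OpenSSH public key line and reports its algorithm and size. The function names and the sample keys are hypothetical; the samples are constructed, structurally valid blobs, not real keys.

```python
import base64
import struct

def _read_string(blob, offset):
    """Read one length-prefixed (RFC 4251) field; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def describe_public_key(line):
    """Return (algorithm, size in bits) for '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    name, off = _read_string(blob, 0)
    algo = name.decode("ascii")
    if algo != parts[0]:
        raise ValueError("type prefix does not match key blob")
    if algo == "ssh-rsa":                      # fields: e, n
        _, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return algo, int.from_bytes(n, "big").bit_length()
    if algo == "ssh-dss":                      # fields: p, q, g, y
        p, _ = _read_string(blob, off)
        return algo, int.from_bytes(p, "big").bit_length()
    if algo.startswith("ecdsa-sha2-nistp"):    # fields: curve name, point Q
        curve, _ = _read_string(blob, off)
        return algo, int(curve.decode("ascii")[len("nistp"):])
    raise ValueError("unsupported key type: %s" % algo)

def _pack(*fields):
    """Build a constructed sample line; the first field is the type name."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "%s %s" % (fields[0].decode(), base64.b64encode(blob).decode())

def _mpint(value):
    """Encode a positive integer as an SSH mpint body (leading zero kept)."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

# Constructed samples: right field layout and sizes, meaningless values.
SAMPLE_RSA = _pack(b"ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))
SAMPLE_DSA = _pack(b"ssh-dss", _mpint((1 << 1023) | 1),
                   _mpint((1 << 159) | 1), _mpint(2), _mpint(3))
SAMPLE_ECDSA = _pack(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x01" * 64)
```
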