Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
The original specification for RSA signatures in SSH-2, with the
algorithm name ssh-rsa and including a SHA-1 hash of the
message being signed, specified that the RSA signature integer is
transmitted without padding: that is, with no leading zero
bytes. So if the signature integer fits into fewer bytes than the key
modulus – which happens somewhere between 1/128 and 1/256 of the
time, depending on the modulus itself – then the signature would
be one byte shorter than the rest of the time.
The newer specification for RSA which updated it
to SHA-2, with algorithm names rsa-sha2-256
and rsa-sha2-512, decided (I think rightly) that that was
a bad design decision, and that it was better to require the signature
to be the same length as the modulus always, in particular so that
traffic analysis didn't give a clue about when this shortening had
happened.
We didn't notice this change of the spec in amongst the more obvious changes, so PuTTY 0.81 and before still sometimes shorten RSA signatures. Most servers tolerate this, but just occasionally a picky one shows up, and it's not wrong to complain.
One particular picky server is the one in the Go cryptography libraries. This server will close the SSH connection without any explanation or error message if it receives a short RSA signature on a SHA-2 hash.