Retire non-repeatability check for unsuitable SSH keys in the tests
Marco Ricci

Marco Ricci committed on 2024-09-21 12:17:48
Showing 1 changed file with 0 additions and 7 deletions.


DSA and ECDSA keys use a nonce during signing, and it is well-known that
reusing the nonce for another signature allows the private key to be
derived directly from those two signatures.  Because of this, many
implementations choose the nonce via a high-quality random number
generator.  This leads to DSA and ECDSA signatures being non-repeatable,
i.e. signing the same document twice leads to two different
signatures/binary strings.  OpenSSH's agent behaves this way.

However, various implementations of DSA or DSA variants have attempted
to find a way to avoid the random number generator by choosing the nonce
deterministically (but still unpredictably, for an attacker): EdDSA
mandates a specific nonce as part of the specification, and RFC 6979
outlines a different deterministic nonce scheme for all (other) DSA
variants.  All versions of PuTTY/Pageant use deterministic nonce
generation (a homegrown system in 0.80 and lower, RFC 6979 afterwards),
so DSA and ECDSA signatures by Pageant *are* repeatable.  And there is
no reason why OpenSSH couldn't adopt RFC 6979 in the future.

Therefore, remove the check for repeatability in the tests.  The `Vault`
class check for key suitability remains unchanged, because while
DSA/ECDSA keys *can* use repeatable signatures, such use is not
*guaranteed*.
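The commit message above contrasts three things: random nonces (which make two signatures over the same document differ), deterministic nonces (which make them identical), and the nonce-reuse failure that motivates deterministic schemes in the first place. The following pure-Python ECDSA sketch is an added example written for this page; it is not code from this commit or from the project it belongs to. It assumes secp256k1 (the domain parameters are public constants), a `deterministic_nonce` helper that is a deliberately simplified HMAC stand-in for RFC 6979 rather than the RFC's HMAC_DRBG construction, and a hypothetical `is_repeatable` helper mirroring the sign-twice-and-compare check that the diff retires. It goes one step beyond the message by also carrying out the private-key recovery from two signatures that share a nonce.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (a = 0, b = 7); any prime-order curve would do.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), 'big') % N


def random_nonce(priv, msg):
    """What OpenSSH's agent does in effect: a fresh random k per signature."""
    return secrets.randbelow(N - 1) + 1


def deterministic_nonce(priv, msg):
    """Simplified stand-in for RFC 6979 (assumption for this demo): k is
    derived from the key and the message hash via one HMAC call.  The real
    RFC runs an HMAC_DRBG loop; the property shown here is the same, namely
    that the same key and document always yield the same k."""
    mac = hmac.new(priv.to_bytes(32, 'big'),
                   hashlib.sha256(msg).digest(), hashlib.sha256).digest()
    return int.from_bytes(mac, 'big') % (N - 1) + 1


def sign(priv, msg, k):
    """Textbook ECDSA: r = (kG).x mod n, s = k^-1 (e + r d) mod n."""
    e = _hash_int(msg)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError('degenerate nonce, pick another k')
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def is_repeatable(priv, msg, nonce_fn):
    """The check the retired test performed: sign twice, compare the results."""
    first = sign(priv, msg, nonce_fn(priv, msg))
    second = sign(priv, msg, nonce_fn(priv, msg))
    return first == second


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures sharing k (hence sharing r) over different messages leak d:
    s1 - s2 = k^-1 (e1 - e2)  =>  k = (e1 - e2) / (s1 - s2),  d = (s1 k - e1) / r."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError('signatures do not share a nonce (r differs)')
    e1, e2 = _hash_int(msg1), _hash_int(msg2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r1, -1, N) % N


if __name__ == '__main__':
    d = secrets.randbelow(N - 1) + 1
    doc = b'constructed sample document'  # constructed input, not real data
    print('random nonce repeatable?', is_repeatable(d, doc, random_nonce))
    print('deterministic nonce repeatable?', is_repeatable(d, doc, deterministic_nonce))
    k = random_nonce(d, doc)
    leaked = recover_private_key(doc, sign(d, doc, k),
                                 b'other document', sign(d, b'other document', k))
    print('nonce reuse recovered the key:', leaked == d)
```

Run as a script, the first line prints `False` and the second `True`: exactly the difference between an OpenSSH-style agent and Pageant that made the `signature != signature2` assertion implementation-dependent. The third line shows why `is_repeatable` returning `True` is not itself a weakness: repeatable signatures are safe as long as the nonce is bound to the message, whereas reusing one nonce across two messages hands over the key.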
@@ -249,13 +249,6 @@ class TestAgentInteraction:
249 249
             _ = data_dict['expected_signature']
250 250
             if public_key_data not in key_comment_pairs:  # pragma: no cover
251 251
                 pytest.skip('prerequisite SSH key not loaded')
252
-            signature = bytes(
253
-                client.sign(payload=vault.Vault._UUID, key=public_key_data)
254
-            )
255
-            signature2 = bytes(
256
-                client.sign(payload=vault.Vault._UUID, key=public_key_data)
257
-            )
258
-            assert signature != signature2, 'SSH signature repeatable?!'
259 252
             with pytest.raises(ValueError, match='unsuitable SSH key'):
260 253
                 vault.Vault.phrase_from_key(public_key_data)
261 254
 
262 255
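Review bot: with the two `client.sign(...)` calls removed, nothing in the remaining test body uses the agent any more, so the `_ = data_dict['expected_signature']` read and the `pytest.skip('prerequisite SSH key not loaded')` guard (kept as unchanged context above the deleted lines) now only gate and load data for a check that no longer signs anything. If `vault.Vault.phrase_from_key(public_key_data)` only inspects the key bytes, the `ValueError('unsuitable SSH key')` assertion can run without a loaded key; consider dropping the skip guard and the unused `expected_signature` lookup so the unsuitable-key test is not silently skipped whenever the agent is absent.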