Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Java Development

Reply
Developer
Posts: 155
Registered: ‎01-22-2010
My Device: PlayBook -> 9900, 9810, 9800, 9700,9000, 8800, 8700...
My Carrier: AT&T

FIPS-186-3 DSS standards - 2048 bit keys

Hi,

I was wondering if anyone knew of plans for support FIPS-186-3, which was approved as the latest DSS in June 2009?

 

I ask because I'm encountering a problem that's growing in frequency: BBSSH (the ssh client I develop) has moved over to using BB's DSACryptoSystem for verifying host keys during the key exchange portion of an SSH connection.

 

The FIPS-186-2 DSS standard stated that modulus bit lengths from 512-1024, in increments of 64 bits can be accepted  FIPS-186-3 states that modulus bit lengths can be from 512- 3072 bits.

 

Blackberry Crypto is compatible with only FIPS-186-2 -- which means that any host key that uses more than 1024 bits fails to be created correctly using the DSACryptoSystem constructor, with an InvalidCryptoSystemException. 

 

This is becoming a problem withj increasing frequency for SSH users, as more and more hosts update their keys, or in some cases default to using 2048 bit keys from the start -- because BBSSH is using the BB Crypto library, any server withj a 2048 bit key can't be connected to.

 

So - is relief on the way? And if so, will it be available in any OS earlier than 5.0? I have been trying to remove the custom crypto libraries from BBSSH and replace them with RIM Crypto; but it looks like for this piece, at least, I won't have that option.  



Try out BBSSH, a free Blackberry SSH client.
  • If you like my post, please let me know by Liking it!
  • If my post solved your problem please click on the Accept as Solution button.

Developer
Posts: 1,474
Registered: ‎04-14-2009
My Device: Not Specified

Re: FIPS-186-3 DSS standards - 2048 bit keys

I don't know about the native support for longer keys, but you could bundle your own (e.g., BouncyCastle-based) DSA code with your app as a workaround.

Developer
Posts: 155
Registered: ‎01-22-2010
My Device: PlayBook -> 9900, 9810, 9800, 9700,9000, 8800, 8700...
My Carrier: AT&T

Re: FIPS-186-3 DSS standards - 2048 bit keys

Thanks for the suggestion.

 

I actually already had a custom version based on Ganymed ssh library.  As I'm trying to get rid of as much third party content as possible (mostly to keep it maintainable), I replaced the group of classes used for that validation with simplified custom method that just implements the DSA validation itself, since it's a fairly trivial validation. 

 

I also took the opportunity to switch over to CryptoInteger, instead of the custom and rather inefficient BigInteger implementation  the Ganymed implementation used. 


(Of course, there are other Ganymed and home-rolled crypto elements still present... replacing them slowly but surely with native BB calls when possible; or more efficient implementations  when not)

 



Try out BBSSH, a free Blackberry SSH client.
  • If you like my post, please let me know by Liking it!
  • If my post solved your problem please click on the Accept as Solution button.