06-04-2010 10:58 PM
I was wondering if anyone knew of plans to support FIPS-186-3, which was approved as the latest DSS in June 2009?
I ask because I'm encountering a problem that's growing in frequency: BBSSH (the ssh client I develop) has moved over to using BB's DSACryptoSystem for verifying host keys during the key exchange portion of an SSH connection.
The FIPS-186-2 DSS standard stated that modulus bit lengths from 512-1024, in increments of 64 bits, can be accepted. FIPS-186-3 states that modulus bit lengths can be from 512-3072 bits.
Blackberry Crypto is compatible with only FIPS-186-2 -- which means that any host key that uses more than 1024 bits fails to be created correctly using the DSACryptoSystem constructor, with an InvalidCryptoSystemException.
This is becoming a problem with increasing frequency for SSH users, as more and more hosts update their keys, or in some cases default to using 2048 bit keys from the start -- because BBSSH is using the BB Crypto library, any server with a 2048 bit key can't be connected to.
So - is relief on the way? And if so, will it be available in any OS earlier than 5.0? I have been trying to remove the custom crypto libraries from BBSSH and replace them with RIM Crypto; but it looks like for this piece, at least, I won't have that option.
06-11-2010 01:21 PM
Thanks for the suggestion.
I actually already had a custom version based on the Ganymed ssh library. As I'm trying to get rid of as much third party content as possible (mostly to keep it maintainable), I replaced the group of classes used for that validation with a simplified custom method that just implements the DSA validation itself, since it's a fairly trivial validation.
I also took the opportunity to switch over to CryptoInteger, instead of the custom and rather inefficient BigInteger implementation the Ganymed implementation used.
(Of course, there are other Ganymed and home-rolled crypto elements still present... replacing them slowly but surely with native BB calls when possible; or more efficient implementations when not)
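
A sketch of the stand-alone DSA verification the post above describes, as an added example that is not BBSSH's code or part of the original thread: nothing in the arithmetic depends on the modulus length, so a 2048 bit host key verifies the same way as a 1024 bit one, and the range checks on r and s are the part a hand-rolled verifier must not omit. The function names and the toy parameters are constructed for illustration; the `ssh-dss` blob layout (SHA-1, r followed by s, 20 bytes each) is the one from RFC 4253.

```python
import hashlib

def dsa_verify(p, q, g, y, digest, r, s):
    """Verify DSA signature (r, s) over an already-computed hash."""
    # Sanity-check the public values before doing any arithmetic.
    if not (1 < g < p and 1 < y < p):
        return False
    # The standard requires 0 < r < q and 0 < s < q; reject anything
    # else before taking the modular inverse.
    if not (0 < r < q and 0 < s < q):
        return False
    # z = leftmost bits of the hash, at most as many bits as q has.
    z = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - q.bit_length()
    if excess > 0:
        z >>= excess
    w = pow(s, -1, q)  # s^-1 mod q (Python 3.8+)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
    return v == r

def verify_ssh_dss(p, q, g, y, message, sig_blob):
    """ssh-dss per RFC 4253: SHA-1, blob is r || s, 20 bytes each."""
    if len(sig_blob) != 40:
        return False
    r = int.from_bytes(sig_blob[:20], "big")
    s = int.from_bytes(sig_blob[20:], "big")
    digest = hashlib.sha1(message).digest()
    return dsa_verify(p, q, g, y, digest, r, s)

# Constructed toy domain parameters, far too small for real use:
# q divides p - 1 and g has order q modulo p. Private key x = 7.
P, Q, G = 23, 11, 4
Y = pow(G, 7, P)  # public key

if __name__ == "__main__":
    # Constructed one-byte "digest" 0x50 signed with k = 3 gives (7, 7).
    print(dsa_verify(P, Q, G, Y, b"\x50", 7, 7))
    print(dsa_verify(P, Q, G, Y, b"\x60", 7, 7))  # altered digest
    print(dsa_verify(P, Q, G, Y, b"\x50", 0, 7))  # r out of range
```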