/ go Public
crypto/dsa: deprecate and remove from crypto/x509 and x/crypto/ssh #40337
The path to resolution is known, but the work has not been done.
Proposal related to crypto packages or other security issues
DSA is an obsolete, fragile, insecure, and mostly unused signature scheme. I'm proposing that we deprecate (but not remove) the
crypto/dsapackage, recommending a modern alternative such as
crypto/ed25519, and drop support for DSA keys in the
The problem with DSA
First, DSA suffers of what we now know is a design mistake: it requires each key to bring along its own parameters, instead of setting globally accepted ones. Parameters are slow to generate, large to encode, and most importantly very hard to validate. This caused a remote DoS in Go 1.13 (CVE-2019-17596, #34960) exploitable through both TLS and SSH.
Second, DSA was initially standardized with a max key size of 1024 bits, which is now universally acknowledged as insecure against real-world attackers. While larger key sizes were standardized years later, by then it made no sense to use DSA in new systems anymore, so the systems that kept using DSA did it for backwards compatibility and didn't adopt larger keys. It's also been almost 20 years.
I wrote more about this in a newsletter issue.
DSA and X.509
The Mozilla Root Store policy rejects DSA keys in X.509 certificates, so they are completely absent from the WebPKI, which is what
crypto/x509targets. Anecdotally, they are also not in use in any private PKI I am aware of. (This is obviously a hard assertion to substantiate.)
crypto/x509is exposed to the world for most Go applications through
crypto/tls, and supporting DSA is a liability in terms of attack surface, as proved by CVE-2019-17596.
Also note that
crypto/tlsdoesn't itself support DSA certificates, so they already can't be used as website certificates, only as intermediate or root CAs.
DSA and SSH
ssh-keygenonly ever supported insecure 1024-bit keys. 94% of the DSA keys on GitHub are 1024-bit. The golang.org/x/crypto/ssh package only supports 1024-bit keys. DSA as used in SSH is insecure.
There is reason to think removing DSA support will actually help compatibility, by preferring other key types and avoiding connection failures for key sizes other than 1024-bit (#23751). OpenSSH 7.0 disabled DSA support in 2015. Dropping DSA support will also help align the host keys observed by x/crypto/ssh with the ones in an OpenSSH
Edited to add: NIST is deprecating DSA
DSA is specified in FIPS 186 by NIST. The draft of the next version of the specification, FIPS 186-5, removes all text about DSA except for a paragraph stating that DSA may only be used to verify existing legacy signatures. We risk being behind the FIPS standards!
The text was updated successfully, but these errors were encountered: