Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH)

Document type: Active Internet-Draft (curdle WG)
Last updated: 2018-01-04 (latest revision 2017-10-12)
Replaces: draft-rsa-dsa-sha2-256
Stream: IETF
Intended RFC status: Proposed Standard
Reviews: SECDIR, GENART will not review this version
WG state: Submitted to IESG for Publication
Document shepherd: Daniel Migault (shepherd write-up last changed 2017-06-01)
IESG state: RFC Ed Queue
Consensus boilerplate: Yes
Responsible AD: Eric Rescorla
IANA review state: IANA OK - Actions Needed
IANA action state: RFC-Ed-Ack
RFC Editor state: EDIT
Internet-Draft                                                  D. Bider
Updates: 4252, 4253 (if approved)                        Bitvise Limited
Intended status: Standards Track                        October 12, 2017
Expires: April 12, 2018

      Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH)


  This memo updates RFC 4252 and RFC 4253 to define new public key
  algorithms for use of RSA keys with SHA-256 and SHA-512 for server and
  client authentication in SSH connections.


  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time. It is inappropriate to use Internet-Drafts as reference material
  or to cite them other than as "work in progress."

  The list of current Internet-Drafts can be accessed at
  The list of Internet-Draft Shadow Directories can be accessed at


  Copyright (c) 2017 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  ( in effect on the date of
  publication of this document.  Please review these documents
  carefully, as they describe your rights and restrictions with respect
  to this document.  Code Components extracted from this document must
  include Simplified BSD License text as described in Section 4.e of
  the Trust Legal Provisions and are provided without warranty as
  described in the Simplified BSD License.

Bider                                                           [Page 1]
Internet-Draft    RSA Keys with SHA-256, SHA-512 in SSH     October 2017

  This document may contain material from IETF Documents or IETF
  Contributions published or made publicly available before November 10,
  2008. The person(s) controlling the copyright in some of this material
  may not have granted the IETF Trust the right to allow modifications
  of such material outside the IETF Standards Process. Without obtaining
  an adequate license from the person(s) controlling the copyright in
  such materials, this document may not be modified outside the IETF
  Standards Process, and derivative works of it may not be created
  outside the IETF Standards Process, except to format it for
  publication as an RFC or to translate it into languages other than

1.  Overview and Rationale

  Secure Shell (SSH) is a common protocol for secure communication on
  the Internet. In [RFC4253], SSH originally defined the public key
  algorithms "ssh-rsa" for server and client authentication using RSA
  with SHA-1, and "ssh-dss" using 1024-bit DSA and SHA-1. These
  algorithms are now considered deficient. For US government use, NIST
  has disallowed 1024-bit RSA and DSA, and use of SHA-1 for signing
  This memo updates RFC 4252 and RFC 4253 to define new public key
  algorithms allowing for interoperable use of existing and new RSA keys
  with SHA-256 and SHA-512.

1.1.  Requirements Terminology

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  document are to be interpreted as described in [RFC2119].

1.2.  Wire Encoding Terminology

  The wire encoding types in this document - "boolean", "byte",
  "string", "mpint" - have meanings as described in [RFC4251].

2.  Public Key Format vs. Public Key Algorithm

  In [RFC4252], the concept "public key algorithm" is used to establish
  a relationship between one algorithm name, and:
  A. Procedures used to generate and validate a private/public keypair.
  B. A format used to encode a public key.
  C. Procedures used to calculate, encode, and verify a signature.
  This document uses the term "public key format" to identify only A and
  B in isolation. The term "public key algorithm" continues to identify
  all three aspects A, B, and C.


3.  New RSA Public Key Algorithms

  This memo adopts the style and conventions of [RFC4253] in specifying
  how use of a public key algorithm is indicated in SSH.

  The following new public key algorithms are defined:
    rsa-sha2-256        RECOMMENDED    sign    Raw RSA key
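The following Python program is an added example and is not part of the draft or of the author's or Bitvise's code. It ties together sections 1.2, 2 and 3 above: it implements the RFC 4251 wire encodings named in section 1.2 ("boolean", "byte", "string", "mpint"), keeps the public key format (aspects A and B of section 2) as one function shared by all three algorithm names, and lets only the algorithm name (aspect C) decide which hash goes into the PKCS#1 v1.5 signature. Assumptions beyond this truncated page: the key blob layout (string "ssh-rsa", mpint e, mpint n) and the signature blob layout (string algorithm-name, string raw-signature) are taken from RFC 4253 section 6.6, which rsa-sha2-256 and rsa-sha2-512 reuse with only the name changed; the DigestInfo prefixes come from RFC 8017 section 9.2; the RSA keypair is a seeded, constructed toy key, and all function names are mine.

```python
import hashlib
import hmac
import random

# ---- RFC 4251 section 5 wire encodings (the types named in section 1.2) ----

def enc_boolean(value: bool) -> bytes:
    return b"\x01" if value else b"\x00"

def enc_byte(value: int) -> bytes:
    return bytes([value])

def enc_string(data: bytes) -> bytes:
    """uint32 big-endian length followed by the raw bytes."""
    return len(data).to_bytes(4, "big") + data

def enc_mpint(value: int) -> bytes:
    """Non-negative mpint: two's complement, minimal length, so a leading
    zero byte is present only when the top bit of the value is set."""
    if value == 0:
        return enc_string(b"")
    return enc_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def dec_string(buf: bytes, off: int = 0):
    """Parse one 'string' at offset off; returns (payload, next_offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n

# ---- public key FORMAT (aspects A and B of section 2), shared by all names ----
# Assumed layout from RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n.

def encode_rsa_public_key(e: int, n: int) -> bytes:
    return enc_string(b"ssh-rsa") + enc_mpint(e) + enc_mpint(n)

# ---- public key ALGORITHM (aspect C): the name selects hash and DigestInfo ----
# DigestInfo prefixes as listed in RFC 8017 section 9.2, note 1.
ALGORITHMS = {
    "ssh-rsa":      (hashlib.sha1,   bytes.fromhex("3021300906052b0e03021a05000414")),
    "rsa-sha2-256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "rsa-sha2-512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}

def emsa_pkcs1_v1_5(alg: str, message: bytes, k: int) -> bytes:
    hash_fn, prefix = ALGORITHMS[alg]
    t = prefix + hash_fn(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for " + alg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ssh_sign(alg: str, key, message: bytes) -> bytes:
    """SSH signature blob: string <algorithm name>, string <raw RSA signature>."""
    n, e, d = key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(alg, message, k), "big")
    return enc_string(alg.encode()) + enc_string(pow(em, d, n).to_bytes(k, "big"))

def ssh_verify(key_blob: bytes, sig_blob: bytes, message: bytes) -> bool:
    """Verify against an ssh-rsa key blob; the name inside the signature blob
    decides which hash the verifier expects, so a relabelled blob fails."""
    fmt, off = dec_string(key_blob)
    if fmt != b"ssh-rsa":
        return False
    e_bytes, off = dec_string(key_blob, off)
    n_bytes, off = dec_string(key_blob, off)
    e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
    alg_bytes, off = dec_string(sig_blob)
    alg = alg_bytes.decode("ascii", "replace")
    if alg not in ALGORITHMS:
        return False
    s, _ = dec_string(sig_blob, off)
    k = (n.bit_length() + 7) // 8
    if len(s) != k or int.from_bytes(s, "big") >= n:
        return False
    em = pow(int.from_bytes(s, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(alg, message, k))

# ---- constructed demo key: seeded Miller-Rabin, reproducible, toy-sized ----

def _probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_key(bits: int = 1024, seed: int = 8332):
    """Toy RSA keypair (n, e, d); 1024 bits is enough to fit every DigestInfo here."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (c - 1) % e and _probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    key = generate_demo_key()
    blob = encode_rsa_public_key(key[1], key[0])
    for name in ALGORITHMS:
        print(name, ssh_verify(blob, ssh_sign(name, key, b"constructed message"), b"constructed message"))
```

The point the code makes concrete is the one section 2 draws: the same "ssh-rsa" key blob is presented for "ssh-rsa", "rsa-sha2-256" and "rsa-sha2-512" alike, and only the name carried inside the signature blob changes what the verifier hashes. A verifier that reads that name and then checks the hash it implies, as `ssh_verify` does, rejects a SHA-1 signature that has merely been relabelled as rsa-sha2-256.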