[OpenWrt-Devel] Dropbear DSA keys

Torsten Duwe duwe at suse.de
Thu Mar 31 07:41:10 EDT 2016

Hi Felix,

in svn commit 46814 / git commit 095c30687c75ede2d25918b
on Tue Sep 8 08:55:10 2015 +0000 you wrote:

    dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
    While technically required by the RFC, they are usually completely
    unused (DSA), or have security issues (3DES, CBC)

While I agree with you on dropping 3DES and CBC modes, the claim that
DSA is "completely unused" is a fairly bold assumption IMHO.

First, as you mentioned, it is part of the standard(!) and has no technical

Second, it used to be the default type for keys generated by OpenSSH for
some extended time period, IIRC.

Wouldn't it save a lot more space to consolidate SSH, SSL, WPA and VPN
onto a single, shared crypto library? At least dropbear uses its own...

The main problem I see with this change however is that it needs to be
*documented* somewhere prominently, a ChangeLog at least, if not release
notes. While at it, why not switch to ECC completely? A few 4096-bit
RSA keys quickly outweigh the smaller image size.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org