Hal Finney wrote:
I suggest that we do one of two things. We could change the spec to
require SHA-1 with DSA keys, and then when NIST comes out with DSA-2
which uses SHA-2 (which they have been promising for years now), we will
then support the larger hashes. Or we could change the spec to allow
any hash >= 160 bits to be used with DSA keys. We could follow the NIST
recommendation in
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
and use just the left 160 bits of the larger hash.
I lean towards the first solution, even though hash rollback attacks
require the ability to completely reverse hashes and not just find
collisions, so we really do seem safe from them. I feel uncomfortable
going out with a spec that intentionally opens itself up to a preventable
attack. But it's frustrating that NIST has dragged its feet and not
come up with a DSA standard that allows other hashes. It is tempting
to allow SHA-2 with DSA as an interim measure.
I also lean to the first solution. I do not
judge the size of the market in digital
signatures to be anywhere significant
enough to worry about, and the attacks
so far mooted are all in the theoretical,
unvalidated domain.
Secondly, if someone wants something
stronger than DSA, they can use RSA.
It's good to review the possibilities though.
(I'm sure NIST have also received their
wake up call by now ;-)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/