ietf-openpgp

How to Calculate Signatures?

2005-04-02 09:51:54

Once more referring to 2440bis-12...

The sections on calculating signatures are really confusing. I can't currently suggest alternate text for most of it because it's far from clear to me what the actual algorithms are. If someone explains, I'll do my best to write clarifying text.

Firstly:

5.2.2 says:

   The signature calculation is based on a hash of the signed data, as
   described above.

Until I wrote this email, I thought this sentence meant the signature calculation was described above. I've just realised it means that the hash is described above. I suggest instead:

   The signature calculation is based on the hash of the signed data
   described above.

Though since the hash is described much more usefully in 5.2.4, perhaps it should simply refer to that instead?

It then goes on to say:

   The details of the calculation are different for
   DSA signature than for RSA signatures.

   The hash h is PKCS-1 padded exactly the same way as for the above
   described RSA signatures.

For the life of me, I can't see an "above described RSA signature" - where is that? PKCS-1 is mentioned before, but for encryption, not signing.

It then goes on to describe truly revolting nastiness about PKCS-1 (shouldn't that be written PKCS#1, incidentally?) for doing RSA signatures, but never, as far as I can see, says how to do a DSA signature. From experiment, it seems to me that a DSA signature is done directly on the hash, without any manipulation at all. Correct?

Then in 5.2.3:

   The algorithms for converting the hash function result to a
   signature are described in a section below.

Firstly, it would be much more friendly to say _which_ section below, rather than leaving the reader to guess. I'd fill that in if I could find the section, but I can't. The nearest I can get is 5.2.4, which says:

   After all this has been hashed in a single hash context the
   resulting hash field is used in the signature algorithm, and placed
   at the end of the signature packet.

And that appears to be it, as far as signature algorithms are concerned. Reading between the lines, I'm assuming that what this really means is that the algorithms used are exactly what I'd expect, i.e. DSA directly on the hash, and RSA with PKCS#1 padding and the, err, other stuff. But references to further descriptions that I can't find leave me in doubt!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
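
The distinction the message arrives at, as an added example that is not part of the original message or of the draft: for RSA the hash is wrapped in a PKCS#1 v1.5 signature block (EMSA-PKCS1-v1_5) before the private-key operation, while for DSA the hash value is used as the integer directly. The sketch assumes SHA-1 and a 1024-bit RSA modulus; the function names and the sample bytes are constructed for illustration, and in OpenPGP the digest would come from the hash context described in 5.2.4.

```python
import hashlib
import hmac

# ASN.1 DigestInfo header for SHA-1, as defined by PKCS#1 v1.5.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v1_5(digest: bytes, modulus_bytes: int) -> bytes:
    """Return 00 01 FF..FF 00 || DigestInfo || digest, sized to the modulus."""
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("this sketch only handles 20-byte SHA-1 digests")
    t = SHA1_DIGESTINFO_PREFIX + digest
    pad_len = modulus_bytes - len(t) - 3
    if pad_len < 8:  # PKCS#1 requires at least eight FF padding bytes
        raise ValueError("modulus too short for PKCS#1 v1.5 encoding")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def rsa_signature_input(digest: bytes, modulus_bytes: int) -> int:
    """Integer handed to the RSA private-key operation."""
    return int.from_bytes(emsa_pkcs1_v1_5(digest, modulus_bytes), "big")


def dsa_signature_input(digest: bytes) -> int:
    """Integer handed to DSA: the hash itself, with no padding or ASN.1."""
    return int.from_bytes(digest, "big")


def matches_encoding(recovered: bytes, digest: bytes, modulus_bytes: int) -> bool:
    """Verifier side: rebuild the expected block and compare all of it,
    rather than parsing the recovered block leniently."""
    return hmac.compare_digest(recovered, emsa_pkcs1_v1_5(digest, modulus_bytes))


if __name__ == "__main__":
    # Constructed sample data standing in for the 5.2.4 hash input.
    digest = hashlib.sha1(b"constructed sample hash input").digest()
    block = emsa_pkcs1_v1_5(digest, 128)  # 128 bytes = 1024-bit modulus
    print("RSA block :", block.hex())
    print("DSA input :", hex(dsa_signature_input(digest)))
    print("verifies  :", matches_encoding(block, digest, 128))
```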