Here are proposed diffs.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
--- draft-ietf-openpgp-rfc2440bis-12.txt Tue Nov 23 18:36:41 2004
+++ draft-ietf-openpgp-rfc2440bis-12-ben.txt Sun Apr 3 15:29:31 2005
@@ -1137,13 +1137,6 @@
- One or more multiprecision integers comprising the signature.
This portion is algorithm specific, as described below.
- The data being signed is hashed, and then the signature type and
- creation time from the signature packet are hashed (5 additional
- octets). The resulting hash value is used in the signature
- algorithm. The high 16 bits (first two octets) of the hash are
- included in the signature packet to provide a quick test to reject
- some invalid signatures.
-
Algorithm Specific Fields for RSA signatures:
- multiprecision integer (MPI) of RSA signature value m**d mod n.
@@ -1154,80 +1147,10 @@
- MPI of DSA value s.
- The signature calculation is based on a hash of the signed data, as
- described above. The details of the calculation are different for
- DSA signature than for RSA signatures.
-
- The hash h is PKCS-1 padded exactly the same way as for the above
- described RSA signatures.
-
- With RSA signatures, the hash value is encoded as described in
- PKCS-1 section 9.2.1 encoded using PKCS-1 encoding type
- EMSA-PKCS1-v1_5 [RFC2437]. This requires inserting the hash value
- as an octet string into an ASN.1 structure. The object identifier
- for the type of hash being used is included in the structure. The
- hexadecimal representations for the currently defined hash
- algorithms are:
-
- - MD5: 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05
-
-
-
-Callas, et al. Expires May 23, 2005 [Page 21]
-INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004
-
- - RIPEMD-160: 0x2B, 0x24, 0x03, 0x02, 0x01
-
- - SHA-1: 0x2B, 0x0E, 0x03, 0x02, 0x1A
-
- - SHA256: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
-
- - SHA384: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
-
- - SHA512: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
-
- The ASN.1 OIDs are:
-
- - MD5: 1.2.840.113549.2.5
-
- - RIPEMD-160: 1.3.36.3.2.1
-
- - SHA-1: 1.3.14.3.2.26
-
- - SHA256: 2.16.840.1.101.3.4.2.1
-
- - SHA384: 2.16.840.1.101.3.4.2.2
-
- - SHA512: 2.16.840.1.101.3.4.2.3
-
- The full hash prefixes for these are:
-
- MD5: 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86,
- 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00,
- 0x04, 0x10
-
- RIPEMD-160: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24,
- 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14
-
- SHA-1: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0E,
- 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14
-
- SHA256: 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
- 0x00, 0x04, 0x20
-
- SHA384: 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
- 0x00, 0x04, 0x30
-
- SHA512: 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
- 0x00, 0x04, 0x40
-
- DSA signatures MUST use hashes with a size of 160 bits, to match q,
- the size of the group generated by the DSA key's generator value.
- The hash function result is treated as a 160 bit number and used
- directly in the DSA signature algorithm.
+ The signature calculation is based on a hash of the signed
+ data. This is described in detail in section 5.2.4. The high 16
+ bits (first two octets) of the hash are included in the signature
+ packet to provide a quick test to reject some invalid signatures.
Callas, et al. Expires May 23, 2005 [Page 22]
INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004
@@ -1263,20 +1186,16 @@
- One or more multiprecision integers comprising the signature.
This portion is algorithm specific, as described above.
- The data being signed is hashed, and then the signature data from
- the version number through the hashed subpacket data (inclusive) is
- hashed. The resulting hash value is what is signed. The left 16
- bits of the hash are included in the signature packet to provide a
- quick test to reject some invalid signatures.
-
There are two fields consisting of signature subpackets. The first
field is hashed with the rest of the signature data, while the
second is unhashed. The second set of subpackets is not
cryptographically protected by the signature and should include only
advisory information.
- The algorithms for converting the hash function result to a
- signature are described in a section below.
+ The algorithms for calculating the hash and converting the result
+ to a signature are described in section 5.2.4. The left 16 bits of
+ the hash are included in the signature packet to provide a quick
+ test to reject some invalid signatures.
5.2.3.1. Signature Subpacket Specification
@@ -1936,7 +1855,72 @@
resulting hash field is used in the signature algorithm, and placed
at the end of the signature packet.
-5.2.4.1. Subpacket Hints
+5.2.4.1. Signature Algorithms
+
+5.2.4.1.1. DSA Signatures
+
+ A DSA signature is performed as specified in [FIPS-186-2] on the
+ value of the hash, calculated as above.
+
+ DSA signatures MUST use hashes with a size of 160 bits, to match q,
+ the size of the group generated by the DSA key's generator value.
+ The hash function result is treated as a 160 bit number and used
+ directly in the DSA signature algorithm.
+
+5.2.4.1.2. RSA Signatures
+
+ With RSA signatures, the hash value is encoded as described in
+ PKCS #1 section 9.2.1 encoded using PKCS #1 encoding type
+ EMSA-PKCS1-v1_5 [RFC2437]. This requires inserting the hash value
+ as an octet string into an ASN.1 structure. The object identifier
+ for the type of hash being used is included in the structure.
+
+ The ASN.1 OIDs are:
+
+ - MD5: 1.2.840.113549.2.5
+
+ - RIPEMD-160: 1.3.36.3.2.1
+
+ - SHA-1: 1.3.14.3.2.26
+
+ - SHA256: 2.16.840.1.101.3.4.2.1
+
+ - SHA384: 2.16.840.1.101.3.4.2.2
+
+ - SHA512: 2.16.840.1.101.3.4.2.3
+
+ In practice this amounts to prefixing the hash with one of the
+ following, then padding as described in PKCS #1:
+
+ MD5: 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00,
+ 0x04, 0x10
+
+ RIPEMD-160: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24,
+ 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14
+
+ SHA-1: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0E,
+ 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14
+
+ SHA256: 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+ 0x00, 0x04, 0x20
+
+ SHA384: 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
+ 0x00, 0x04, 0x30
+
+ SHA512: 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+ 0x00, 0x04, 0x40
+
+ The value emLen needed for the padding is equal to the length in
+ bytes of the RSA public modulus, n.
+
+ Once the hash has been encoded and padded, the resulting string is
+ encrypted with the RSA private key as described in [RSA].
+
+5.2.4.2. Subpacket Hints
It is certainly possible for a signature to contain conflicting
information in subpackets. For example, a signature may contain
@@ -3084,7 +3068,7 @@
2 - RSA Encrypt-Only
3 - RSA Sign-Only
16 - Elgamal (Encrypt-Only), see [ELGAMAL]
- 17 - DSA (Digital Signature Algorithm) [SCHNEIER]
+ 17 - DSA (Digital Signature Algorithm) [DSA]
18 - Reserved for Elliptic Curve
19 - Reserved for ECDSA
20 - Reserved (formerly Elgamal Encrypt or Sign)
@@ -3946,6 +3930,10 @@
1983, August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997.
+ [FIPS186-2] "Digital Signature Standard", FIPS 186-2, January
+ 2000.
+ [RSA] Menezes, A., et al. "Handbook of Applied
+ Cryptography", Section 8.2., October 1996.