Ian G wrote:
> Konrad Rosenbaum wrote:
>> On Sunday 03 April 2005 18:41, Ben Laurie wrote:
>>> Oh, yes. This left me with an unresolved issue: how does one use
>>> SHA{256,384,512} with DSA (which requires a 160 bit hash).
>> Simple: you don't. DSA was designed to be used with SHA-1, which is
>> 160 bit. Since SHA-1 is theoretically broken (practically will
>> probably follow in a few months) one should see what the NIST makes of
>> it. Supplanting a broken hash with another hash doesn't make much
>> sense with DSA, since it does not contain the ID of the hash (as
>> PKCS#1 does for RSA) - so any attacker could find a collision with
>> the broken hash and then simply change the hash ID in the signature
>> packet.
> I would agree with that. There was some discussion
> on the user's list about an attempt at producing a
> code path to use SHA256... which seemed to confuse
> the issue.
> Would it be a good idea to put in a statement
> explicitly limiting OpenPGP's view of DSS to be
> SHA1 only? And add a comment perhaps that in the
> light of weaknesses in SHA1, that RSA with a fatter
> digest be used instead as a workaround?
The cost of that is that anyone with a DSA key is screwed. Seems like a
last resort to me.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
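The contrast Konrad draws, between PKCS#1 v1.5 (where the DigestInfo that RSA signs names the hash algorithm by OID) and classic DSA (which signs a bare 160-bit value with no algorithm identifier), as an added Python example that is not part of this thread. The DigestInfo prefixes are the standard ones from RFC 8017; the function names and the constructed sample message are mine.

```python
import hashlib

# DER DigestInfo prefixes (RFC 8017, Section 9.2, Note 1):
# SEQUENCE { SEQUENCE { OID hashAlgorithm, NULL }, OCTET STRING digest }
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def emsa_pkcs1_v15_encode(hash_name, message, em_len):
    """Build the encoded message that RSA signs under PKCS#1 v1.5.
    The hash algorithm OID sits inside the signed bytes, so a verifier
    can tell which hash the signer committed to."""
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + 11:                      # PS must be >= 8 bytes
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t

def recover_hash_name(em):
    """Verifier side: parse DigestInfo and return the hash algorithm it
    names, or None if the structure does not match any known prefix/length.
    A verifier must compare this against the algorithm it was told to use."""
    if em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name
    return None

def dsa_hash_input(message):
    """What classic (FIPS 186-2) DSA feeds to the signing equation: the
    SHA-1 digest as an integer below 2^160. Nothing in this value records
    which hash produced it, which is the gap Konrad points at."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")
```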