[Top] [All Lists]

Re: How to Calculate Signatures?

2005-04-03 11:54:56

Ian G wrote:

Konrad Rosenbaum wrote:

On Sunday 03 April 2005 18:41, Ben Laurie wrote:

Oh, yes. This left me with an unresolved issue: how does one use
SHA{256,384,512} with DSA (which requires a 160 bit hash).

Simple: you don't. DSA was designed to be used with SHA-1, which is 160 bit. Since SHA-1 is theoretically broken (practically will probably follow in a few months) one should see what the NIST makes of it. Supplanting a broken hash with another hash doesn't make much sense with DSA, since it does not contain the ID of the hash (as PKCS#1 does for RSA) - so any attacker could find a collission with the broken hash and then simply change the hash ID in the signature packet.

I would agree with that.  There was some discussion
on the user's list about an attempt at producing a
code path to use SHA256... which seemed to confuse
the issue.

Would it be a good idea to put in a statement
explicitly limiting OpenPGP's view of DSS to be
SHA1 only?  And add a comment perhaps that in the
light of weaknesses in SHA1, that RSA with a fatter
digest be used instead as a workaround?

The cost of that is that anyone with a DSA key is screwed. Seems like a last resort to me.


"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff