Konrad Rosenbaum wrote:
On Sunday 03 April 2005 18:41, Ben Laurie wrote:
Oh, yes. This left me with an unresolved issue: how does one use
SHA{256,384,512} with DSA (which requires a 160 bit hash).
Simple: you don't. DSA was designed to be used with SHA-1, which is 160 bit.
Since SHA-1 is theoretically broken (practically will probably follow in a
few months) one should see what the NIST makes of it. Supplanting a broken
hash with another hash doesn't make much sense with DSA, since it does not
contain the ID of the hash (as PKCS#1 does for RSA) - so any attacker could
find a collission with the broken hash and then simply change the hash ID
in the signature packet.
The hash does include the ID of the hash, and hence the signature does.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff