ietf-openpgp

Re: How to Calculate Signatures?

2005-04-03 11:37:16

Konrad Rosenbaum wrote:
> On Sunday 03 April 2005 18:41, Ben Laurie wrote:
>
>> Oh, yes. This left me with an unresolved issue: how does one use
>> SHA{256,384,512} with DSA (which requires a 160 bit hash).
>
>
> Simple: you don't. DSA was designed to be used with SHA-1, which is 160 bit. Since SHA-1 is theoretically broken (practically will probably follow in a few months) one should see what the NIST makes of it. Supplanting a broken hash with another hash doesn't make much sense with DSA, since it does not contain the ID of the hash (as PKCS#1 does for RSA) - so any attacker could find a collision with the broken hash and then simply change the hash ID in the signature packet.


I would agree with that.  There was some discussion
on the user's list about an attempt at producing a
code path to use SHA256... which seemed to confuse
the issue.

Would it be a good idea to put in a statement
explicitly limiting OpenPGP's view of DSS to be
SHA1 only?  And add a comment perhaps that in the
light of weaknesses in SHA1, that RSA with a fatter
digest be used instead as a workaround?

(SHA1 will remain a current issue until "something
is done".  When it was debated a month back, did we
reach a consensus to do something about it?  I got
the feeling that we didn't, but I might be just
remembering one side.)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
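
The point in the quoted reply above, that a DSA signature does not contain the ID of the hash while PKCS#1 does for RSA, shown as an added example that is not part of the original message. The function names are hypothetical, the sample message is constructed, and the truncation of longer digests to 160 bits is an assumption taken from later FIPS 186 revisions.

```python
import hashlib

# DER DigestInfo prefixes used by PKCS#1 v1.5 (as listed in RFC 4880,
# section 5.2.2); each one encodes the OID of the hash algorithm.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "ripemd160": bytes.fromhex("3021300906052b2403020105000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
Q_BITS = 160  # size of the DSA subgroup order q discussed in the thread


def rsa_signed_value(hash_name: str, digest: bytes) -> bytes:
    """Bytes covered by an RSA PKCS#1 v1.5 signature, before 00 01 FF.. padding."""
    prefix = DIGESTINFO_PREFIX[hash_name]
    if len(digest) != prefix[-1]:  # last prefix byte is the digest length
        raise ValueError("digest length does not match hash label")
    return prefix + digest


def dsa_signed_value(hash_name: str, digest: bytes) -> int:
    """Integer covered by a DSA signature. hash_name mirrors the hash ID field
    of the signature packet and is deliberately unused: only the digest,
    cut to its leftmost Q_BITS bits (assumed rule), enters the DSA math."""
    z = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - Q_BITS
    return z >> excess if excess > 0 else z


def compare_bindings(message: bytes) -> dict:
    """Relabel one 160-bit digest from SHA-1 to RIPEMD-160 and report whether
    the value each scheme signs changes with the label."""
    d160 = hashlib.sha1(message).digest()
    d256 = hashlib.sha256(message).digest()
    return {
        "rsa_relabel_changes_value":
            rsa_signed_value("sha1", d160) != rsa_signed_value("ripemd160", d160),
        "dsa_relabel_changes_value":
            dsa_signed_value("sha1", d160) != dsa_signed_value("ripemd160", d160),
        "dsa_sha256_fits_q":
            dsa_signed_value("sha256", d256).bit_length() <= Q_BITS,
    }


if __name__ == "__main__":
    print(compare_bindings(b"constructed sample message"))
```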