ietf-openpgp

Re: Suggested changes for DSA2, take 4

2006-03-29 10:54:04

David Shaw wrote:
> Here is round four.  Only little fiddle changes at this point.
>
> ==================================
>
> Section 5.2.2 (Version 3 Signature Packet Format) says:
>
>     DSA signatures MUST use hashes with a size of 160 bits, to match q,
>     the size of the group generated by the DSA key's generator value.
>     The hash function result is treated as a 160 bit number and used
>     directly in the DSA signature algorithm.
>
> change to:
>
>     DSA signatures MUST use hashes that are equal in size to the
>     number of bits of q, the group generated by the DSA key's
>     generator value.  If the output size of the chosen hash is larger
>     than the number of bits of q, the hash result is truncated to fit
>     by taking the number of leftmost bits equal to the number of bits
>     of q.  This (possibly truncated) hash function result is treated
>     as a number and used directly in the DSA signature algorithm.
>
> No change.

Slightly late to the party here, but I should note that hash truncation
is not an operation that is thoroughly approved of. In particular I
would worry that if it is permitted a cunning attacker might be able to
choose a new q s.t. the signature still validated on a much shorter
version of the hash, and thus show a valid signature on the wrong
document. I would therefore suggest that we do _not_ permit arbitrary
truncation of hashes.

Secondly, q is not a group, it is a prime.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
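
The truncation rule in the proposed 5.2.2 wording, and the point the reply raises about it, as an added example that is not part of either message: the number of digest bits a signature actually covers is set by the bit length of q in the key. The function names, the `MIN_Q_BITS` policy value and the stand-in q values (chosen only for their bit length, not real DSA primes) are assumptions made for illustration.

```python
import hashlib

# Assumed verifier policy for this sketch: refuse keys whose q is shorter than
# 160 bits, the size the existing 5.2.2 text requires.
MIN_Q_BITS = 160

def truncate_hash_for_dsa(digest: bytes, q: int) -> int:
    """Treat the digest as a big-endian number, keeping only the leftmost
    bit_length(q) bits when the digest is longer than q."""
    excess = len(digest) * 8 - q.bit_length()
    z = int.from_bytes(digest, "big")
    if excess > 0:
        z >>= excess  # drop the rightmost bits; also handles non-byte-aligned q
    return z

def digest_bits_covered(digest: bytes, q: int) -> int:
    """How many bits of the digest influence the number that gets signed."""
    return min(len(digest) * 8, q.bit_length())

def q_acceptable(q: int, min_bits: int = MIN_Q_BITS) -> bool:
    """Policy check applied before verification: reject short q outright."""
    return q.bit_length() >= min_bits

def stand_in_q(bits: int) -> int:
    """Constructed value with the requested bit length (NOT a real DSA prime)."""
    return (1 << (bits - 1)) | 1

# Constructed sample digests: B differs from A only in its very last bit.
DIGEST_A = hashlib.sha256(b"constructed sample document").digest()
DIGEST_B = DIGEST_A[:-1] + bytes([DIGEST_A[-1] ^ 0x01])

if __name__ == "__main__":
    for bits in (256, 161, 160, 32):
        q = stand_in_q(bits)
        same = truncate_hash_for_dsa(DIGEST_A, q) == truncate_hash_for_dsa(DIGEST_B, q)
        print(f"q={bits:3d} bits  covered={digest_bits_covered(DIGEST_A, q):3d}  "
              f"A and B map to same number: {same}  acceptable: {q_acceptable(q)}")
```

With a 256-bit q the two digests map to different numbers; with any shorter q they map to the same one, because the differing bit is among those discarded.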
