Re: [openpgp] Clarifiction on v5 signatures
Werner Koch <wk@gnupg.org> Wed, 24 October 2018 15:20 UTC
Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647C7130DFC for <openpgp@ietfa.amsl.com>; Wed, 24 Oct 2018 08:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gnupg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T32kz12rrMwc for <openpgp@ietfa.amsl.com>; Wed, 24 Oct 2018 08:20:11 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E90C123FFD for <openpgp@ietf.org>; Wed, 24 Oct 2018 08:20:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org; s=20181017; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=eRR/dpk9pA6jyIyxQGsBUIcJjboJmNL66gmw7V+uLQQ=; b=NIDBV9sUB3QsRurzXrZIqlimq7 XNhxS5qTGOZWVcjsxwaITO88wGQiOdyMDBD1bMSIaFF1jOiFYfl/xZkoVtouH9t+GhYhyyM+1mScz PDW30dMBwEP9qvX+AJXCPBsjak3HLUtHWs4Qa8tSmCXY7EG+nBOMMEN1zbwYrx1HCW1c=;
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.89 #1 (Debian)) id 1gFKx7-00045Z-6f for <openpgp@ietf.org>; Wed, 24 Oct 2018 17:20:09 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian)) id 1gFKt9-0006ul-VV for <openpgp@ietf.org>; Wed, 24 Oct 2018 17:16:04 +0200
From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
References: <877ei9szyc.fsf@wheatstone.g10code.de>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: openpgp@ietf.org
Date: Wed, 24 Oct 2018 17:15:58 +0200
In-Reply-To: <877ei9szyc.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 23 Oct 2018 12:46:19 +0200")
Message-ID: <878t2npe8h.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=AMEMB_e-cash_spy_BLU-97_A/B_Delta_Force_IRA_nitrate_Etacs_FTS2000_MD"; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/K2ba8G2xO5sAoxBUh-WqfdMxFwA>
Subject: Re: [openpgp] Clarifiction on v5 signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 15:20:15 -0000
On Tue, 23 Oct 2018 12:46, wk@gnupg.org said: > by requirung that a v5 key must use a v5 signature. That v5 signature > now includes the meta data from the Literal Data packet. I revisted the new scheme and changed it to make it easier to adapt by existing implementations. I also reworked the section on how to create the the final trailer. The new text reads: --8<---------------cut here---------------start------------->8--- 5.2.4. Computing Signatures [...] Once the data body is hashed, then a trailer is hashed. This trailer depends on the version of the signature. o A V3 signature hashes five octets of the packet body, starting from the signature type field. This data is the signature type, followed by the four-octet signature time. o A V4 signature hashes the packet body starting from its first field, the version number, through the end of the hashed subpacket data and a final extra trailer. Thus, the hashed fields are: * the signature version (0x04), * the signature type, * the public-key algorithm, * the hash algorithm, * the hashed subpacket length, * the hashed subpacket body, * the two octets 0x04 and 0xFF, * a four-octet big-endian number that is the length of the hashed data from the Signature packet stopping right before the 0x04, 0xff octets. The four-octet big-endian number is considered to be an unsigned integer modulo 2^32. o A V5 signature hashes the packet body starting from its first field, the version number, through the end of the hashed subpacket data and a final extra trailer. Thus, the hashed fields are: * the signature version (0x05), * the signature type, * the public-key algorithm, * the hash algorithm, * the hashed subpacket length, * the hashed subpacket body, * Only for document signatures (type 0x00 or 0x01) the following three data items are hashed here: + the one-octet content format, + the file name as a string (one octet length, followed by the file name), + a four-octet number that indicates a date, * the two octets 0x05 and 0xFF, * a eight-octet big-endian number that is the length of the hashed data from the Signature packet stopping right before the 0x05, 0xff octets. The three data items hashed for document signatures need to mirror the values of the Literal Data packet. For detached signatures 6 zero bytes are hashed instead. After all this has been hashed in a single hash context, the resulting hash field is used in the signature algorithm and placed at the end of the Signature packet. --8<---------------cut here---------------end--------------->8--- A possible drawback of these new V5 signatures is that they make it impossible to convert a detached signatures into a standard signature. I am not aware of any actual attack due the possibility of converting From detached to standard signature but it seems to be more safe to inhibit this. And well, to protect the file name etc also by the signature. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
- [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Heiko Stamer
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Wiktor Kwapisiewicz
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Wiktor Kwapisiewicz
- Re: [openpgp] Clarifiction on v5 signatures Heiko Stamer
- Re: [openpgp] Clarifiction on v5 signatures Wiktor Kwapisiewicz
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Wiktor Kwapisiewicz
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch
- Re: [openpgp] Clarifiction on v5 signatures Paul Fawkesley
- Re: [openpgp] Clarifiction on v5 signatures Vincent Breitmoser
- Re: [openpgp] Clarifiction on v5 signatures Heiko Stamer
- Re: [openpgp] Clarifiction on v5 signatures Wiktor Kwapisiewicz
- Re: [openpgp] Clarifiction on v5 signatures Werner Koch