IETF Logo Mail Archive

Re: [openpgp] Clarifiction on v5 signatures

Werner Koch <wk@gnupg.org> Wed, 24 October 2018 15:20 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647C7130DFC for <openpgp@ietfa.amsl.com>; Wed, 24 Oct 2018 08:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gnupg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T32kz12rrMwc for <openpgp@ietfa.amsl.com>; Wed, 24 Oct 2018 08:20:11 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E90C123FFD for <openpgp@ietf.org>; Wed, 24 Oct 2018 08:20:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org; s=20181017; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=eRR/dpk9pA6jyIyxQGsBUIcJjboJmNL66gmw7V+uLQQ=; b=NIDBV9sUB3QsRurzXrZIqlimq7 XNhxS5qTGOZWVcjsxwaITO88wGQiOdyMDBD1bMSIaFF1jOiFYfl/xZkoVtouH9t+GhYhyyM+1mScz PDW30dMBwEP9qvX+AJXCPBsjak3HLUtHWs4Qa8tSmCXY7EG+nBOMMEN1zbwYrx1HCW1c=;
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.89 #1 (Debian)) id 1gFKx7-00045Z-6f for <openpgp@ietf.org>; Wed, 24 Oct 2018 17:20:09 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian)) id 1gFKt9-0006ul-VV for <openpgp@ietf.org>; Wed, 24 Oct 2018 17:16:04 +0200
From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
References: <877ei9szyc.fsf@wheatstone.g10code.de>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: openpgp@ietf.org
Date: Wed, 24 Oct 2018 17:15:58 +0200
In-Reply-To: <877ei9szyc.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 23 Oct 2018 12:46:19 +0200")
Message-ID: <878t2npe8h.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=AMEMB_e-cash_spy_BLU-97_A/B_Delta_Force_IRA_nitrate_Etacs_FTS2000_MD"; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/K2ba8G2xO5sAoxBUh-WqfdMxFwA>
Subject: Re: [openpgp] Clarifiction on v5 signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 15:20:15 -0000

On Tue, 23 Oct 2018 12:46, wk@gnupg.org said:

> by requirung that a v5 key must use a v5 signature.  That v5 signature
> now includes the meta data from the Literal Data packet.

I revisted the new scheme and changed it to make it easier to adapt by
existing implementations.  I also reworked the section on how to create
the the final trailer.  The new text reads:

--8<---------------cut here---------------start------------->8---
5.2.4.  Computing Signatures

   [...]
   Once the data body is hashed, then a trailer is hashed.  This trailer
   depends on the version of the signature.

   o  A V3 signature hashes five octets of the packet body, starting
      from the signature type field.  This data is the signature type,
      followed by the four-octet signature time.

   o  A V4 signature hashes the packet body starting from its first
      field, the version number, through the end of the hashed subpacket
      data and a final extra trailer.  Thus, the hashed fields are:

      *  the signature version (0x04),

      *  the signature type,

      *  the public-key algorithm,

      *  the hash algorithm,

      *  the hashed subpacket length,

      *  the hashed subpacket body,

      *  the two octets 0x04 and 0xFF,

      *  a four-octet big-endian number that is the length of the hashed
         data from the Signature packet stopping right before the 0x04,
         0xff octets.

      The four-octet big-endian number is considered to be an unsigned
      integer modulo 2^32.

   o  A V5 signature hashes the packet body starting from its first
      field, the version number, through the end of the hashed subpacket
      data and a final extra trailer.  Thus, the hashed fields are:

      *  the signature version (0x05),

      *  the signature type,

      *  the public-key algorithm,

      *  the hash algorithm,

      *  the hashed subpacket length,

      *  the hashed subpacket body,

      *  Only for document signatures (type 0x00 or 0x01) the following
         three data items are hashed here:

         +  the one-octet content format,

         +  the file name as a string (one octet length, followed by the
            file name),

         +  a four-octet number that indicates a date,

      *  the two octets 0x05 and 0xFF,

      *  a eight-octet big-endian number that is the length of the
         hashed data from the Signature packet stopping right before the
         0x05, 0xff octets.

      The three data items hashed for document signatures need to mirror
      the values of the Literal Data packet.  For detached signatures 6
      zero bytes are hashed instead.

   After all this has been hashed in a single hash context, the
   resulting hash field is used in the signature algorithm and placed at
   the end of the Signature packet.
--8<---------------cut here---------------end--------------->8---


A possible drawback of these new V5 signatures is that they make it
impossible to convert a detached signatures into a standard signature.
I am not aware of any actual attack due the possibility of converting
From detached to standard signature but it seems to be more safe to
inhibit this.  And well, to protect the file name etc also by the
signature.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

v2.23.0 | Report a Bug | By Email