Suggested changes for DSA2
David Shaw <dshaw@jabberwocky.com> Wed, 22 March 2006 00:14 UTC
Here are some suggested changes for DSA2. I'm sure this will prompt other suggestions - think of this as a starting point.

==================================

Section 5.2.2 (Version 3 Signature Packet Format) says:

    DSA signatures MUST use hashes with a size of 160 bits, to match q, the size of the group generated by the DSA key's generator value. The hash function result is treated as a 160 bit number and used directly in the DSA signature algorithm.

change to:

    DSA signatures MUST use hashes that are equal to or larger than the size of q, the group generated by the DSA key's generator value. If the chosen hash is larger than the size of q, the hash result is truncated to fit by taking the appropriate number of leftmost bits. This (possibly truncated) hash function result is treated as a number and used directly in the DSA signature algorithm.

==================================

Section 12.5. (DSA) says:

    An implementation SHOULD NOT implement DSA keys of size less than 1024 bits. Note that present DSA is limited to a maximum of 1024 bit keys, which are recommended for long-term use. Also, DSA keys MUST be an even multiple of 64 bits long.

change to:

    An implementation SHOULD NOT implement DSA keys of size less than 1024 bits. DSA keys MUST be an even multiple of 64 bits long.

    The Digital Signature Standard (DSS) specifies that DSA be used in one of the following ways:

      * 1024-bit key, 160-bit q, SHA-1 hash
      * 2048-bit key, 224-bit q, SHA-224, SHA-256, SHA-384 or SHA-512 hash
      * 2048-bit key, 256-bit q, SHA-256, SHA-384 or SHA-512 hash
      * 3072-bit key, 256-bit q, SHA-256, SHA-384 or SHA-512 hash

    Other key size and hash combinations are usable in OpenPGP, but would not be compliant to DSS. Note that earlier versions of this standard only supported a 160-bit q, so earlier implementations may not be able to handle a signature with a different q size.

DSA keys are a multiple of 64 bits. Are there similar requirements with regards to the size of q that are worth mentioning here? I don't mean the NIST DSS requirements, but rather inherent requirements of the algorithm.

==================================

Section 13. (Security Considerations) says:

    * The DSA algorithm will work with any 160-bit hash, but it is sensitive to the quality of the hash algorithm, if the hash algorithm is broken, it can leak the secret key. The Digital Signature Standard (DSS) specifies that DSA be used with SHA-1. RIPEMD-160 is considered by many cryptographers to be as strong. An implementation should take care which hash algorithms are used with DSA, as a weak hash can not only allow a signature to be forged, but could leak the secret key.

change to:

    * The DSA algorithm will work with any hash, but it is sensitive to the quality of the hash algorithm. An implementation should take care which hash algorithms are used with DSA, as a weak hash can not only allow a signature to be forged, but could leak the secret key.

Hal has expressed concern with the "weak hash can leak the secret key" warning in the past, so perhaps he'll comment here.

==================================

David
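
Added example, not part of the original message and not taken from any OpenPGP implementation: a sketch of the leftmost-bits truncation proposed for Section 5.2.2, plus a check of a key size / q size / hash choice against the DSS list proposed for Section 12.5. The function names and the four result labels are this example's own assumptions.

```python
import hashlib

# (key bits, q bits) -> hashes DSS allows, copied from the proposed 12.5 list.
DSS_COMBINATIONS = {
    (1024, 160): {"sha1"},
    (2048, 224): {"sha224", "sha256", "sha384", "sha512"},
    (2048, 256): {"sha256", "sha384", "sha512"},
    (3072, 256): {"sha256", "sha384", "sha512"},
}


def dsa_hash_to_int(message: bytes, hash_name: str, q_bits: int) -> int:
    """Hash message and keep the leftmost q_bits bits (proposed 5.2.2 text)."""
    digest = hashlib.new(hash_name, message).digest()
    hash_bits = len(digest) * 8
    if hash_bits < q_bits:
        raise ValueError(
            f"{hash_name} ({hash_bits} bits) is smaller than q ({q_bits} bits)")
    # A right shift drops the rightmost bits, so this also works when
    # q_bits is not a multiple of 8.
    return int.from_bytes(digest, "big") >> (hash_bits - q_bits)


def classify(key_bits: int, q_bits: int, hash_name: str) -> str:
    """Label a key size / q size / hash choice (labels are hypothetical)."""
    hash_bits = hashlib.new(hash_name).digest_size * 8
    if key_bits % 64 != 0 or hash_bits < q_bits:
        return "invalid"        # breaks a MUST in the proposed text
    if key_bits < 1024:
        return "discouraged"    # SHOULD NOT: key under 1024 bits
    if hash_name in DSS_COMBINATIONS.get((key_bits, q_bits), set()):
        return "dss"
    return "non-dss"            # usable in OpenPGP, not DSS compliant


if __name__ == "__main__":
    msg = b"constructed sample message"
    print(hex(dsa_hash_to_int(msg, "sha256", 224)))
    for combo in [(2048, 224, "sha256"), (1024, 160, "sha256"),
                  (3072, 256, "sha224")]:
        print(combo, classify(*combo))
```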