Re: Suggested changes for DSA2, take 4

Jon Callas <jon@callas.org> Tue, 18 April 2006 23:05 UTC

From: Jon Callas <jon@callas.org>
Subject: Re: Suggested changes for DSA2, take 4
Date: Tue, 18 Apr 2006 15:32:16 -0700
To: David Shaw <dshaw@jabberwocky.com>


On 29 Mar 2006, at 8:37 AM, David Shaw wrote:

>
> Here is round four.  Only little fiddle changes at this point.
>
> ==================================
>
> Section 5.2.2 (Version 3 Signature Packet Format) says:
>
>     DSA signatures MUST use hashes with a size of 160 bits, to match q,
>     the size of the group generated by the DSA key's generator value.
>     The hash function result is treated as a 160 bit number and used
>     directly in the DSA signature algorithm.
>
> change to:
>
>     DSA signatures MUST use hashes that are equal in size to the
>     number of bits of q, the group generated by the DSA key's
>     generator value.  If the output size of the chosen hash is larger
>     than the number of bits of q, the hash result is truncated to fit
>     by taking the number of leftmost bits equal to the number of bits
>     of q.  This (possibly truncated) hash function result is treated
>     as a number and used directly in the DSA signature algorithm.
>

Done.

> No change.
>
> ==================================
>
> Section 12.5. (DSA) says:
>
>     An implementation SHOULD NOT implement DSA keys of size less than
>     1024 bits. Note that present DSA is limited to a maximum of 1024 bit
>     keys, which are recommended for long-term use. Also, DSA keys MUST
>     be an even multiple of 64 bits long.
>
> change to:
>
>     An implementation SHOULD NOT implement DSA keys of size less than
>     1024 bits or with a q size of less than 160 bits.  DSA keys MUST
>     also be a multiple of 64 bits, and the q size MUST be a multiple
>     of 8 bits.  The Digital Signature Standard (DSS) [FIPS186]
>     specifies that DSA be used in one of the following ways:
>
>     * 1024-bit key, 160-bit q, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512 hash
>     * 2048-bit key, 224-bit q, SHA-224, SHA-256, SHA-384 or SHA-512 hash
>     * 2048-bit key, 256-bit q, SHA-256, SHA-384 or SHA-512 hash
>     * 3072-bit key, 256-bit q, SHA-256, SHA-384 or SHA-512 hash
>
>     The above key and q size pairs were chosen to best balance
>     the strength of the key with the strength of the hash.
>     Implementations SHOULD use one of the above key and q size pairs
>     when generating DSA keys.  If DSS compliance is desired, one
>     of the specified SHA hashes must be used as well.  [FIPS186]
>     is the ultimate authority on DSS, and should be consulted for all
>     questions of DSS compliance.
>
>     Note that earlier versions of this standard only allowed a
>     160-bit q with no truncation allowed, so earlier implementations
>     may not be able to handle signatures with a different q size or a
>     truncated hash.
>
> Added a MUST that the q size is a multiple of 8.  I don't think any of
> us want to deal with hashes that don't end on a byte boundary.
>

Done, but I said that you MUST not use a q less than 160 bits.

> ==================================
>
> Section 13. (Security Considerations) says:
>
>      * The DSA algorithm will work with any 160-bit hash, but it is
>        sensitive to the quality of the hash algorithm, if the hash
>        algorithm is broken, it can leak the secret key. The Digital
>        Signature Standard (DSS) specifies that DSA be used with SHA-1.
>        RIPEMD-160 is considered by many cryptographers to be as strong.
>        An implementation should take care which hash algorithms are
>        used with DSA, as a weak hash can not only allow a signature to
>        be forged, but could leak the secret key.
>
> change to:
>
>      * The DSA algorithm will work with any hash, but is sensitive to
>        the quality of the hash algorithm.  Verifiers should be aware
>        that even if the signer used a strong hash, an attacker could
>        have modified the signature to use a weak one.  Only signatures
>        using acceptably strong hash algorithms should be accepted as
>        valid.
>
> Also add:
>
>      * As OpenPGP combines many different asymmetric, symmetric, and
>        hash algorithms, each with different measures of strength, care
>        should be taken that the weakest element of an OpenPGP message
>        is still sufficiently strong for the purpose at hand.  While
>        consensus about the strength of a given algorithm may
>        evolve, at publication time, NIST Special Publication 800-57
>        [SP800-57] recommended the following list of equivalent
>        strengths:
>
>        Asymmetric  |  Hash  |  Symmetric
>        key size    |  size  |  key size
>        ------------+--------+-----------
>           1024        160         80
>           2048        224        112
>           3072        256        128
>           7680        384        192
>          15360        512        256
>
> Added the key size reminder.
>

Done with various small edits. I had to fight with the formatting  
program. Here's what I did:


      * As OpenPGP combines many different asymmetric, symmetric, and
        hash algorithms, each with different measures of strength, care
        should be taken that the weakest element of an OpenPGP message
        is still sufficiently strong for the purpose at hand.  While
        consensus about the strength of a given algorithm may
        evolve, NIST Special Publication 800-57 [SP800-57] recommends
        the following list of equivalent strengths:

            Asymmetric  |  Hash  |  Symmetric
             key size   |  size  |   key size
            ------------+--------+-----------
               1024        160         80
               2048        224        112
               3072        256        128
               7680        384        192
              15360        512        256


> ==================================
>
> David
>

Added in reference to SP800-57.

	Jon
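
The size rules and the leftmost-bit truncation discussed in this message, as an added example that is not part of the original e-mail or of the draft. The function names and the `ACCEPTED_HASHES` verifier policy are assumptions made for illustration.

```python
import hashlib

# Key/q size pairs from the proposed Section 12.5 text: (key bits, q bits)
DSS_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

# Assumed verifier policy: only these hashes are accepted on a signature,
# whatever hash the signature packet claims.
ACCEPTED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}


def check_dsa_sizes(p_bits, q_bits):
    """Return a list of problems with a DSA key's size and q size."""
    problems = []
    if p_bits < 1024:
        problems.append("key smaller than 1024 bits")
    if p_bits % 64:
        problems.append("key size not a multiple of 64 bits")
    if q_bits < 160:
        problems.append("q smaller than 160 bits")
    if q_bits % 8:
        problems.append("q size not a multiple of 8 bits")
    if not problems and (p_bits, q_bits) not in DSS_PAIRS:
        problems.append("not one of the DSS key/q size pairs (SHOULD)")
    return problems


def dsa_hash_input(hash_name, message, q_bits, accepted=ACCEPTED_HASHES):
    """Hash message and return the number used directly in DSA.

    The digest is cut to its leftmost q_bits bits when it is longer than q.
    """
    if hash_name not in accepted:
        raise ValueError("hash not accepted by verifier policy: " + hash_name)
    if q_bits % 8:
        raise ValueError("q size must be a multiple of 8 bits")
    digest = hashlib.new(hash_name, message).digest()
    if len(digest) * 8 < q_bits:
        raise ValueError("hash output is shorter than q")
    truncated = digest[: q_bits // 8]  # leftmost bits; no-op if sizes match
    return int.from_bytes(truncated, "big")


if __name__ == "__main__":
    print(check_dsa_sizes(2048, 224))
    print(hex(dsa_hash_input("sha256", b"constructed sample message", 224)))
```

Because q is required to be a multiple of 8 bits, the truncation is a plain byte slice and never has to shift partial bytes.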