Re: SSL sans RSA

Niels Möller (nisse@lysator.liu.se)
27 Feb 1999 05:55:21 +0100

• Next message: EKR: "Re: SSL sans RSA"
• Previous message: Michael Froomkin - U.Miami School of Law: "Using crypto to solve a part of the DNS/TM mess"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Eric Rescorla: "Re: SSL sans RSA"
• Reply: Eric Rescorla: "Re: SSL sans RSA"

EKR <ekr@rtfm.com> writes:

> nisse@lysator.liu.se (Niels Möller) writes:
>
> > 1. How are dsa signatures formatted, when used in the SSL protocol?
> > One reference to rsaref I have read says that it uses a
> > concatenation of r and s, each written as a 160 bit string. Is this
> > the same format used with SSL?
> It's the BER encoding of:
>
> DSSSignature ::= SEQUENCE {
> r INTEGER,
> s INTEGER
> }

Thanks.

> > 2. What formats are popular for storing dsa keys, in this context? For
> > RSA keys, I use pkcs#1 key formats (encapsulated using PEM-style
> > ascii-armoring).
> There's a lot of variety. Note that you do not need to agree with
> everyone else in order to be compatible.

I understand that private key format are not crucial for
compatibility. But it would still be nice to be able to use keys
created by SSLeay/OpenSSL, and vice versa.

> > 5. Formats and object identifiers for certification of diffie-hellman
> > parameters?
> See PKIX: RFC 2459

One more question... The dsa signature process: If this is in any way
similar to the PKCS#1 rsa signature process, it would go like this:

1. Hash the message to be signed (with SHA1 or some other
   cryptographic hash function).

2. Create a DigestInfo structure, and DER-encode it.

3. Sign the result using DSA (where the first step is hashing with
   SHA1).

Is this correct? Or is the process simpler: feeding the message
directly to the DSA algorithm (i.e. first SHA1, then some bignum
calculations), without any DigestInfo stuff?

In the latter case, the object identifier id-dsa-with-sha1 seems
completely redundant; the sha1 part is implied by "dsa", and there's
no place in the signature process for another hash function. The
id-dsa identifier (with omitted parameters) would do just as well for
identifying the complete signature process.
 
/Niels

• Next message: EKR: "Re: SSL sans RSA"
• Previous message: Michael Froomkin - U.Miami School of Law: "Using crypto to solve a part of the DNS/TM mess"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Eric Rescorla: "Re: SSL sans RSA"
• Reply: Eric Rescorla: "Re: SSL sans RSA"