Re: SSL sans RSA

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view

Eric Rescorla (ekr@rtfm.com)
Fri, 26 Feb 1999 21:44:21 -0800

Next message: Anonymous: "Re: Using crypto to solve a part of the DNS/TM mess"
Previous message: EKR: "Re: SSL sans RSA"
In reply to: Eric Rescorla: "Re: SSL sans RSA"
Next in thread: EKR: "Re: SSL sans RSA"
Reply: EKR: "Re: SSL sans RSA"

> > > 2. What formats are popular for storing dsa keys, in this context? For
> > > RSA keys, I use pkcs#1 key formats (encapsulated using PEM-style
> > > ascii-armoring).
> > There's a lot of variety. Note that you do not need to agree with
> > everyone else in order to be compatible.
>
> I understand that private key format are not crucial for
> compatibility. But it would still be nice to be able to use keys
> created by SSLeay/OpenSSL, and vice versa.
Right. I believe that the format you're using matches OpenSSL,
but I'm not an expert on how OpenSSL does things.

> > > 5. Formats and object identifiers for certification of diffie-hellman
> > > parameters?
> > See PKIX: RFC 2459
>
> One more question... The dsa signature process: If this is in any way
> similar to the PKCS#1 rsa signature process, it would go like this:
>
> 1. Hash the message to be signed (with SHA1 or some other
> cryptographic hash function).
>
> 2. Create a DigestInfo structure, and DER-encode it.
>
> 3. Sign the result using DSA (where the first step is hashing with
> SHA1).
>
> Is this correct? Or is the process simpler: feeding the message
> directly to the DSA algorithm (i.e. first SHA1, then some bignum
> calculations), without any DigestInfo stuff?
Correct. DSA takes a 20-byte input.

> In the latter case, the object identifier id-dsa-with-sha1 seems
> completely redundant; the sha1 part is implied by "dsa", and there's
> no place in the signature process for another hash function. The
> id-dsa identifier (with omitted parameters) would do just as well for
> identifying the complete signature process.
Actually, any 160 bit hash function would do. The issue is that
there's no identifying information in the signature itself,
so a substitution attack is possible if you don't mandate a
single digest algorithm.

-Ekr

Next message: Anonymous: "Re: Using crypto to solve a part of the DNS/TM mess"
Previous message: EKR: "Re: SSL sans RSA"
In reply to: Eric Rescorla: "Re: SSL sans RSA"
Next in thread: EKR: "Re: SSL sans RSA"
Reply: EKR: "Re: SSL sans RSA"

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view

All trademarks and copyrights are the property of their respective owners.
Other Directory Sites: SeekWonder | Directory Owners Forum

The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:28