Problems with interoperability between GnuPG and PGP when
using SHA384-SHA512 hashes
David Shaw
dshaw at jabberwocky.com
Thu Jun 17 20:55:46 CEST 2004

On Thu, Jun 17, 2004 at 12:40:08PM -0600, Joe Vender wrote:
> On 17 Jun 2004 at 8:56, David Shaw wrote:
>
> > It's an open question, and one of the reasons (aside from the need for a
> > compiler that can handle 64-bit math), that the 512 and 384 hashes are
> > not enabled by default.
>
> Since the version of GnuPG that I compiled using MSYS/MingW on Win98SE
> seems to work without returning any errors when using these hashes, I
> assume my compiler handles the 64-bit math ok.

If it builds and passes "make check", then that's a safe assumption.

> > The implementation in GnuPG matches all of the SHA test vectors, so I
> > doubt there is an implementation bug. I suspect that PGP 8 doesn't allow
> > for these hashes for some reason, but don't know for sure.
> >
>
> You may be right about PGP not handling these hashes, but that would be
> in conflict with the information that PGP Corp. has posted on their
> website regarding what the new SDK handles starting with 3.0. They
> explicitly state <http://www.pgp.com/products/sdk.html>:

I've seen that, but in all of my testing with various versions of PGP,
it does not handle 384 and 512. It's always possible that I got
something wrong in the hash code, but like I said, it matches the test
vectors from NIST. Plus, it interoperates with the Nullify GPG
patches (back when they did their own SHA-384/512 implementation) and
the PGP 263multi code as well. Three different implementations of
SHA-512 that all interoperate makes it unlikely that we all got it
equally wrong. ;)

Not that this means that the PGP people made a mistake in their code.
They're sharp people, and I really doubt they'd have shipped code with
such a mistake in it.

Without any other information (I keep meaning to ask the PGP folks
about it), I am assuming that just because the SDK supports SHA-512,
and PGP 8 uses that SDK, doesn't necessarily mean that PGP 8 supports
SHA-512 as well.

David