Problems with interpolibility between GnuPG and PGP when
using SHA384-SHA512 hashes
dshaw at jabberwocky.com
Thu Jun 17 20:55:46 CEST 2004
On Thu, Jun 17, 2004 at 12:40:08PM -0600, Joe Vender wrote:
> On 17 Jun 2004 at 8:56, David Shaw wrote:
> > It's an open question, and one of the reasons (aside from the need for a
> > compiler that can handle 64-bit math), that the 512 and 384 hashes are
> > not enabled by default.
> Since the version of GnuPG that I compiled using MSYS/MingW on Win98SE
> seems to work without returning any errors when using these hashes, I
> assume my compiler handles the 64-bit math ok.
If it builds and passes "make check", then that's a safe assumption.
> > The implementation in GnuPG matches all of the SHA test vectors, so I
> > doubt there is a implementation bug. I suspect that PGP 8 doesn't allow
> > for these hashes for some reason, but don't know for sure.
> You may be right about PGP not handling these hashes, but that would be
> in conflict with the information that PGP Corp. has posted on their
> website regarding what the new SDK handles starting with 3.0. They
> explicitly state <http://www.pgp.com/products/sdk.html>:
I've seen that, but in all of my testing with various versions of PGP,
it does not handle 384 and 512. It's always possible that I got
something wrong in the hash code, but like I said, it matches the test
vectors from NIST. Plus, it interoperates with the Nullify GPG
patches (back when they did their own SHA-384/512 implementation) and
the PGP 263multi code as well. Three different implementations of
SHA-512 that all interoperate makes it unlikely that we all got it
equally wrong. ;)
Not that this means that the PGP people made a mistake in their code.
They're sharp people, and I really doubt they'd have shipped code with
such a mistake in it.
Without any other information (I keep meaning to ask the PGP folks
about it), I am assuming that just because the SDK supports SHA-512,
and PGP 8 uses that SDK, doesn't necessarily mean that PGP 8 supports
SHA-512 as well.
More information about the Gnupg-devel