DSA2

David Shaw dshaw at jabberwocky.com
Tue Oct 17 14:41:18 CEST 2006


On Tue, Oct 17, 2006 at 12:59:54PM +0200, Lionel Elie Mamane wrote:

> > This is not correct.  No DSA signatures in OpenPGP, whether v3 or
> > v4, have a hash firewall.
> 
> I got that idea from this language in the RFC:
> 
> A V4 signature hashes the packet body
> starting from its first field, the version number, through the end of
> the hashed subpacket data. Thus, the fields hashed are the signature
> version, the signature type, the public key algorithm, the hash
> algorithm, the hashed subpacket length, and the hashed subpacket
> body.
> 
> Doesn't the fact that the hash algorithm identifier is hashed
> into what is DSA-signed establish a hash firewall?

No.  That puts the hash algorithm inside the document being hashed.
If the hash is broken, then that's the worst place for the identifier
to be :)

What DSA does is (more or less):
  DSA( Hash( Identifier + document ) )

What RSA, with its hash firewall does is (again, more or less):
  RSA( Identifier + Hash( document ) )

Note that the identifier is present outside of the hash in the
material given to the RSA algorithm (it's actually present inside the
hash as well, but that's not relevant here).  If the hash is broken,
that doesn't impact the identifier that isn't in the hash.

David
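The two constructions above, modelled in code as an added example (not part of this thread or of GnuPG). It uses the real OpenPGP hash algorithm IDs and the PKCS#1 v1.5 DigestInfo prefixes from RFC 4880, but reduces the v4 hashed trailer to the single algorithm byte and leaves out the RSA padding bytes, which are assumptions made to keep the placement of the identifier visible:

```python
import hashlib

# OpenPGP hash algorithm IDs (RFC 4880 section 9.4) paired with the PKCS#1
# v1.5 DigestInfo prefixes RFC 4880 section 13.1.3 gives for RSA signatures.
HASH_ALGOS = {
    2: ("sha1",   bytes.fromhex("3021300906052b0e03021a05000414")),
    8: ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}

def pgp_digest(algo_id, document):
    """Hash(identifier + document): the OpenPGP trailer names the hash
    algorithm inside the hashed data. Assumption: the real v4 trailer has
    more fields; only the algorithm byte matters for this illustration."""
    name, _ = HASH_ALGOS[algo_id]
    return hashlib.new(name, document + bytes([algo_id])).digest()

def dsa_signed_input(algo_id, document):
    """DSA signs the bare digest, so the identifier lives only inside it."""
    return pgp_digest(algo_id, document)

def rsa_signed_input(algo_id, document):
    """RSA (PKCS#1 v1.5) signs DigestInfo(identifier) + Hash(...), so the
    identifier is also present outside the hash in what RSA operates on."""
    _, prefix = HASH_ALGOS[algo_id]
    return prefix + pgp_digest(algo_id, document)

def rsa_firewall_check(signed_input, declared_algo_id):
    """Verifier side of the hash firewall: confirm the DigestInfo prefix in
    the signed material names the algorithm the signature packet declares,
    and that exactly one digest of that size follows it. This check does
    not depend on the hash function being sound."""
    name, prefix = HASH_ALGOS[declared_algo_id]
    if not signed_input.startswith(prefix):
        return False
    return len(signed_input) == len(prefix) + hashlib.new(name).digest_size

def dsa_firewall_check(signed_input, declared_algo_id):
    """DSA side: the signed material is a bare digest, so the only thing a
    verifier can check independently of the hash is its length."""
    name, _ = HASH_ALGOS[declared_algo_id]
    return len(signed_input) == hashlib.new(name).digest_size
```

Declaring the wrong algorithm for RSA material fails the prefix check before any digest is compared, while for DSA a digest carries no algorithm label of its own.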


