DSA and SHA-256 (It works! Or does it?! :))
Werner Koch
wk at gnupg.org
Wed Jan 13 10:27:12 CET 2010
On Wed, 13 Jan 2010 17:32:31 +1300, Sam Vilain wrote:
> That being said, I see in the source eg g10/sign.c that this case is
> well described already. I can't find the exact source line where this
> truncation happens, but I assume it does somewhere.
gnupg/g10/sesskey.c:encode_md_value():
size_t qbytes = gcry_mpi_get_nbits (pk?pk->pkey[1]:sk->skey[1]);
[... check qbytes ... ]
qbytes/=8;
if (gcry_mpi_scan (&frame, GCRYMPI_FMT_USG,
gcry_md_read (md, hash_algo), qbytes, &qbytes))
BUG();
gcry_mpi_scan does the truncation.
> What is in that subpacket? Pulling it apart (using
> Crypt::OpenPGP::Message), I can see that r is
> 563842300114387388457394839662831482428878447936 and s is
> 377105405312767191687013088546003017320679158753 - definitely both <160 bit.
FWIW, you may use gpg --debug 2 --list-packets to show the MPIs.
> 1. is gpg doing the correct, FIPS-186-3 thing of throwing away the lower
> bits?
Yes.
Libgcrypt does not enforce this because FIPS-186-2 does not seem to
require it. Libgcrypt is currently in NIST's evaluation queue but the
project was started far prior to June 2009 when -3 was released.
> 2. is this safe?
We hope so.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list