Are DSA2 signing keys backwards compatible?

David Shaw dshaw at jabberwocky.com
Mon Feb 11 05:33:59 CET 2008


On Sun, Feb 10, 2008 at 10:13:11PM -0600, Kevin Hilton wrote:
> >It doesn't work that way.  SHA-1 doesn't even work with DSA2 keys.
> >DSA2 doesn't mean "a bigger DSA key".  It means "a bigger hash with a
> >bigger DSA key".  DSA2 allows for any hash size that is equal to or
> >greater than the hash size that was used when generating the key.
> >Thus, for example, it is legal (albeit silly) to use SHA-512 with a
> >old DSA key (which uses a 160-bit hash).  We just truncate to fit.
> 
> So just to clarify --
> A 3096 bit DSA signing key could only be used with the SHA-512 hash?

No.  A 3096 bit DSA key that uses SHA-1 is possible and legal in
OpenPGP.  It is silly though, and GPG won't create it unless you
modify the code.  Outside of code modification, a 3096 bit key would
use a 256-bit hash (SHA-256, not SHA-512).  You could use SHA-512 with
it if you liked, but the hash would be truncated to 256 bits.

We follow the advice in FIPS 180-3:

      L = 1024, N = 160
      L = 2048, N = 224
      L = 3072, N = 256

So a 1024 bit key gets a 160 bit hash.  1025-2048 gets a 224 bit hash.
2049-3072 gets a 256 bit hash.  We don't generate keys less than 1024
bits or greater than 3072 bits.  Other programs may behave
differently, so GPG will naturally follow what the key encoding says
if it comes down to that.

David



More information about the Gnupg-users mailing list