gpg rejects SHA224 with DSA-2048
Kevin Kammer
mephisto at fastmail.net
Mon Nov 9 04:29:35 CET 2009
On Sun, Nov 08, 2009 at 09:46:08PM -0500 David Shaw wrote:
>
> That's not quite how it works. What matters here is how the key was
> generated in the first place.
>
> One of the numbers used to generate a DSA key is known as "q". In DSA,
> the size of q is what controls the size of the hash that will be used
> with the key. This value is set at key generation time, and cannot be
> changed (it's part of the key). It has no strong relationship to the
> overall key size, so in theory, you could have a 2048-bit DSA key that
> uses an 8-bit hash. Of course, that would make for pretty poor
> signatures, so the DSA spec (and OpenPGP spec in turn) give some
> guidelines as to what hashes should be used for a given key size. For a
> 2048-bit key, you can choose either a 224 or 256 bit q.
>
> So, let's say you had a 2048-bit key, and the program you used to
> generate it chose a 256-bit q size. This key would allow a 256-bit
> hash. A 224-bit hash is impossible (too small). If you had a 2048-bit
> key and the program you used to generate it chose a 224-bit q size, this
> key would then allow a 224-bit hash. A hash larger than 224 bits is
> allowable as well, but would be truncated down to 224 bits to fit.
>
> The problem you are having is that whatever program generated your key
> chose a 256-bit q size. That parameter, chosen at key generation time,
> not GPG at signing time, is what is preventing you from using SHA-224.
>
> So the real question here is why did your program generate a DSA key
> with a 256-bit q, when a 224-bit q would have been equally acceptable
> according to the spec? As you say, they are both legal. The answer
> there is that while both are legal, a 256-bit q is slightly stronger as
> it allows a larger hash to be used. Both PGP and GPG use a 256-bit q for
> a 2048-bit key. However, if you managed to generate a 2048-bit key with
> a 224-bit q (as earlier versions of GPG did), all versions of GPG would
> (correctly) allow the use of SHA-224 with this key.
>
> David
>
A perfectly phrased and logical explanation. Thank you for elucidating
this matter for me. What I failed to put together is that the size of q
must be defined at key generation time, and thereafter is an immutable
part of the key.
I imagine I may at some point have been using a key generated with an
older version of GnuPG, with a 224-bit q, and became accustomed to
the permissibility of SHA224.
Thanks again for your response,
Kevin
--
"Le hasard favorise l'esprit préparé."
--Louis Pasteur
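To make David's point concrete, here is a small added Python example (mine, not code from the thread, from GnuPG or from PGP). It implements the two rules he describes: a DSA key may only be used with a hash whose output is at least as long as q, and a longer digest is cut down to the leftmost q bits (the FIPS 186-3 section 4.6 truncation). Because q is stored as an MPI inside the OpenPGP public-key packet, it also reads q's bit length from such a packet. The packet is built here from constructed numbers of the right sizes (not primes, not a usable key), and the parser only handles version 4 DSA key/subkey packets, which is all this question needs.

```python
"""Added example: why a DSA key's q fixes which hashes it can sign with.
DSA signs z = the leftmost min(N, outlen) bits of Hash(M), N = bit length
of q (FIPS 186-3 section 4.6).  q lives in the public-key packet as an MPI
(RFC 4880 section 5.5.2), so its size can be read from the key itself.
Sample key below is constructed (right sizes, not primes, not usable)."""
import hashlib
import struct

# OpenPGP hash algorithm ids (RFC 4880 section 9.4) and their hashlib names
OPENPGP_HASHES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
DSA_ALGO_ID = 17  # public-key algorithm id for DSA (RFC 4880 section 9.1)

def allowed_hashes(q_bits):
    """OpenPGP hash ids usable with a DSA key whose q is q_bits long."""
    return sorted(h for h, name in OPENPGP_HASHES.items()
                  if hashlib.new(name).digest_size * 8 >= q_bits)

def dsa_hash_input(message, hash_id, q_bits):
    """Digest message and apply DSA truncation; ValueError if the hash is too short."""
    name = OPENPGP_HASHES[hash_id]
    digest = hashlib.new(name, message).digest()
    outlen = len(digest) * 8
    if outlen < q_bits:  # this is the case gpg refuses (SHA-224 with a 256-bit q)
        raise ValueError(f"{name} ({outlen} bits) is too short for a {q_bits}-bit q")
    return int.from_bytes(digest, "big") >> (outlen - q_bits)  # leftmost q_bits bits

def _mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_dsa_public_key_packet(p, q, g, y, created=0):
    """Build a v4 DSA public-key packet with the old-format header gpg emits (0x99)."""
    body = b"\x04" + struct.pack(">I", created) + bytes([DSA_ALGO_ID])
    body += _mpi(p) + _mpi(q) + _mpi(g) + _mpi(y)
    # old-format header: bit 7 set, tag 6 in bits 5..2, length type 1 = two octets
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

def dsa_q_bits_from_packet(packet):
    """Return the bit length of q from a v4 DSA public-key (tag 6) or subkey (tag 14) packet."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                        # new-format header (RFC 4880 4.2.2)
        tag, first = tag_byte & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        elif first == 255:
            body = packet[6:6 + struct.unpack(">I", packet[2:6])[0]]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                      # old-format header (RFC 4880 4.2.1)
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nlen = 1 << ltype
        body = packet[1 + nlen:1 + nlen + int.from_bytes(packet[1:1 + nlen], "big")]
    if tag not in (6, 14):
        raise ValueError(f"packet tag {tag} is not a public key or subkey")
    if body[0] != 4 or body[5] != DSA_ALGO_ID:
        raise ValueError("not a version 4 DSA key")
    p_bits = struct.unpack(">H", body[6:8])[0]    # first MPI is p
    q_off = 8 + (p_bits + 7) // 8                  # second MPI is q
    return struct.unpack(">H", body[q_off:q_off + 2])[0]

# Constructed sample parameters: correct sizes only, not primes, not a real key.
P = (1 << 2047) | 1            # 2048-bit p
G = Y = (1 << 2046) | 3        # filler for g and y
Q256 = (1 << 255) | 1          # q size current gpg/PGP pick for a 2048-bit key
Q224 = (1 << 223) | 1          # q size older gpg versions picked

def compare_keys():
    """Which hashes each sample key accepts, read from the packet, not from the key size."""
    result = {}
    for label, q in (("q=256", Q256), ("q=224", Q224)):
        q_bits = dsa_q_bits_from_packet(build_dsa_public_key_packet(P, q, G, Y))
        ids = allowed_hashes(q_bits)
        result[label] = {"q_bits": q_bits, "hashes": [OPENPGP_HASHES[h] for h in ids],
                         "sha224_ok": 11 in ids}
    return result

if __name__ == "__main__":
    for label, info in compare_keys().items():
        print(label, info)
    print(hex(dsa_hash_input(b"abc", 8, 224)))  # SHA-256 of "abc" cut to 224 bits
```

With the constructed keys, the q=256 key accepts only sha256/sha384/sha512 and rejects sha224, while the q=224 key accepts sha224 as well and truncates sha256 to its leftmost 224 bits. To check a real key instead of a constructed one, `gpg --list-packets` on the exported public key prints the MPI sizes of the public-key packet; for a DSA key the second MPI (pkey[1]) is q.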