[Cryptography-dev] DSA
skeuomorf
skeuomorf at gmail.com
Wed Feb 19 09:39:59 CET 2014
Concerning issue #230 "Add DSA",
DSA has the following parameters:
p: prime modulus of bit length L
q: prime divisor of (p-1) of bit length N
g: a generator of a subgroup of order q in the multiplicative group
GF(p) where 1<g<p
x: private key, random where 0<x<q
y: public key (y = (g^x) mod p)
k: per message random number (nonce) where 0<k<q
/domain_parameter_seed/ and /counter/ used in generation of p,q
_*A typical workflow would involve:*_
* Domain parameter generation (and validation) (p,q,g)
* Key pair generation (and validation) (x, y)
* Signature generation (and verification and validation) (k, r, z)
_*Signature process(r,z,s)*_
r = ((g^k) mod p) mod q
z = The leftmost min(N, outlen) bits of Hash(M) where outlen is the
bit length of the hash function output block.
s = (k^-1 (z + xr)) mod q
_*The case of OpenSSL 0.9.8*_
* Uses SHA-1 as its hash function
* Maximum seed length of 160 bits when generating parameters
* Skimming the source code, I found that it has a FIPS directory
but upon further examination I discovered that it isn't
different from the normal DSA implementation in the crypto/dsa
directory (Please double check)
* Needs further examination...
_*The case of OpenSSL 1.0.2-stable*_
* Supposedly has a FIPS module that's referred to throughout the
code yet it's not implemented "/* Workaround bug in prototype
*/" maybe I misunderstood?
* Needs further examination... (What's the hash function used?...etc)
_*Notes:*_
* FIPS 186-4 lists the recommended (L,N) pairs -in bits- (1024, 160),
(2048, 224), (2048, 256), (3072, 256)
* The security strengths for (L,N) pairs are listed in SP 800-57
* The Hash function should have a strength >= strength(L,N)
* Length of digital signature is 2q
* Private signature key has a cryptoperiod of 1-3 years
* "The security strength associated with the DSA digital signature
process is no greater than the minimum of the security strength of
the (L,N) pair and the security strength of the hash function that
is employed."
* "The same domain parameters (p, q, g) may be used for both digital
signatures and key establishment. However, using different values
for the generator g reduces the risk that key pairs generated for
one purpose could be accidentally used (successfully) for another
purpose."
* A calculation of the inverse of k is required i.e. k^(-1)
* (k, r, p, q, g) may be precomputed
What do you guys think cryptography's API should expose? Support for
0.9.8's validation process is non-negotiable as a user might validate a
signature that was generated using the old standard.
Should the users be allowed to generate the domain parameters? and the
nonce? and store the private key and the nonce if it was precomputed?...etc
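A worked version of the steps listed above (domain parameters, key pair, signing, verification, and what happens when a per-message k is kept and reused), added here as an illustrative example; it is not the cryptography project's code and not from the post. It assumes SHA-256 as Hash(), a toy parameter generator that skips the FIPS 186-4 seed/counter procedure, toy sizes (L=256, N=160) instead of the recommended pairs, Python 3.8+ for pow(k, -1, q), and a seeded random.Random so the run is reproducible; every function name in it (run_demo, recover_x_from_reused_nonce and the rest) is the example's own.

```python
"""DSA signing and verification written out from the equations in the post, in
FIPS 186-4 notation (p, q, g, x, y, k, r, s, z). Added example, not the cryptography
project's code. Assumptions: SHA-256 as Hash(), a toy parameter generator that skips
the FIPS seed/counter procedure, sizes well below the recommended (L, N) pairs, Python >= 3.8."""
import hashlib
import random

def is_probable_prime(n, rng, rounds=24):  # Miller-Rabin; demo-grade, not a FIPS proof
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_domain_parameters(L, N, rng):
    """(p, q, g): q an N-bit prime, p = m*q + 1 an L-bit prime, g of order q mod p."""
    while True:
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1               # N bits, odd
        if is_probable_prime(q, rng):
            break
    while True:
        m = (rng.getrandbits(L - N) | (1 << (L - N - 1))) & ~1    # even, so p is odd
        p = m * q + 1
        if p.bit_length() == L and is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)        # h^((p-1)/q): order q unless 1
        if g > 1:
            return p, q, g

def validate_domain_parameters(p, q, g, rng):  # what a verifier checks before trusting (p, q, g)
    return (is_probable_prime(p, rng) and is_probable_prime(q, rng)
            and (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1)

def generate_keypair(p, q, g, rng):
    x = rng.randrange(1, q)                                       # private key, 0 < x < q
    return x, pow(g, x, p)                                        # public key y = g^x mod p

def hash_to_int(message, q, hashfn=hashlib.sha256):
    """z = leftmost min(N, outlen) bits of Hash(M)."""
    digest = hashfn(message).digest()
    outlen, N = len(digest) * 8, q.bit_length()
    z = int.from_bytes(digest, "big")
    return z >> (outlen - N) if outlen > N else z

def sign(message, p, q, g, x, rng, k=None):
    """r = (g^k mod p) mod q, s = k^-1 (z + x*r) mod q, retried if r or s is 0; k is a parameter only for the reuse demo."""
    z = hash_to_int(message, q)
    while True:
        k_used = k if k is not None else rng.randrange(1, q)      # nonce, 0 < k < q
        r = pow(g, k_used, p) % q
        s = (pow(k_used, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("fixed nonce gave a degenerate signature")

def verify(message, signature, p, q, g, y):
    r, s = signature
    if not (0 < r < q and 0 < s < q) or not (1 < y < p):          # range checks first
        return False
    w = pow(s, -1, q)
    u1, u2 = (hash_to_int(message, q) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def recover_x_from_reused_nonce(m1, sig1, m2, sig2, q):
    """Two signatures sharing k have the same r and leak k = (z1-z2)/(s1-s2), then x."""
    (r, s1), (_, s2) = sig1, sig2
    z1, z2 = hash_to_int(m1, q), hash_to_int(m2, q)
    k = ((z1 - z2) * pow(s1 - s2, -1, q)) % q
    return ((s1 * k - z1) * pow(r, -1, q)) % q

def run_demo(seed=2014):
    """Deterministic end-to-end run at toy sizes (L=256, N=160); returns the checks."""
    rng = random.Random(seed)
    p, q, g = generate_domain_parameters(256, 160, rng)
    x, y = generate_keypair(p, q, g, rng)
    msg = b"constructed sample message"                           # constructed input
    sig = sign(msg, p, q, g, x, rng)
    k = rng.randrange(1, q)                                       # deliberately reused below
    s1, s2 = sign(b"first", p, q, g, x, rng, k=k), sign(b"second", p, q, g, x, rng, k=k)
    return {
        "sizes": (p.bit_length(), q.bit_length()),
        "params_valid": validate_domain_parameters(p, q, g, rng),
        "verifies": verify(msg, sig, p, q, g, y),
        "tampered_verifies": verify(msg + b"!", sig, p, q, g, y),
        "r_zero_rejected": not verify(msg, (0, sig[1]), p, q, g, y),
        "reused_nonce_same_r": s1[0] == s2[0],
        "recovered_x": recover_x_from_reused_nonce(b"first", s1, b"second", s2, q) == x,
    }
```

run_demo() returns a dict of the checks. The two signatures made with the same k share r, and recover_x_from_reused_nonce() gets x back from them with only public values and the two messages; that is the concrete reason a precomputed nonce is as sensitive as the private key itself, and why verify() range-checks r and s (and y) before computing any inverse.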