On Sep 7, 2013, at 5:09 PM, "Perry E. Metzger" <pe...@piermont.com> wrote:

> Note that such systems should at this point be using deterministic
> methods (hashes of text + other data) to create the needed nonces. I
> believe several such methods have been published and are considered
> good, but are not well standardized. Certainly this eliminates a *very*
> important source of fragility in such systems and should be universally
> implemented.
>
> References to such methods are solicited -- I'm operating without my
> usual machine at the moment while its hard drive restores from backup.

For as long as PGP has done DSA, it protected the signature nonce by hashing it with the DSA private key. These days, we'd do an HMAC, most likely.

There's now an RFC 6979 on "Deterministic DSA" as well. Phil Z, David Kravitz, and I started on something equivalent and then stopped when we saw what Thomas Pornin was doing. It's good stuff.

https://datatracker.ietf.org/doc/rfc6979/

Jon

The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography