Nomen Nescio <[EMAIL PROTECTED]> writes: > Derek Atkins replied: > > It depends on the signature algorithm. With RSA you can sign any > > message "directly" if said message is smaller than the public key size > > (N). DSA, however, requires the use of a hash. > > Actually, depending on the data being signed, it can be important to > hash for RSA. After all, RSA is existentially forgeable: anyone can > forge a signature on a *random* value (if C=M^e mod n, then M is a > signature on C). They might be able to try some large number of sigs > until they got a random value which looked enough like legitimate data > to be accepted - especially possible if the 1kbit value being signed > holds dense, random-ish binary data.
Let me be clear: I implied (but clearly I should have been explicit) that PKCS#1 padding should be used, not "raw" RSA. The problem with raw RSA is that you can combine multiple encryptions into new encryptions. Using PKCS padding inside the RSA signature foils the multiplication attack. So, sure, your message is can only be N-(sizeof(pkcs#1)) bits, not N bits. However you still do not need a hash. -derek -- Derek Atkins Computer and Internet Security Consultant [EMAIL PROTECTED] www.ihtfp.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]