On 9/29/2011 12:24 AM, Lucas Martins wrote:
Hello,
I was looking libcrypto code, and found that DSA_sign and ECDSA_sign
ignore hash algorithm while RSA_sign do not.
Are there any reason for this?
Before passing a short (typically 128 to 512 bits) hash to the "raw"
schoolbook RSA
algorithm for signing, some additional formatting is needed to both extend
the size to the key length (typically 1024 to 8192 bits) and to protect
against some
specific attacks. There are at least 3 standards for this formatting
(ISO-somenumber,
PKCS#1 v1 and PKCS#1 v2). The ISO one is insecure and the two others
include
various aspects of the hash algorithm in the formatting.
DSA does not do this, it uses the hash value directly, requires a hash
algorithm with
the same bit length as the "Q" subgroup of its group parameters, and
produces a
signature exactly twice as large as the hash value.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
