- From: Jim Schaad <ietf@augustcellars.com>
- Date: Mon, 19 Jan 2015 11:15:49 -0800
- To: "'Ryan Sleevi'" <sleevi@google.com>
- Cc: <public-webcrypto@w3.org>
I don't understand. RSA v1.5 allows for a verification that the hash is correct since it is encoded into the padding. RSA-PSS uses the hash and the mask function to create the padding. As long as one makes the hash algorithm consistent throughout the process getting the same padding for a different hash algorithm is going to be very difficult. DSA allows for any hash algorithm to be used without any ability to check that it is the correct hash value. Furthermore there are two hash values which will produce the same signature in some cases . Hash values larger than q can cause problems. Also any two hash algorithms with the same output length can be used so that there is the possibility of having collisions between hash algorithms be significant. ECDSA truncates the hash value by taking the leftmost n bits of it. Thus hash values which are longer than n will have built in collisions. Additionally, the hash algorithm is not built into the computation so that one hash the issue of dealing with collisions between different algorithms. Finally, at least for importing with JWK, the algorithm of the hash is part of the key so that piece of information is being lost. Should I file a bug on this? Jim From: Ryan Sleevi [mailto:sleevi@google.com] Sent: Monday, January 19, 2015 10:25 AM To: Jim Schaad Cc: public-webcrypto@w3.org Subject: Re: Hash for ECDSA Because it isn't cryptographically suspect in the way it is for RSA. On Jan 19, 2015 10:15 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: Is there a reason that we did not move the hash for ECDSA from the sign operation to the import operation when it was done for RSA? Jim
Received on Monday, 19 January 2015 19:16:55 UTC