short-ish signatures (again)


short-ish signatures (again)

Bob Mearns
A while back I posted asking if it was possible to generate
shorter than normal digital signatures with OpenSSL.  The
response I got was that signatures as short as I was talking
about (192 bits or less) would be insecure.  I'm just now back to
working on this, so I'd like to ask again - accepting that such
a sig would lack security, is it possible with OpenSSL, and how
would I go about it?  In my application there's a tradeoff between
sig length and security and in some instances a short sig
length, at the risk of some insecurity, will be the right answer.

DSA, with its 320-bit sigs, is out for this application.  I've played
with RSA a bit, but I run into problems with the digest being too
long when using RSA keys shorter than 384 bits.  I thought I'd read
that the RSA signature should be the same length as the number of bits
in the key, and I don't understand how digest length (at 128 or 160 bits
far shorter than the key) plays into this.  Are there other algorithms I
should be looking at besides RSA to accomplish my goal?

Thanks for your patience with my questions.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: short-ish signatures (again)

Victor Duchovni
On Tue, Feb 14, 2006 at 12:04:58PM -0800, Bob Mearns wrote:

> In my application there's a tradeoff between
> sig length and security and in some instances a short sig
> length, at the risk of some insecurity, will be the right answer.

Who is the signer and who is the verifier? Can the signer and verifier
engage in an on-line protocol? Are you signing traffic or stored data?

OpenSSL signs (symmetric MAC) each "message" in an SSL session.
Kerberos signs each message with an ephemeral session key...

> Are there other algorithms I
> should be looking at besides RSA to accomplish my goal?

Algorithm selection is the easy part, the hard part is security analysis
and protocol selection. What problem are you trying to solve?

--
        Viktor.

Re: short-ish signatures (again)

Bob Mearns
In reply to this post by Bob Mearns
 >> In my application there's a tradeoff between
 >> sig length and security and in some instances a short sig
 >> length, at the risk of some insecurity, will be the right answer.
 >
 >Who is the signer and who is the verifier? Can the signer and verifier
 >engage in an on-line protocol? Are you signing traffic or stored data?
 >
 >OpenSSL signs (symmetric MAC) each "message" in an SSL session.
 >Kerberos signs each message with an ephemeral session key...
 >
 >> Are there other algorithms I
 >> should be looking at besides RSA to accomplish my goal?
 >
 >Algorithm selection is the easy part, the hard part is security analysis
 >and protocol selection. What problem are you trying to solve?
 >
 >--
 > Viktor.

Sorry - more details:  This isn't a comm application - it amounts to
authentication of application data files.  The signer is a utility which
exists solely in a vendor's environment.  The verifier is an application
that exists in a consumer (potentially hostile) environment.  Hence
asymmetric key algorithms are a fit.


Re: short-ish signatures (again)

Victor Duchovni
On Tue, Feb 14, 2006 at 02:50:19PM -0800, Bob Mearns wrote:

> Sorry - more details:  This isn't a comm application - it amounts to
> authentication of application data files.  The signer is a utility which
> exists solely in a vendor's environment.  The verifier is an application
> that exists in a consumer (potentially hostile) environment.  Hence
> asymmetric key algorithms are a fit.
>

If you want small, publicly verifiable signatures for stored data, your
only choice is ECC. Staying clear of the patents may be difficult (IANAL)
and OpenSSL may not yet include all the required tooling. If this was
work for the US government, you could use Suite-B under the NSA license,
but its lowest approved security level is a bit stronger than you want.
(ECC of course can use smaller keys, but those are not covered by Suite B.)

--
        Viktor.

Re: short-ish signatures (again)

Nils Larsch
In reply to this post by Bob Mearns
Bob Mearns wrote:
...
> DSA, with its 320-bit sigs, is out for this application.  I've played
> with RSA a bit, but I run into problems with the digest being too
> long when using RSA keys shorter than 384 bits.  I thought I'd read
> that the RSA signature should be the same length as the number of bits
> in the key, and I don't understand how digest length (at 128 or 160 bits
> far shorter than the key) plays into this.  

you need to add the bytes for the pkcs1 padding + the bytes for
the digestInfo structure

Cheers,
Nils
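
The size arithmetic behind the reply above, as an added example that is not part of the original thread: it builds the PKCS#1 v1.5 signature block (EMSA-PKCS1-v1_5, RFC 8017 section 9.2) and shows why a 128- or 160-bit digest stops fitting once the RSA modulus gets short. Function and constant names are this example's own; the DigestInfo prefixes are the DER values given in RFC 8017.

```python
import hashlib

# DER-encoded DigestInfo headers (AlgorithmIdentifier + OCTET STRING tag/length),
# as listed in RFC 8017 section 9.2. The raw hash is appended to these.
DIGEST_INFO_PREFIX = {
    "md5":  bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}
DIGEST_SIZE = {"md5": 16, "sha1": 20}  # hash output length in bytes

FRAMING = 3      # 0x00 0x01 in front of the padding, 0x00 after it
MIN_PADDING = 8  # the padding string must be at least eight 0xFF bytes


def min_modulus_bytes(digest: str) -> int:
    """Smallest modulus length (in bytes) that can carry this digest."""
    t_len = len(DIGEST_INFO_PREFIX[digest]) + DIGEST_SIZE[digest]
    return t_len + FRAMING + MIN_PADDING


def emsa_pkcs1_v15_encode(message: bytes, digest: str, modulus_bits: int) -> bytes:
    """Return the k-byte block that the RSA private-key operation is applied to."""
    k = (modulus_bits + 7) // 8  # modulus length in bytes
    t = DIGEST_INFO_PREFIX[digest] + hashlib.new(digest, message).digest()
    if k < len(t) + FRAMING + MIN_PADDING:
        raise ValueError(
            f"{digest} DigestInfo needs {len(t) + FRAMING + MIN_PADDING} bytes, "
            f"a {modulus_bits}-bit modulus gives only {k}"
        )
    padding = b"\xff" * (k - len(t) - FRAMING)
    return b"\x00\x01" + padding + b"\x00" + t


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(f"{name}: modulus must be at least {min_modulus_bytes(name)} bytes")
    # Constructed sample input; key sizes chosen around the 384-bit mark from the thread.
    for bits in (384, 368, 360):
        try:
            block = emsa_pkcs1_v15_encode(b"sample file contents", "sha1", bits)
            print(f"{bits}-bit key: ok, signature will be {len(block)} bytes")
        except ValueError as err:
            print(f"{bits}-bit key: {err}")
```

The encoded block, and therefore the signature, is always as long as the modulus; the digest only sets a lower bound on that length.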



Re: short-ish signatures (again)

Nils Larsch
In reply to this post by Victor Duchovni
Victor Duchovni wrote:

> On Tue, Feb 14, 2006 at 02:50:19PM -0800, Bob Mearns wrote:
>
>
>>Sorry - more details:  This isn't a comm application - it amounts to
>>authentication of application data files.  The signer is a utility which
>>exists solely in a vendor's environment.  The verifier is an application
>>that exists in a consumer (potentially hostile) environment.  Hence
>>asymmetric key algorithms are a fit.
>>
>
>
> If you want small, publicly verifiable signatures for stored data, your
> only choice is ECC.

in case of ECDSA the signature size is approx. twice the field size.
The smallest curve openssl afaik supports is a 112 bit binary curve,
hence still too big.

Cheers,
Nils

Re: short-ish signatures (again)

Dr. Stephen Henson
In reply to this post by Bob Mearns
On Tue, Feb 14, 2006, Bob Mearns wrote:

>
> Sorry - more details:  This isn't a comm application - it amounts to
> authentication of application data files.  The signer is a utility which
> exists solely in a vendor's environment.  The verifier is an application
> that exists in a consumer (potentially hostile) environment.  Hence
> asymmetric key algorithms are a fit.
>

Well if the verifier is in a hostile environment not much will protect you
against a few well placed NOPs.

If you were using (say) HMAC you'd be faced with either the possibility of
finding out the symmetric key or finding out where to patch the binary.

With an RSA public key algorithm of that key size the security would be
sufficiently low that breaking the private key would also be possible.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk