On Sun, Nov 08, 2009 at 09:46:08PM -0500 David Shaw wrote:
>
> That's not quite how it works. What matters here is how the key was
> generated in the first place.
>
> One of the numbers used to generate a DSA key is known as "q". In DSA,
> the size of q is what controls the size of the hash that will be used
> with the key. This value is set at key generation time, and cannot be
> changed (it's part of the key). It has no strong relationship to the
> overall key size, so in theory, you could have a 2048-bit DSA key that
> uses an 8-bit hash. Of course, that would make for pretty poor
> signatures, so the DSA spec (and OpenPGP spec in turn) give some
> guidelines as to what hashes should be used for a given key size. For a
> 2048-bit key, you can choose either a 224 or 256 bit q.
>
> So, let's say you had a 2048-bit key, and the program you used to
> generate it chose a 256-bit q size. This key would allow a 256-bit
> hash. A 224-bit hash is impossible (too small). If you had a 2048-bit
> key and the program you used to generate it chose a 224-bit q size, this
> key would then allow a 224-bit hash. A hash larger than 224 bits is
> allowable as well, but would be truncated down to 224 bits to fit.
>
> The problem you are having is that whatever program generated your key
> chose a 256-bit q size. That parameter, chosen at key generation time,
> not GPG at signing time, is what is preventing you from using SHA-224.
>
> So the real question here is why did your program generate a DSA key
> with a 256-bit q, when a 224-bit q would have been equally acceptable
> according to the spec? As you say, they are both legal. The answer
> there is that while both are legal, a 256-bit q is slightly stronger as
> it allows a larger hash to be used. Both PGP and GPG use a 256-bit q for
> a 2048-bit key. However, if you managed to generate a 2048-bit key with
> a 224-bit q (as earlier versions of GPG did), all versions of GPG would
> (correctly) allow the use of SHA-224 with this key.
>
> David
>
A perfectly phrased and logical explanation. Thank you for elucidating
this matter for me.

What I failed to put together is that the size of q must be defined at
key generation time, and thereafter is an immutable part of the key. I
imagine I may at some point have been using a key generated with an
older version of GnuPG, with a 224-bit q, and became accustomed to the
permissibility of SHA224.

Thanks again for your response,

Kevin

--
"Le hasard favorise l'esprit préparé." --Louis Pasteur
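
The rule described in the thread, written out as an added example that is not part of the original messages and is not GnuPG's code: a hash is usable with a DSA key only if its digest is at least as wide as q, and a wider digest is cut down to its leftmost q bits before signing. The function names and the hash table are hypothetical, and q is assumed to be a whole number of bytes.

```python
import hashlib

# Digest widths in bits for the SHA family members relevant to the thread.
HASH_BITS = {"sha1": 160, "sha224": 224, "sha256": 256,
             "sha384": 384, "sha512": 512}


def usable_hashes(q_bits):
    """Hashes whose digest is at least as wide as the key's q."""
    return [name for name, bits in HASH_BITS.items() if bits >= q_bits]


def dsa_digest(message, q_bits, hash_name):
    """Return the value that would be fed to the DSA signing step.

    Raises ValueError when the digest is narrower than q (the SHA-224
    with a 256-bit q case from the thread). A digest wider than q is
    truncated to its leftmost q_bits.
    """
    if q_bits % 8:
        raise ValueError("example assumes q is a whole number of bytes")
    if HASH_BITS[hash_name] < q_bits:
        raise ValueError(
            f"{hash_name} is {HASH_BITS[hash_name]} bits, "
            f"too small for a {q_bits}-bit q")
    digest = hashlib.new(hash_name, message).digest()
    return digest[: q_bits // 8]


if __name__ == "__main__":
    msg = b"constructed sample message"
    for q in (224, 256):
        print(f"q = {q} bits: usable hashes {usable_hashes(q)}")
    # 224-bit q with SHA-256: allowed, truncated to 28 bytes.
    print(len(dsa_digest(msg, 224, "sha256")), "bytes after truncation")
    # 256-bit q with SHA-224: rejected, as in the original question.
    try:
        dsa_digest(msg, 256, "sha224")
    except ValueError as exc:
        print("rejected:", exc)
```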