nettle-bugs March 2010

nettle-bugs@lists.lysator.liu.se

2 participants
3 discussions

plans for other SHA-2 digests?
by Daniel Kahn Gillmor 26 Mar '10

26 Mar '10

Hi Nettle folks-- >From the documentation i could find, it looks like the strongest digest libnettle supports is SHA256. Are there plans to add support for SHA512 or other members of the SHA-2 family? (i suppose the same question holds for the primitives in libhogweed that include a digest operation, such as RSA signing) Thanks for offering this tool, --dkg PS i tried to send this message earlier, PGP/MIME-signed, but it appears to have been bounced from the mailing list with a … [View More]

2 9

RSA-SHA512 interface problem
by nisse＠lysator.liu.se 24 Mar '10

24 Mar '10

I just realized that supporting RSA with SHA-512 leads to an interface problem. For RSA keys to work with PKCS#1 signatures, the modulo n has to be large enough. Up to now, I have used two defines, RSA_MINIMUM_N_OCTETS and RSA_MINIMUM_N_BITS, which are determined so that pkcs#1 works with *all* supported hash function. The rsa_public_key_prepare and rsa_private_key_prepare functions check that n is large enough and returns a success/failure value. Then no other rsa functions are expected to … [View More]ever fail due to n being too small. With sha256, the minimum was 62 octets or 489 bits. But for sha512, the minimum is 94 octets or 745 bits. So if I just bump the RSA_MINIMUM_N_* accordingly, support for 512 bits RSA keys disappears. (And for comparison, with md5, the minimum is 353 bits). I really hope noone still uses 512 bit RSA for anything important, but I nevertheless don't think it's appropriate to just drop support for it. Some applications may have modest security requirements where small keys are somehow appropriate, and then there are legacy applications and old keys. It should still be *possible* to verify signatures made many years ago, using 512-bit RSA, even though they can no longer be considered very secure. I haven't figured out yet how I want to handle this, and I see no solution without its own problems. Some alternatives: * Discontinue the RSA_MINIMUM_N_*, or use some reasonable value which isn't large enough for rsa-sha512. Let signature functions abort if they encounter a too small key. Possibly define new hash-specific constants, RSA_<hash>_MINIMUM_N_BITS or so. * Add some argument to the rsa_*_key_prepare functions to say what the key is to be used for, so that it can check if the key is large enough. I don't quite like this; it's against the spirit of the rest of the Nettle interface. * Introduce a return value for the signing functions, to let them return a success/failure indication. This is analogous to the rsa_encrypt function, which checks if the key size is large enough for the current message size. If we do this, is the return value from the rsa_*_key_prepare functions still useful? I think it's less of a problem with public key operations, since signature verification and rsa decryption have a return value and for too small keys they can easily return fail for all messages. The problem is the signing functions. No matter how the problem is solved, it will break backwards compatibility in some way. Suggestions? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. [View Less]

2 2

nettle bindings for higher-level languages
by Daniel Kahn Gillmor 23 Mar '10

23 Mar '10

I was wondering if there is a catalog somewhere of bindings that exist for nettle for higher-level languages. in particular, i'm interested in perl and python, but i'd be curious to know about the status of other languages as well. Is this documented somewhere? Is there a list of higher-level languages that the nettle author(s) would like to see prioritized? Regards, --dkg

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs March 2010