vanitasvitae
/
openpgp-notes
mirror of https://codeberg.org/openpgp/notes.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

edit c20 hash algorithm choice

This commit is contained in:
Tammi L. Coles 2024-01-19 15:46:29 +01:00
parent 3d1efc090a
commit f476a96537
1 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
book/source/adv/signatures.md
View File

@ -16,30 +16,28 @@ SPDX-License-Identifier: CC-BY-SA-4.0
## Choosing the hash algorithm for a signature
A central element of signature packets is the hash digest of the input data. Most OpenPGP software supports a set of different hash mechanisms, of which one is chosen for each signature packet (this is one aspect of OpenPGP's *cryptographic agility*), and used to calculate the hash digest.
The hash digest of the input data is a central element of signature packets in OpenPGP. The hash digest is calculated using a hash mechanism, selected from a diverse set supported by most OpenPGP software. The ability to choose from different hash mechanisms for each signature packet demonstrates OpenPGP's [*cryptographic agility*](https://en.wikipedia.org/wiki/Cryptographic_agility).
Different hash mechanisms offer different trade-offs:
- *Hash digest size*: Larger hash size tends to correspond with greater strength against cryptanalysis, and hash digests are relatively small: at the time of this writing, typical sizes are 32 to 64 bytes. However, for some use cases - especially where small messages are sent over a bandwidth-limited transport - larger hash sizes may unacceptably increase message size.
- *Computational cost*: Different hash algorithms may have different computational costs. Some OpenPGP users may prefer to limit this cost, for example on constrained computing environments.
- **Hash digest size**: Generally, a larger hash size offers greater resistance against cryptanalysis. At the time of this writing, typical hash digests range from 32 to 64 bytes, which are relatively compact. However, for some use cases - especially when transmitting small messages over limited bandwidth - larger hash sizes may unacceptably increase message size.
- **Computational cost**: Different hash algorithms may have different computational costs. Some OpenPGP users may prefer to limit this cost, for example, on constrained computing environments.
The following sections discuss how the hash algorithm is chosen, based on preferences that are associated with the involved OpenPGP certificates.
The following sections explain how the hash algorithm is chosen, based on preferences specified in the associated OpenPGP certificates.
### Typically: Local determination
Often, signature creation isn't targeted at a specific receiver. Many signatures are issued for an indeterminate set of "anyone who receives the signature."
Often, signature creation does not target a specific recipient. Instead, many signatures are intended for a broad audience, that is, anyone who receives the signature.
For example, self-signatures that form a certificate are aimed at everyone who interacts with that certificate. Similarly, when creating a data signature for a software package, this signature is aimed at "anyone who will check the signature," often over a long period of time, easily spanning years.
This is common in situations like self-signatures on certificates, which are relevant to all users of that certificate, or signatures on software packages, designed for anyone verifying the package, potentially over several years.
In such cases, the issuer of that signature chooses the hash algorithm locally, without following preferences of a third party.
In such cases, the issuer of that signature chooses the hash algorithm locally, based on their own criteria rather than the preferences of any third party.
### With a specific recipient: "Negotiation" based on recipient's preferences
In contrast, when a message is created for a specific recipient, the sender can - and should - choose the hash algorithm for the signature packet [based on the recipient's hash algorithm preference](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-hash-algorithm-preferences).
In contrast, when a message is created for a specific recipient, the sender can and should choose the hash algorithm for the signature packet [based on the recipient's hash algorithm preference](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-hash-algorithm-preferences). These preferences are specified in the metadata of the recipient's OpenPGP certificate, see {ref}`preferences-features` for more details.
The recipient's hash algorithm preference is defined in metadata of their certificate, see {ref}`preferences-features` for more details.
In this workflow, the signed hash digest is created with a hash algorithm that follows the recipient's preferences, and its intersection with the sender's capabilities and preferences.
In this workflow, the signed hash digest is created with a hash algorithm that meets the recipient's preferences as well as the sender's capabilities and preferences.
## Signature versions