path: root/manual/html_node/Digital-signatures.html
blob: cbce10d78de504e165b1bbef394abfe2c3db4a38 (plain)
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.5.3 of GnuTLS.

Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.5.3: Digital signatures</title>

<meta name="description" content="GnuTLS 3.5.3: Digital signatures">
<meta name="keywords" content="GnuTLS 3.5.3: Digital signatures">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Certificate-authentication.html#Certificate-authentication" rel="up" title="Certificate authentication">
<link href="More-on-certificate-authentication.html#More-on-certificate-authentication" rel="next" title="More on certificate authentication">
<link href="Verifying-a-certificate-using-DANE.html#Verifying-a-certificate-using-DANE" rel="prev" title="Verifying a certificate using DANE">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body { 
	margin: 2%;
	padding: 0 5%;
	background: #ffffff;
}
h1,h2,h3,h4,h5 {
    font-weight: bold;
    padding: 5px 5px 5px 5px;
    background-color: #c2e0ff;
    color: #336699;
}
h1 {
    padding: 2em 2em 2em 5%;
    color: white;
    background: #336699;
    text-align: center;
    letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
  margin: 0 5%;
  padding: 0.5em;
}
pre.example,pre.verbatim {
  padding-bottom: 1em;

  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 1px 1px 1px 5px;
  margin: 1em auto;
  width: 90%;
}

div.node {
  margin: 0 -5% 0 -2%;
  padding: 0.5em 0.5em;
  margin-top: 0.5em;
  margin-bottom: 0.5em;
  font-weight: bold;
}
dd, li {
  padding-top: 0.1em;
  padding-bottom: 0.1em;
}
div.float {

  margin-bottom: 0.5em;
  text-align: center;
}

table {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  border-spacing: 7px;
  width: 50%;
}

th {
  padding: 0;
  color: #336699;
  background-color: #c2e0ff;
  border: solid #000000;
  border-width: 0px;
  margin: 1em auto;
  text-align: center;
  margin-left:auto;
  margin-right:auto;
}

td {
  padding: 0;
  border: solid #000000;
  background-color: #f0faff;
  border-width: 0px;
  margin: 1em auto;
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  padding-left: 1em;
}

dl {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  width: 50%;

  padding-left: 1em;
  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 5px 1px 1px 1px;
  margin: 1em auto;
}

-->
</style>


</head>

<body lang="en">
<a name="Digital-signatures"></a>
<div class="header">
<p>
Previous: <a href="Advanced-certificate-verification.html#Advanced-certificate-verification" accesskey="p" rel="prev">Advanced certificate verification</a>, Up: <a href="Certificate-authentication.html#Certificate-authentication" accesskey="u" rel="up">Certificate authentication</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Digital-signatures-1"></a>
<h4 class="subsection">4.1.4 Digital signatures</h4>
<a name="index-digital-signatures"></a>

<p>In this section we will provide some information about digital
signatures, how they work, and give the rationale for disabling some
of the algorithms used.
</p>
<p>Digital signatures work by using somebody&rsquo;s secret key to sign some
arbitrary data.  Anybody else can then use the public key of that
person to verify the signature.  Since the data may be arbitrary, it is
not suitable as direct input to a cryptographic digital signature
algorithm.  For this reason, and also for performance, cryptographic hash
algorithms are used to preprocess the input to the signature algorithm.
This works as long as it is difficult enough to generate two different
messages with the same hash output; otherwise the same signature could
be used as a proof for both messages.  Nobody wants to sign an innocent
message donating 1 euro to Greenpeace and find out that they
donated 1.000.000 euros to Bad Inc.
</p>
<p>For a hash algorithm to be called cryptographic the following three
requirements must hold:
</p>
<ol>
<li> Preimage resistance.
That means the algorithm must be one-way: given the output of the
hash function <em>H(x)</em>, it is impossible to calculate <em>x</em>.

</li><li> 2nd preimage resistance.
That means that given a pair <em>x,y</em> with <em>y=H(x)</em> it is
impossible to calculate an <em>x'</em>, different from <em>x</em>, such that <em>y=H(x')</em>.

</li><li> Collision resistance.
That means that it is impossible to find any two distinct <em>x</em> and
<em>x'</em> such that <em>H(x')=H(x)</em>.
</li></ol>

<p>The last two requirements in the list are the most important for
digital signatures, since they protect against somebody who would like to
generate two messages with the same hash output.  When an algorithm is
said to be broken, it usually means that its collision resistance is
below the brute-force bound.  Using the birthday paradox, a brute-force
collision search takes
<em>2^{((hash size) / 2)}</em>
operations.  Today colliding certificates using the MD5 hash algorithm
have been generated, as shown in [<em>WEGER</em>].
</p>
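<p>As an added illustration, not part of the original manual, the birthday
bound quoted above follows from a short calculation.  After <em>q</em>
evaluations of a hash with an <em>n</em>-bit output there are roughly
<em>q^2/2</em> distinct pairs of inputs, and each pair collides with
probability <em>2^{-n}</em>, so the probability of at least one collision
is about <em>1 - e^{-q^2 / 2^{n+1}}</em>.  Setting this to one half gives
<em>q^2 = 2^{n+1} ln 2</em>, i.e. <em>q ~ 1.18 * 2^{n/2}</em>, which is
where the <em>2^{((hash size) / 2)}</em> figure comes from.  For MD5
(<em>n=128</em>) the bound is <em>2^{64}</em>, matching the presumed
collision strength quoted in the next paragraph, and for SHA-1
(<em>n=160</em>) it is <em>2^{80}</em>; an algorithm is called broken
precisely when collisions can be found with fewer operations than this.
Finding a preimage or a second preimage, by contrast, still costs about
<em>2^{n}</em> evaluations, which is why collision attacks appear long
before preimage attacks and why the first practical consequence of a break
is forged pairs of documents rather than recovery of a signed message.
</p>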
<p>There have been cryptanalytic results against the SHA-1 hash algorithm as
well, although they are not yet critical.  Before 2004, MD5 had a
presumed collision strength of <em>2^{64}</em>, but it has since been shown
to have a collision strength well under <em>2^{50}</em>.  As of November
2005, it is believed that SHA-1&rsquo;s collision strength is around
<em>2^{63}</em>.  We consider this sufficiently hard that we still
support SHA-1.  We anticipate that SHA-256/384/512 will be used in
publicly-distributed certificates in the future.  When <em>2^{63}</em>
has to be considered too weak compared to the computing power available
at some point in the future, SHA-1 will be disabled as well.  The collision
attacks on SHA-1 may also get better, given the new interest in tools
for creating them.
</p>
<a name="Trading-security-for-interoperability"></a>
<h4 class="subsubsection">4.1.4.1 Trading security for interoperability</h4>

<p>If you connect to a server and use GnuTLS&rsquo; functions to verify the
certificate chain, and get a <code>GNUTLS_CERT_INSECURE_ALGORITHM</code>
validation error (see <a href="Verifying-X_002e509-certificate-paths.html#Verifying-X_002e509-certificate-paths">Verifying X.509 certificate paths</a>), it means
that somewhere in the certificate chain there is a certificate signed
using <code>RSA-MD2</code> or <code>RSA-MD5</code>.  These two digital signature
algorithms are considered broken, so GnuTLS fails to verify
the certificate.  In some situations, it may be useful to be
able to verify the certificate chain anyway, on the assumption that an
attacker has not exploited the fact that these signature algorithms are
broken.  This section explains how to achieve that.
</p>
<p>It is important to know that you do not have to enable any of
the flags discussed here to be able to use trusted root CA
certificates self-signed using <code>RSA-MD2</code> or <code>RSA-MD5</code>. The
certificates in the trusted list are considered trusted irrespective
of the signature.
</p>
<p>If you are using <a href="Core-TLS-API.html#gnutls_005fcertificate_005fverify_005fpeers3">gnutls_certificate_verify_peers3</a> to verify the
certificate chain, you can call
<a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fverify_005fflags">gnutls_certificate_set_verify_flags</a> with the flags:
</p><ul>
<li> <code>GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2</code>
</li><li> <code>GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5</code>
</li></ul>
<p>as in the following example:
</p>
<div class="example">
<pre class="example">  gnutls_certificate_set_verify_flags (x509cred,
                                       GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
</pre></div>

<p>This will signal the verifier algorithm to enable <code>RSA-MD5</code> when
verifying the certificates.
</p>
<p>If you are using <a href="X509-certificate-API.html#gnutls_005fx509_005fcrt_005fverify">gnutls_x509_crt_verify</a> or
<a href="X509-certificate-API.html#gnutls_005fx509_005fcrt_005flist_005fverify">gnutls_x509_crt_list_verify</a>, you can pass the
<code>GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5</code> parameter directly in the
<code>flags</code> parameter.
</p>
<p>If you are using these flags, it is also a good idea to warn the
user when a verification failure occurs for this reason.  The simplest
approach is not to use the flags by default, and only fall back to them
after warning the user.  If you wish to inspect the certificate chain
yourself, you can use <a href="Core-TLS-API.html#gnutls_005fcertificate_005fget_005fpeers">gnutls_certificate_get_peers</a> to extract
the server&rsquo;s raw certificate chain, <a href="X509-certificate-API.html#gnutls_005fx509_005fcrt_005flist_005fimport">gnutls_x509_crt_list_import</a> to parse each of the certificates, and
then <a href="X509-certificate-API.html#gnutls_005fx509_005fcrt_005fget_005fsignature_005falgorithm">gnutls_x509_crt_get_signature_algorithm</a> to find out the
signing algorithm used for each certificate.  If any of the
intermediate certificates are using <code>GNUTLS_SIGN_RSA_MD2</code> or
<code>GNUTLS_SIGN_RSA_MD5</code>, you could present a warning.
</p>
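<p>The chain-inspection and warn-before-relaxing procedure just described, as an
added example that is not GnuTLS project code.  The policy helpers
(<code>sign_algo_is_broken</code>, <code>count_weak_signatures</code>) are plain C
so they can be tested anywhere; the GnuTLS glue
(<code>warn_on_weak_chain_signatures</code>, <code>allow_md5_after_warning</code>)
is compiled only when built with <code>-DHAVE_GNUTLS</code> and linked with
<code>-lgnutls</code>.  <code>HAVE_GNUTLS</code> is this example&rsquo;s own macro,
not a GnuTLS one, and the fallback enum values are an assumption of the example
mirroring <code>gnutls_sign_algorithm_t</code>.  The example imports each DER
datum with <code>gnutls_x509_crt_import</code> rather than the
<code>gnutls_x509_crt_list_import</code> named above, because the peer list holds
one DER-encoded certificate per datum.
</p>

```c
/* Added example, not GnuTLS project code.  Walks a peer's certificate
 * chain and warns when a certificate is signed with RSA-MD2 or RSA-MD5,
 * following the steps in the text.  Policy helpers are plain C; the
 * GnuTLS glue is compiled only with -DHAVE_GNUTLS (an example-specific
 * macro, not one provided by GnuTLS). */
#include <stddef.h>
#include <stdio.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#else
/* Fallback so the helpers compile without GnuTLS installed.  Assumption:
 * these mirror the gnutls_sign_algorithm_t values declared in gnutls.h. */
enum { GNUTLS_SIGN_RSA_MD5 = 3, GNUTLS_SIGN_RSA_MD2 = 4 };
#endif

/* Policy: 1 if the signature algorithm is one GnuTLS treats as broken. */
int sign_algo_is_broken(int algo)
{
    return algo == GNUTLS_SIGN_RSA_MD2 || algo == GNUTLS_SIGN_RSA_MD5;
}

/* Count certificates in a chain (leaf first, as GnuTLS returns it) whose
 * signature algorithm is broken.  Takes the algorithm ids directly so the
 * policy can be exercised with constructed input. */
size_t count_weak_signatures(const int *algos, size_t n)
{
    size_t weak = 0;
    for (size_t i = 0; i < n; i++)
        if (sign_algo_is_broken(algos[i]))
            weak++;
    return weak;
}

#ifdef HAVE_GNUTLS
/* Inspect the raw chain of an established session.  Returns how many
 * certificates are signed with RSA-MD2/MD5, or a negative GnuTLS error. */
int warn_on_weak_chain_signatures(gnutls_session_t session)
{
    unsigned int list_size = 0;
    const gnutls_datum_t *raw = gnutls_certificate_get_peers(session, &list_size);
    if (raw == NULL || list_size == 0)
        return GNUTLS_E_NO_CERTIFICATE_FOUND;

    int weak = 0;
    for (unsigned int i = 0; i < list_size; i++) {
        gnutls_x509_crt_t crt;
        int ret = gnutls_x509_crt_init(&crt);
        if (ret < 0)
            return ret;
        /* Each datum in the peer list is one DER-encoded certificate. */
        ret = gnutls_x509_crt_import(crt, &raw[i], GNUTLS_X509_FMT_DER);
        int algo = ret < 0 ? ret : gnutls_x509_crt_get_signature_algorithm(crt);
        gnutls_x509_crt_deinit(crt);
        if (algo < 0)
            return algo;
        if (sign_algo_is_broken(algo)) {
            fprintf(stderr, "warning: chain certificate %u is signed with %s\n",
                    i, gnutls_sign_get_name((gnutls_sign_algorithm_t)algo));
            weak++;
        }
    }
    return weak;
}

/* Keep relaxed verification off by default; enable RSA-MD5 only after the
 * user has seen the warning and explicitly accepted the risk. */
void allow_md5_after_warning(gnutls_certificate_credentials_t cred, int user_accepted)
{
    if (user_accepted)
        gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
}
#endif
```

<p>Call <code>warn_on_weak_chain_signatures</code> after the handshake and
before relying on the connection; only when it reports a non-zero count and
the user accepts the warning does <code>allow_md5_after_warning</code> set the
flag, so the default path still rejects MD2/MD5-signed chains.  Remember that
the trusted roots themselves are accepted irrespective of their own
signature, so a self-signed MD5 root in the trust list is not a reason to
set the flag.
</p>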
<hr>
<div class="header">
<p>
Previous: <a href="Advanced-certificate-verification.html#Advanced-certificate-verification" accesskey="p" rel="prev">Advanced certificate verification</a>, Up: <a href="Certificate-authentication.html#Certificate-authentication" accesskey="u" rel="up">Certificate authentication</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>