% $RCSfile: dss.tex,v $
%
% $Revision: 1.1 $
% $Date: 1995/07/28 21:16:25 $
%

\protspec{DSS}{DSS (NIST Digital Signature Standard)}
\index{dss}
\index{digital signature}
\label{DSS}

\topic{SPECIFICATION}

\noindent
The DSS protocol pushes a 40-byte cryptographic signature onto the front
of a message.  On the incoming side, it pops the 40-byte signature and
checks whether it is consistent with the SHA checksum computed over the rest
of the message.  The code for DSS is based on the NIST specification.

DSS is designed to be composed over any datagram protocol.

This version of DSS is experimental.
It hasn't been connected to the key manager;
it uses one compiled-in identity for both signing and checking signatures.
See the RESTRICTIONS section for further information.

\topic{SYNOPSIS}

\noindent
When a message is pushed to a DSS session,
an SHA checksum is computed for the message.
The checksum is ``signed'', giving a 40-byte signature.  The signature
is pushed onto the front of the message.
When an incoming message is popped to a DSS session, the 40-byte signature is
popped, and an SHA checksum is computed for the rest of the message.
The signature is checked for consistency with the checksum.
If tracing is enabled, a message is printed reporting whether or not the
signature is valid.
No special action is taken on messages with an invalid signature;
they are passed on as usual to the next higher protocol.
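The push/pop framing described above, as an added example that is not part of the x-kernel code: Go's standard-library \texttt{crypto/dsa} and SHA-1 stand in for the NIST signature and the ``SHA checksum'', and \texttt{NewIdentity} plays the compiled-in identity (with 1024/160-bit parameters rather than the 512-bit primes the x-kernel implementation uses; the 160-bit $q$ is what makes $r \| s$ exactly 40 bytes).

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// SigLen is the fixed signature DSS pushes onto every message:
// r and s, each zero-padded to 20 bytes because q is 160 bits.
const SigLen = 40

// NewIdentity stands in for the compiled-in identity used for both signing and
// checking (1024/160-bit parameters here, not the 512-bit primes the x-kernel code uses).
func NewIdentity() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	return priv, dsa.GenerateKey(priv, rand.Reader)
}

// Push signs the SHA checksum of msg and returns the outgoing packet: signature || msg.
func Push(priv *dsa.PrivateKey, msg []byte) ([]byte, error) {
	sum := sha1.Sum(msg)
	r, s, err := dsa.Sign(rand.Reader, priv, sum[:])
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, SigLen+len(msg))
	r.FillBytes(pkt[:20]) // fixed-width big-endian, zero-padded
	s.FillBytes(pkt[20:SigLen])
	copy(pkt[SigLen:], msg)
	return pkt, nil
}

// Pop strips the signature and checks it against the SHA checksum of the rest.
// As in the x-kernel session, the message is returned either way; only the
// valid flag tells the caller that the signature did not check.
func Pop(pub *dsa.PublicKey, pkt []byte) (msg []byte, valid bool, err error) {
	if len(pkt) < SigLen {
		return nil, false, fmt.Errorf("%d-byte packet is shorter than a DSS signature", len(pkt))
	}
	r := new(big.Int).SetBytes(pkt[:20])
	s := new(big.Int).SetBytes(pkt[20:SigLen])
	msg = pkt[SigLen:]
	sum := sha1.Sum(msg)
	return msg, dsa.Verify(pub, sum[:], r, s), nil
}
```

Flipping a single bit anywhere in the body or in the 40 signature bytes makes \texttt{Pop} report \texttt{valid == false} while still handing the body upward, which is exactly the behaviour the synopsis describes.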


\topic{REALM}

DSS is in the ASYNC realm.


\topic{PARTICIPANTS}

DSS passes participants to the lower protocols without manipulating them.


\topic{CONTROL OPERATIONS}

DSS recognizes the following control operations; all others are passed
unchanged to the lower protocol or session.

GETMAXPACKET and GETOPTPACKET:  The packet size returned by the lower
protocol/session is reduced by 40 bytes (the size of the signature), and passed upward.

IP\_PSEUDOHDR:  This control operation turns on the IP pseudoheader
length-fixup flag, either for a session or the entire protocol.
The control operation is also passed to the lower session or protocol.
See IP (page~\pageref{IP}) for an explanation of this kludge.


\topic{CONFIGURATION}

DSS expects to be configured on top of a transport protocol.
The transport protocol must
preserve packet boundaries (i.e. DSS will not work on top of TCP).

Example of a graph.comp file:
\begin{verbatim}
---------------------------------
@;
name=simeth/0;
name=eth protocols=simeth/0;
name=arp protocols=eth;
name=vnet protocols=eth,arp;
name=ip protocols=vnet;
name=dss protocols=ip;
name=udp protocols=dss;
name=udptest protocols=udp;
@;
prottbl = ../../../etc/prottbl.nonstd;
---------------------------------
\end{verbatim}


\topic{RESTRICTIONS}

\noindent The security of the signature scheme depends on discrete logs being
hard for 512-bit primes, and on the security of the SHA hash function.
A cryptographic random number is required for each message signed.
Since we don't have a hardware random number generator handy, I've
used the GNU random number function as a stub.
If an adversary is able to determine the random number that was
used for signing a single message, he can forge messages.
DSS uses the GNU bignum routines, and no special care has been
taken to erase intermediate values before returning memory to the
general pool.

\noindent This version of DSS is experimental.
It hasn't been connected to the key manager;
it uses one compiled-in identity for both signing and checking signatures.

\noindent DSS has not been tested on little-endian machines, or between
machines of differing endianness.


\topic{ACKNOWLEDGMENT}

\noindent DSS uses the GNU multiprecision package to do its bignum arithmetic.


\topic{AUTHOR}

\noindent Richard Schroeppel

