[Botan-devel] DSA signature verification always returns false

Jack Lloyd lloyd at randombit.net
Mon Apr 20 17:17:25 EDT 2009


On Fri, Apr 17, 2009 at 11:22:02PM -0400, Z. S. O. wrote:
> While we're still on the topic, I was wondering: does Botan have a standard
> way to generate pseudo-random session tokens for data that I digitally sign?

For just choosing uniform random values, AutoSeeded_RNG is probably
the best general choice in botan.

> >From what I understand, the only way to avoid a replay attack is to use
> sign(data+token) instead of sign(data). I could always generate my own
> random token, but I don't like to invent my own standards if I can help it.

Could you explain more about what you're trying to do / what problems
you are facing? In general I don't think this is going to solve the
replay problem, unless you keep track of each token that you have
previously seen.

> Besides, I'm not sure how big the token has to be for it to be considered
> "secure."

For something like this, I would guess you just want to make sure it
doesn't repeat. If you take a uniform random source of N bit numbers,
and generate 2^(N/2) of them, statistically you have about a 50%
chance of one repeating. (This is called the 'birthday paradox', there
are many articles explaining it online). So if you expected each key
to sign no more than, say, 2^64 messages (which seems pretty
reasonable in most cases), a 128 bit token would be sufficiently large
that you could expect that the same token would never be choosen more
than once for use with any one key (as long as you always used a good
PRNG/RNG).

-Jack



More information about the botan-devel mailing list