
DSS

DSS (NIST Digital Signature Standard)

SPECIFICATION
The DSS protocol pushes a 40-byte cryptographic signature onto the front of a message. On the incoming side, it pops a 40-byte signature and checks whether it is consistent with the SHA checksum computed for the rest of the message. The code for DSS is based on the NIST specification.

DSS is designed to be composed over any datagram protocol.

This version of DSS is experimental. It hasn't been connected to the key manager; it uses one compiled-in identity for both signing and checking signatures. See the RESTRICTIONS section for further information.

SYNOPSIS
When a message is pushed to a DSS session, an SHA checksum is computed for the message. The checksum is "signed", giving a 40-byte signature. The signature is pushed onto the front of the message. When an incoming message is popped to a DSS session, the 40-byte signature is popped, and an SHA checksum is computed for the rest of the message. The signature is checked for consistency with the checksum. If tracing is enabled, a message is printed reporting whether or not the signature is valid. No special action is taken on messages with an invalid signature; they are passed on as usual to the next higher protocol.
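
The push/pop framing described above, as an added Python sketch (not the x-kernel DSS source). Assumptions: the 40 bytes are r followed by s, 20 bytes each, big-endian; SHA-1 stands in for the page's SHA; parameters are generated on the fly; the names make_params, dss_push and dss_pop are hypothetical. The per-message number comes from the OS CSPRNG rather than a stub generator.

```python
import hashlib, secrets

SIG_LEN = 40  # assumed layout (not from the page): r || s, 20 bytes each, big-endian

def is_prime(n, rounds=24):  # Miller-Rabin; only called on large odd candidates
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params():  # example parameters: 160-bit prime q, 512-bit prime p = 2jq + 1
    while not is_prime(q := secrets.randbits(160) | (1 << 159) | 1):
        pass
    while True:
        p = 2 * (secrets.randbits(351) | (1 << 350)) * q + 1
        if p.bit_length() == 512 and is_prime(p):
            return p, q, pow(2, (p - 1) // q, p)  # g has order q

def digest(msg, q):  # SHA-1 is a stand-in for the page's "SHA checksum"
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def dss_push(msg, x, params):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh, unpredictable number per message
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (digest(msg, q) + x * r) % q
        if r and s:  # retry in the rare case r or s is zero
            return r.to_bytes(20, "big") + s.to_bytes(20, "big") + msg

def dss_pop(pkt, y, params):
    # Returns (payload, valid); as on the page, the payload goes up even if invalid.
    p, q, g = params
    r, s, msg = int.from_bytes(pkt[:20], "big"), int.from_bytes(pkt[20:40], "big"), pkt[40:]
    if len(pkt) < SIG_LEN or not (0 < r < q and 0 < s < q):
        return msg, False
    w = pow(s, -1, q)
    v = pow(g, digest(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q
    return msg, v == r
```

Because dss_pop returns the payload whether or not the signature checks out, a protocol layered above it gets authentication only if it acts on the returned flag itself.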

REALM
DSS is in the ASYNC realm.

PARTICIPANTS
DSS passes participants to the lower protocols without manipulating them.

CONTROL OPERATIONS
DSS recognizes the following control operations; all others are passed unchanged to the lower protocol or session.

GETMAXPACKET and GETOPTPACKET: The packet size returned by the lower protocol/session is diminished by 40, and passed upward.

IP_PSEUDOHDR: This control operation turns on the IP pseudoheader length-fixup flag, either for a session or the entire protocol. The control operation is also passed to the lower session or protocol. See IP (page ) for an explanation of this kludge.

CONFIGURATION
DSS expects to be configured on top of a transport protocol. The transport protocol must preserve packet boundaries (i.e. DSS will not work on top of TCP).

Example of a graph.comp file:


---------------------------------
@;
name=simeth/0;
name=eth protocols=simeth/0;
name=arp protocols=eth;
name=vnet protocols=eth,arp;
name=ip protocols=vnet;
name=dss protocols=ip;
name=udp protocols=dss;
name=udptest protocols=udp;
@;
prottbl = ../../../etc/prottbl.nonstd;
---------------------------------

RESTRICTIONS
The security of the signature scheme depends on discrete logs being hard for 512-bit primes, and on the security of the SHA hash method. A cryptographic random number is required for each message signed. Since we don't have a hardware random number generator handy, I've used the GNU random number function as a stub. If an adversary is able to determine the random number that was used for signing a single message, he can forge messages. DSS uses the GNU bignum routines, and no special care has been taken to erase intermediate values before returning memory to the general pool.

This version of DSS is experimental. It hasn't been connected to the key manager; it uses one compiled-in identity for both signing and checking signatures.

DSS has not been tested on little-endian machines, or between machines of differing endianness.

ACKNOWLEDGMENT
DSS uses the GNU multiprecision package to do its bignum arithmetic.

AUTHOR
Richard Schroeppel





Tue Nov 29 16:28:56 MST 1994