
RE: Another place to put garbage for collisions

From: Brad Hill <brad@isecpartners.com>
Date: Tue, 27 Jan 2009 14:06:52 -0800
To: Thomas Roessler <tlr@w3.org>, XML Security Working Group WG <public-xmlsec@w3.org>
Message-ID: <7E3B942D6F9AE64EA28CE80B7283C1EC21065F474B@exch01.isecpartners.com>

I just closed out the action items related to this - I think that as XML signatures inherently have an additional layer of indirection (signing a hash of a hash) there's no way to avoid this type of collision attack.

I would love to have an opinion from somebody more cryptographically astute.

Assume that an attacker, Mallory, is able to view an XMLDSIG from Alice. Mallory wants to send an evil message to Bob, who trusts Alice's signature.

Mallory has two choices (with regard to hash collisions):

1) Mallory can attempt to generate a new SignedInfo with a hash that collides with the hash of Alice's original SignedInfo. This is made somewhat easier by the ability to embed arbitrary namespace declarations, and especially comments (if Bob accepts withComments as a C14N method SignedInfo).

2) Mallory can attempt to generate a new Reference with a hash that collides with the hash of the original Reference.

We can make (1) harder by forbidding comments to be included in the C14N of SignedInfo.

We can't do anything about (2). The well-formedness semantics of the reference may make it more or less malleable for a collision attempt, but it is out of the scope of XMLDSIG to defend against this.

Is it worth doing anything about (1), given (2)?

-Brad



-----Original Message-----
From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Thomas Roessler
Sent: Tuesday, January 27, 2009 1:46 PM
To: XML Security Working Group WG
Subject: Another place to put garbage for collisions


It just occurred to me that spurious XML namespace declarations on <SignatureMethod> elements might be a handy way to hide garbage if an attacker was to exploit collisions in a hash algorithm used for signatures.

I wonder whether we want to deal with that in any way.

--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 27 January 2009 22:07:39 GMT
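The two "garbage slots" the thread identifies in SignedInfo, a comments-preserving canonicalization method and namespace declarations that nothing in their scope uses, can be flagged by a verifier before it spends a signature check. The following pre-check is an added example written for this archive page; it is not code from the XML Security Working Group or from any XMLDSIG implementation. The function names (audit_signed_info and its helpers) and the sample Signature documents are constructed for illustration; the C14N algorithm URIs and the xmldsig namespace are the standard ones.

```python
"""
Pre-verification audit of an XMLDSIG <SignedInfo> (added example, not from
the W3C thread).  It reports the places where filler bytes could be hidden
without changing the meaning of the signature:

  * a CanonicalizationMethod whose output retains comments,
  * comment nodes anywhere under SignedInfo,
  * xmlns declarations that no element or attribute in their scope uses.

This is a filter to run before signature verification, not a replacement
for it.
"""
import xml.dom.minidom as minidom
from xml.dom import XMLNS_NAMESPACE

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard C14N algorithm identifiers whose canonical form keeps comments.
WITH_COMMENTS_C14N = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
}


def _elements(node):
    """Yield node (if it is an element) and every descendant element."""
    if node.nodeType == node.ELEMENT_NODE:
        yield node
    for child in node.childNodes:
        yield from _elements(child)


def _comments(node):
    """Yield every comment node under node."""
    for child in node.childNodes:
        if child.nodeType == child.COMMENT_NODE:
            yield child
        yield from _comments(child)


def _used_prefixes(elem):
    """Namespace prefixes actually used by element or attribute names in
    elem's subtree.  "" stands for the default namespace (unprefixed
    elements).  xmlns attributes declare prefixes; they do not use them."""
    used = set()
    for e in _elements(elem):
        used.add(e.prefix or "")
        for attr in e.attributes.values():
            if attr.namespaceURI != XMLNS_NAMESPACE and attr.prefix:
                used.add(attr.prefix)
    return used


def audit_signed_info(signature_xml):
    """Return a list of findings about the first SignedInfo in the document.
    An empty list means none of the three garbage slots is in use."""
    doc = minidom.parseString(signature_xml)
    signed_info = doc.getElementsByTagNameNS(DS_NS, "SignedInfo")[0]
    findings = []

    c14n = signed_info.getElementsByTagNameNS(DS_NS, "CanonicalizationMethod")[0]
    algorithm = c14n.getAttribute("Algorithm")
    if algorithm in WITH_COMMENTS_C14N:
        findings.append("with-comments C14N for SignedInfo: %s" % algorithm)

    for comment in _comments(signed_info):
        findings.append("comment inside SignedInfo: %r" % comment.data.strip())

    for elem in _elements(signed_info):
        used = _used_prefixes(elem)
        for attr in elem.attributes.values():
            if attr.namespaceURI != XMLNS_NAMESPACE:
                continue
            declared = "" if attr.name == "xmlns" else attr.localName
            if declared not in used:
                findings.append("unused namespace declaration %s=%r on <%s>"
                                % (attr.name, attr.value, elem.tagName))
    return findings


# Constructed sample: comment-preserving C14N, a comment in SignatureMethod,
# and a spurious xmlns:junk declaration that nothing uses.
SUSPICIOUS = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <ds:SignatureMethod xmlns:junk="urn:constructed:filler-0001"
        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"><!-- padding --></ds:SignatureMethod>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
</ds:Signature>"""

# Constructed sample with the same structure and none of the garbage slots.
CLEAN = SUSPICIOUS.replace("#WithComments", "").replace(
    ' xmlns:junk="urn:constructed:filler-0001"', "").replace(
    "<!-- padding -->", "")

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, audit_signed_info(doc))
```

A verifier that adopts Brad's suggestion for (1) would treat the first finding as a hard rejection; the other two are heuristics, since an unused declaration or a comment can be legitimate, but either in SignedInfo is worth logging, because SignedInfo is the only part of the signature the signer's key actually covers.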
