RE: Minutes of 990909-tele

From: Phillip M Hallam-Baker <pbaker@verisign.com>
Date: Thu, 9 Sep 1999 15:29:40 -0400
To: "Joseph M. Reagle Jr." <reagle@w3.org>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-ID: <002201befaf9$a9601680$6e07a8c0@pbaker-pc.verisign.com>
>      * Fox: will XML content be too small sometimes (particularly if
>        signature is also over siginfo, pretty static information) in
>        order to permit a dictionary attack, do we need padding and salt?
>        Solo: jokes XML is never small. ACTION FOX: talk to
>        crypto-weenies.

The issue here is not size but entropy. XML's verbosity provides nothing
useful here.

The particular concern for a dictionary attack, however, is in the area
of confidentiality. If there is little entropy in the message then
I can build a dictionary - regardless of whether the message is a
binary digit or <XML><HEAD><TITLE>YES</TITLE></HEAD></XML>.

This is why sensible cryptographers employ session keys even when 
using symmetric keying for distribution.


The attack of particular concern here is a replay attack. I can record
your last signed message and replay it. This problem is not affected
by message size in the way that the dictionary attack is.

In general, concerns of this nature are the responsibility of those
proposing the low level packaging formats. PKCS#1.1 is designed to
be very robust and is pretty much immune to attacks of this type 
which were considered in its design. 

	Phill
Received on Thursday, 9 September 1999 15:28:34 GMT
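
An added illustration of the entropy point made in the message above (not part of the original e-mail and not XML-DSig code): a two-answer message wrapped in verbose XML still carries one bit of entropy, so a deterministic digest of it can be matched against a dictionary. It assumes an observer can see a SHA-256 digest of otherwise confidential content; the function names, the candidate list and the salt handling are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed sample: the only two messages the sender could plausibly send.
ANSWERS = ["YES", "NO"]

def wrap(answer: str) -> bytes:
    """Verbose XML wrapper from the message; it adds bytes, not entropy."""
    return f"<XML><HEAD><TITLE>{answer}</TITLE></HEAD></XML>".encode()

def digest(content: bytes, salt: bytes = b"") -> str:
    """Deterministic digest the observer is assumed to see (assumption)."""
    return hashlib.sha256(salt + content).hexdigest()

def dictionary(candidates, salt: bytes = b"") -> dict:
    """Map digest -> plaintext for every candidate message."""
    return {digest(wrap(a), salt): a for a in candidates}

def recover(observed: str, candidates, salt: bytes = b""):
    """Return the plaintext whose digest matches, or None if none does."""
    return dictionary(candidates, salt).get(observed)

def guess_bits(candidates) -> float:
    """Entropy of a uniformly chosen message from the candidate set, in bits."""
    return math.log2(len(candidates))

def demo() -> dict:
    secret_salt = secrets.token_bytes(16)  # kept inside the confidential content
    public_salt = secrets.token_bytes(16)  # disclosed next to the digest
    return {
        # 42 bytes of XML, still only 1 bit to guess.
        "bits": guess_bits(ANSWERS),
        # No salt: a dictionary built once matches every future message.
        "unsalted": recover(digest(wrap("YES")), ANSWERS),
        # Disclosed salt: stops reuse of an old dictionary, but the observer
        # rebuilds a two-entry dictionary with the salt and still matches.
        "public_salt": recover(digest(wrap("YES"), public_salt),
                               ANSWERS, public_salt),
        # Secret 128-bit salt: the digested input now has real entropy,
        # so the dictionary lookup finds nothing.
        "secret_salt": recover(digest(wrap("YES"), secret_salt), ANSWERS),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt only helps when it stays secret and is fresh per message, which is the same property a per-message session key provides.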
