Re: Parameters and Algorithms. from Eric Rescorla on 1999-10-14 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 13 Oct 1999 21:11:17 -0700
To: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
cc: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Message-Id: <199910140411.VAA44456@romeo.rtfm.com>

> I am sorry Eric, but you are wrong in this case.  The entire signature
> algorithm is part of the hash, so they need to make a message that is
> correctly layed out, contains the new hash algorithm,...  
Correct. We're discussing the situation where the digest algorithm has
been completely compromised, so the attacker can efficiently make
messages with arbitrary digests.

The formatting constraints you describe aren't really that difficult
to achieve. Consider any message of more than 160 words. Simply by
doubling (or not) any of the inter-word spaces, you can achieve 2^160
different variations of reasonable looking messages. With high
probability, one of these messages will match any given digest.

The only problem here is doing it efficiently. That's where the
assumption that the digest has been compromised comes in.

Consider the case where one of the digest algorithms is CRC to see
that this is possible with a sufficiently weak digest.

> If what you are saying is true, then they have an attack againist DSA
> anyway.  There is nothing to prevent somebody from creating an OID for
> DSA-with-RIPEMD-160 and putting that into the message today in CMS.
My reading of the CMS spec is that this is forbidden. 

   The DSA signature algorithm is defined in FIPS Pub 186 [DSS].  DSA is
   always used with the SHA-1 message digest algorithm.  The algorithm
   identifier for DSA is:

      id-dsa-with-sha1 OBJECT IDENTIFIER ::=  { iso(1) member-body(2)
          us(840) x9-57 (10040) x9cm(4) 3 }

I admit that it's not 100% clear. However, it seems to me that
saying that DSA is always used with SHA-1 implies that it's not
legal to define DSA-with-FOO.

> The Signature algorithm is part of the data being hashed.
I'm aware of that. As I said in my previous message, that's
insufficient. This is why PKCS-1 puts it in the actual
signature, where it cannot be tampered with even if the
digest is completely compromised. Unfortunately, this is
not possible with DSA, which is why DSA must be used with
SHA-1 only.

-Ekr

[Eric Rescorla                                   ekr@rtfm.com]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/

Received on Thursday, 14 October 1999 00:11:24 UTC