W3C home > Mailing lists > Public > xml-encryption@w3.org > March 2001

RE: Signing encrypted data

From: Amir Herzberg <AMIR@newgenpay.com>
Date: Tue, 27 Mar 2001 02:57:59 +0100
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0522A1@IMP01>
To: "'Joseph Ashwood'" <jashwood@arcot.com>, "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
Joe says, 
> > .... In many secure e-payments and e-commerce
> > applications, we sign plaintext to provide non-repudiation (without
exposing
> > all content to some parties that still need to verify the signature). I
now
> > understand that the current draft intentionally excludes this for
security
> > concerns.
> 
> What the current draft very intentionally excludes is the 
> ability to publish
> a signature on data that was encrypted after the signature 
> was performed.
> This should not be used by anyone for very good security 
> reasons. 

So, it seems we do agree, at least, on what we disagree on: whether the
draft should intentionally exclude signing of plaintext (while sending only
an encrypted version of it for confidentiality). Right?

You seem to think this is justified for a `very good security reasons`.
Right? 

Question: what are these security reasons?

Comments:
1. Signing of secret values (encrypted or not) is done by existing
protocols. E.g. in SET we sign the credit card number, after performing HMAC
of it with a random key and pad, much like I proposed as a possible
implementation. 
2. I've consulted again with some of the leading cryptographers in this
area, specifically Shai Halevi, Ran Canetti and Hugo Krawczyk, and they all
agreed it is perfectly reasonable and secure to sign secret values using
such techniques (in particular signing HMAC (x,rand)). 
3. There are important applications where signing secret values is
necessary. Standards should try to support such cases, warning if necessary
so that implementors can avoid security pitfalls, but not excluding an
important application due to a security concern which may be avoided by
proper implementation. 

...... skip
> Actually there remains this pesky little proof that you only 
> have to guess
> the entropy content to guess the exact text. 

This certainly is not a security concern. The signer is in complete control
over the amount of randomness added to the signed data (and hence of the
entropy), therefore can easily use sufficient random bits to make this
attack infeasible. Guessing is always possible - you can guess secret keys
as well - but when length is appropriate, this is not a realistic attack. 

> > Joe was concerned about this suggestion:
> > >
> > > It depends on how post-image resistant the hash function in
> > > use is. If SHA-1
> > > is used then it will add most of what you expect, MD-5 it will add
> > > significantly less than expected (there are known 
> collisions in the
> > > compression function).
> >
> > Actually, the property we need here is unrelated to 
> collisions, and... <skip>
> 
> I'm sure I'm not the first person to tell you that all a hash 
> fucntion has
> is collisions and collision-resistance. If it's not related 
> to collicions,
> it's not related to hash functions, which means that it's not 
> related to
> modern cryptographic signature techniques. 

As in an earlier `errata` note I've sent immediately after sending the note
you responded to, I agree - I made a mistake, collision resistance is
necessary to provide non-repudiable signatures. 

However, as a side comment, the definitions used by most experts do not
require collisions-resistance from every hash function (and certainly
require additional properties). See really any textbook to see that there
are many applications where hash functions which allow collisions can be
appropriate. But indeed not for non-repudiation. 

Best regards, 
Amir Herzberg
CTO, NewGenPay Inc.  

See our demo and overview/tutorials on secure e-commerce in
http://www.NewGenPay.com
Received on Monday, 26 March 2001 18:54:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:18 GMT