W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig

From: Aleksey Sanin <aleksey@aleksey.com>
Date: Fri, 05 Apr 2002 18:37:10 -0800
Message-ID: <3CAE5F56.3000106@aleksey.com>
To: Tom Gindin <tgindin@us.ibm.com>
CC: Blair Dillaway <blaird@microsoft.com>, xml-encryption@w3.org
Exactly! Algorithm substitution attack as you are describing it is 
*exactly*
the same as general attack "find signature for algorithm+document 
without key".


Aleksey.

Tom Gindin wrote:

>However, what I don't understand on deeper consideration is how
>putting the algorithm ID into the basis of the message digest stops the
>attack.  Effectively, doing this changes the forger's problem from "find M2
>such that H2(M2) == H1(M1)" to "find M2 such that H2(M2 || ID(H2)) == H1(M1
>|| ID(H1))".  Since ID(H1) and ID(H2) are constants, this does very little
>to complicate the forger's task.
>
Received on Friday, 5 April 2002 21:38:05 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:03 UTC