- From: Aleksey Sanin <aleksey@aleksey.com>
- Date: Fri, 05 Apr 2002 18:37:10 -0800
- To: Tom Gindin <tgindin@us.ibm.com>
- CC: Blair Dillaway <blaird@microsoft.com>, xml-encryption@w3.org
Exactly! The algorithm substitution attack as you describe it is *exactly* the same as the general attack "find a signature for algorithm+document without the key".

Aleksey.

Tom Gindin wrote:
> However, what I don't understand on deeper consideration is how
> putting the algorithm ID into the basis of the message digest stops the
> attack. Effectively, doing this changes the forger's problem from "find M2
> such that H2(M2) == H1(M1)" to "find M2 such that H2(M2 || ID(H2)) == H1(M1
> || ID(H1))". Since ID(H1) and ID(H2) are constants, this does very little
> to complicate the forger's task.
Received on Friday, 5 April 2002 21:38:05 UTC
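As an added illustration (not part of the thread, and not xmlsec or any W3C code), the Python below models the forger's problem Tom states, H2(M2 || ID(H2)) == H1(M1 || ID(H1)), and the verifier-side assumption that decides whether it is hard. It assumes a signer that signs the digest of (message || algorithm ID) with an HMAC standing in for the private-key signature, a verifier that reads the digest algorithm from the signature's own metadata, a constructed sample message, and a deliberately preimage-trivial "toy" digest playing the role of a weak H2. The function and algorithm names are invented for the example.

```python
"""Toy model of algorithm substitution against a digest-then-sign scheme.

Illustrative code only: HMAC stands in for the signer's private-key
signature, and "toy" is a made-up digest whose preimages are trivial.
"""
import hashlib
import hmac
import os

# Stand-in for the signer's private key (HMAC keeps the example short).
KEY = os.urandom(32)


def strong_digest(msg: bytes) -> bytes:
    """H1: a real collision-resistant hash."""
    return hashlib.sha256(msg).digest()


def weak_digest(msg: bytes) -> bytes:
    """H2: a deliberately broken 256-bit 'digest' (first 32 bytes, zero-padded).

    Any 32-byte target value has an obvious preimage: any message that starts
    with it. This models an algorithm the verifier should never have accepted.
    """
    return msg[:32].ljust(32, b"\0")


DIGESTS = {"sha256": strong_digest, "toy": weak_digest}


def digest_with_id(alg: str, msg: bytes) -> bytes:
    """Compute H(M || ID(H)), i.e. the algorithm ID is under the digest."""
    return DIGESTS[alg](msg + alg.encode())


def sign(alg: str, msg: bytes) -> dict:
    """Signer: sign the digest; the algorithm name travels with the signature."""
    d = digest_with_id(alg, msg)
    return {"alg": alg, "sig": hmac.new(KEY, d, hashlib.sha256).digest()}


def verify_trusting_metadata(msg: bytes, sig: dict) -> bool:
    """Verifier that lets the signature metadata choose the digest algorithm."""
    d = digest_with_id(sig["alg"], msg)
    expected = hmac.new(KEY, d, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig["sig"])


def verify_with_policy(msg: bytes, sig: dict, allowed=frozenset({"sha256"})) -> bool:
    """Verifier that restricts the digest algorithm to a fixed policy set."""
    if sig["alg"] not in allowed:
        return False
    return verify_trusting_metadata(msg, sig)


def forge(m1: bytes, sig1: dict, payload: bytes) -> tuple:
    """Forger: reuse sig1 on a new document M2 by switching the algorithm to H2.

    The target is H1(M1 || ID(H1)). Under the weak H2, any M2 whose first 32
    bytes equal the target satisfies H2(M2 || ID(H2)) == target, so appending
    the ID to the digested data does not complicate the search at all.
    """
    target = digest_with_id(sig1["alg"], m1)
    m2 = target + payload  # 32-byte opaque header followed by attacker content
    assert digest_with_id("toy", m2) == target
    return m2, {"alg": "toy", "sig": sig1["sig"]}


def demo() -> dict:
    """Run the whole exchange on a constructed message and report each outcome."""
    m1 = b"constructed sample document: pay 10 to Bob"  # constructed input
    sig1 = sign("sha256", m1)
    m2, sig2 = forge(m1, sig1, b"\nforged: pay 1000000 to Mallory")
    return {
        "genuine_accepted": verify_trusting_metadata(m1, sig1),
        "forgery_accepted_by_trusting_verifier": verify_trusting_metadata(m2, sig2),
        "forgery_accepted_by_policy_verifier": verify_with_policy(m2, sig2),
        "genuine_accepted_by_policy_verifier": verify_with_policy(m1, sig1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model makes the constant-ID observation concrete: binding ID(H2) into the digested bytes changes nothing for a forger who can choose H2, because the difficulty lives entirely in H2 itself. With the weak algorithm removed from the verifier's policy the forgery is rejected, and with only strong algorithms accepted the forger's remaining task is a preimage of a collision-resistant hash, which is the "without the key" problem the reply refers to.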