- From: Phillip M Hallam-Baker <pbaker@verisign.com>
- Date: Thu, 9 Sep 1999 15:29:40 -0400
- To: "Joseph M. Reagle Jr." <reagle@w3.org>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
> * Fox: will XML content be too small sometimes (particularly if
> signature is also over siginfo, pretty static information) in
> order to permit a dictionary attack, do we need padding and salt?
> Solo: jokes XML is never small. ACTION FOX: talk to
> crypto-weenies.

The issue here is not size but entropy. XML's verbosity provides nothing useful here.

The particular concern for a dictionary attack however is in the area of confidentiality. If there is little entropy in the message then I can build a dictionary - regardless of whether the message is a binary digit or <XML><HEAD><TITLE>YES</TITLE></HEAD></XML>. This is why sensible cryptographers employ session keys even when using symmetric keying for distribution.

The attack of particular concern here is a replay attack. I can record your last signed message and replay it. This problem is not affected by message size in the way that the dictionary attack is.

In general concerns of this nature are the responsibility of those proposing the low level packaging formats. PKCS#1.1 is designed to be very robust and is pretty much immune to attacks of this type which were considered in its design.

Phill
Received on Thursday, 9 September 1999 15:28:34 UTC
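
An added illustration of the size-versus-entropy point in the message above (not part of the original e-mail or of any XML-DSig text): a published digest over a verbose but low-entropy document identifies its content, and a salt helps only while it stays secret. The templates, candidate list, `SALT` element and the use of SHA-256 are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed templates: the markup is long, but only one word varies.
TEMPLATE = "<XML><HEAD><TITLE>{answer}</TITLE></HEAD></XML>"
SALTED = "<XML><HEAD><SALT>{salt}</SALT><TITLE>{answer}</TITLE></HEAD></XML>"
CANDIDATES = ["YES", "NO", "MAYBE"]  # the entire message space, about 1.6 bits


def digest(doc: str) -> str:
    """Digest as it would be exposed next to an otherwise confidential document."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def build_dictionary(template: str, candidates, **fixed) -> dict:
    """Map digest -> plaintext for every message the sender could have produced."""
    return {digest(template.format(answer=c, **fixed)): c for c in candidates}


def recover(published_digest: str, dictionary: dict):
    """Return the plaintext if the digest is in the dictionary, else None."""
    return dictionary.get(published_digest)


def salted_document(answer: str):
    """Mix 128 random bits into the digested content; returns (salt, document)."""
    salt = secrets.token_hex(16)
    return salt, SALTED.format(salt=salt, answer=answer)


def demo():
    # 1. No salt: the verbose wrapper adds bytes, not entropy.
    unsalted = digest(TEMPLATE.format(answer="YES"))
    no_salt = recover(unsalted, build_dictionary(TEMPLATE, CANDIDATES))

    # 2. Secret salt: the observer must also guess 128 random bits.
    salt, doc = salted_document("YES")
    salted = digest(doc)
    wrong_guess = build_dictionary(SALTED, CANDIDATES, salt="0" * 32)
    secret_salt = recover(salted, wrong_guess)

    # 3. Salt disclosed in clear: the dictionary works again.
    disclosed_salt = recover(salted, build_dictionary(SALTED, CANDIDATES, salt=salt))
    return no_salt, secret_salt, disclosed_salt


if __name__ == "__main__":
    print(demo())
```

The salt addresses only the dictionary problem; a recorded signed message is still replayable unless the signed content also carries freshness information that the verifier checks.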