- From: Eric Rescorla <ekr@rtfm.com>
- Date: Wed, 13 Oct 1999 21:11:17 -0700
- To: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
- cc: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
> I am sorry Eric, but you are wrong in this case. The entire signature > algorithm is part of the hash, so they need to make a message that is > correctly layed out, contains the new hash algorithm,... Correct. We're discussing the situation where the digest algorithm has been completely compromised, so the attacker can efficiently make messages with arbitrary digests. The formatting constraints you describe aren't really that difficult to achieve. Consider any message of more than 160 words. Simply by doubling (or not) any of the inter-word spaces, you can achieve 2^160 different variations of reasonable looking messages. With high probability, one of these messages will match any given digest. The only problem here is doing it efficiently. That's where the assumption that the digest has been compromised comes in. Consider the case where one of the digest algorithms is CRC to see that this is possible with a sufficiently weak digest. > If what you are saying is true, then they have an attack againist DSA > anyway. There is nothing to prevent somebody from creating an OID for > DSA-with-RIPEMD-160 and putting that into the message today in CMS. My reading of the CMS spec is that this is forbidden. The DSA signature algorithm is defined in FIPS Pub 186 [DSS]. DSA is always used with the SHA-1 message digest algorithm. The algorithm identifier for DSA is: id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } I admit that it's not 100% clear. However, it seems to me that saying that DSA is always used with SHA-1 implies that it's not legal to define DSA-with-FOO. > The Signature algorithm is part of the data being hashed. I'm aware of that. As I said in my previous message, that's insufficient. This is why PKCS-1 puts it in the actual signature, where it cannot be tampered with even if the digest is completely compromised. Unfortunately, this is not possible with DSA, which is why DSA must be used with SHA-1 only. -Ekr [Eric Rescorla ekr@rtfm.com] PureTLS - free SSLv3/TLS software for Java http://www.rtfm.com/puretls/
Received on Thursday, 14 October 1999 00:11:24 UTC