- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Fri, 07 Jul 2000 17:58:35 -0400
- To: tgindin@us.ibm.com
- Cc: "Martin J. Duerst" <duerst@w3.org>, w3c-ietf-xmldsig@w3.org, "John Boyer" <jboyer@PureEdge.com>
At 10:52 2000-06-29 -0400, tgindin@us.ibm.com wrote: >Well, it probably isn't even correct to call this a "Birthday Attack," I'm >hoping someone else jumps in and tweaks the text, but I think the gist of >what you are after is there. > >[Tom Gindin] The wording of section 8.1.3 is somewhat unfortunate already. >While it is true that transforms appear to increase the number of documents >which map to the same digest, that number is already literally >astronomical. For SHA-1, for example, the number of documents of length N >octets in UTF-8 which map to a given digest is 256**(N-20) or >2**(8*(N-20)). Larger hash algorithms may increase the number 20 somewhat, >but a 200 octet message restricted to printable ASCII would still exceed >2**1000. Not normalizing before digesting is what allows inconsequential >changes to affect the digest. I've tweaked the text slightly in the forthcoming draft, if anyone want to suggest alternative text in future versions, please propose it: 8.1.3 Transforms Can Aid Collision Attacks In addition to the semantic concerns of transforms removing or including data from a source document prior to signing, there is potential for syntactical collision attacks. For instance, consider a signature which includes a transform that changes the character normalization of the source document to Normalized Form C [NFC]. This transform increases the number of documents that when transformed and digested yield the same hash value. Consequently, an attacker could include a subsantive syntactical and semantic change to the document by varying other inconsequential syntactical values that are normalized prior to digesting such that the tampered signature document is considered valid. Consequently, while we RECOMMEND all documents operated upon and generated by signature applications be in [NFC] (otherwise intermediate processors might unintentionally break the signature) encoding normalizations SHOULD NOT be done as part of a signature transform. _________________________________________________________ Joseph Reagle Jr. W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Friday, 7 July 2000 18:06:38 UTC