Re: Followup on I18N Last Call comments and disposition from Joseph M. Reagle Jr. on 2000-07-07 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Fri, 07 Jul 2000 17:58:35 -0400
To: tgindin@us.ibm.com
Cc: "Martin J. Duerst" <duerst@w3.org>, w3c-ietf-xmldsig@w3.org, "John Boyer" <jboyer@PureEdge.com>
Message-Id: <3.0.5.32.20000707175835.01f4e5a0@localhost>

At 10:52 2000-06-29 -0400, tgindin@us.ibm.com wrote:
 >Well, it probably isn't even correct to call this a  "Birthday Attack," I'm
 >hoping someone else jumps in and tweaks the text, but I think the gist of
 >what you are after is there.
 >
 >[Tom Gindin] The wording of section 8.1.3 is somewhat unfortunate already.
 >While it is true that transforms appear to increase the number of documents
 >which map to the same digest, that number is already literally
 >astronomical.  For SHA-1, for example, the number of documents of length N
 >octets in UTF-8 which map to a given digest is 256**(N-20) or
 >2**(8*(N-20)).  Larger hash algorithms may increase the number 20 somewhat,
 >but a 200 octet message restricted to printable ASCII would still exceed
 >2**1000.  Not normalizing before digesting is what allows inconsequential
 >changes to affect the digest.

I've tweaked the text slightly in the forthcoming draft, if anyone want to
suggest alternative text in future versions, please propose it:

8.1.3 Transforms Can Aid Collision Attacks
In addition to the semantic concerns of transforms removing or including
data from a source document prior to signing, there is potential for
syntactical collision attacks. For instance, consider a signature which
includes a transform that changes the character normalization of the source
document to Normalized Form C [NFC]. This transform increases the number of
documents that when transformed and digested yield the same hash value.
Consequently, an attacker could include a subsantive syntactical and
semantic change to the document by varying other inconsequential syntactical
values that are normalized prior to digesting such that the tampered
signature document is considered valid. Consequently, while we RECOMMEND all
documents operated upon and generated by signature applications be in [NFC]
(otherwise intermediate processors might unintentionally break the
signature) encoding normalizations SHOULD NOT be done as part of a signature
transform.

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Friday, 7 July 2000 18:06:38 UTC