- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 18 May 2005 16:46:20 +0100
- To: Kenneth Jensen <xmlsec@gmail.com>
- Cc: www-xkms@w3.org
Hi Kenneth,

Kenneth Jensen wrote:
> 1) Attacker generates random private/public keypair, that is fairly
> useless on its own.
>
> 2) Attacker sends a Locate request containing the public key to an XKMS service

Forget Locate - Validate with just a KeyValue is expected to happen often. I can even get a victim application to do the xkms query on my behalf, just by sending it a ds:Signature with a ds:KeyInfo that only contains a ds:KeyValue - which is basically the default case for xmlsig....

...however....

> 3) There is a 1/<huge number> probability that the XKMS service has a
> keybinding with the same keypair, BUT if it does

For a given key pair, that's roughly as likely as guessing the factorisation by chance, isn't it? The probability of having a big enough DB for a collision to happen via the birthday paradox is also still about 2^512 for a 1024 bit key. That's quite a large DB!

[Ok, those figures are bogus, but say if there're only 2^256 different 1024-bit RSA keys, then I need a DB with 2^128 entries before collisions are likely - still not a deal. Anyone care to do the real arithmetic?]

All in all, go buy lottery tickets first!

> 4) the XKMS service will respond with information identifying the
> target, signed public key certificates and certificate chain.
>
> 5) Now the attacker has a keypair, AND a lot of information about who
> else uses the keypair and he is now ready to forge signatures, decrypt
> secret stuff, register keys under fake ID etc.

Cute though, and actually creates a nice covert channel if the parties collude, (but then again probably any key management scheme does),

Cheers,
Stephen.
Received on Wednesday, 18 May 2005 15:46:42 UTC
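The "real arithmetic" the message asks for, as an added worked example that is not part of the archived thread. It separates the two risks the reply distinguishes: the single-target case (a fixed key pair happening to be in the service's key-binding DB, probability n/N) and the birthday case (any two of n random keys colliding, needing n on the order of sqrt(N)). The 2^256 keyspace and 2^128 DB size are the hypothetical figures from the message, not real counts of 1024-bit RSA keys; the 2^20 keyspace used in the sanity check is a constructed toy size so the exact product is computable.

```python
import math


def birthday_draws_log2(log2_keyspace: float, p: float = 0.5) -> float:
    """log2 of the number of uniformly random draws from a keyspace of
    2**log2_keyspace elements before some pair of draws collides with
    probability p, using the standard birthday approximation
    n ~ sqrt(2 * N * ln(1 / (1 - p))) carried out in the log domain so
    that keyspaces of 2**256 and beyond do not overflow a float."""
    ln_term = math.log(1.0 / (1.0 - p))
    return 0.5 * (1.0 + log2_keyspace + math.log2(ln_term))


def single_target_log2(log2_db_size: float, log2_keyspace: float) -> float:
    """log2 of the probability that one fixed key pair is already among
    the 2**log2_db_size distinct keys a service holds, out of
    2**log2_keyspace possible keys: n / N (ignoring DB duplicates)."""
    return log2_db_size - log2_keyspace


def collision_probability(n: int, keyspace: int) -> float:
    """Exact probability that n uniform draws from a keyspace of the given
    size contain at least one repeated value: 1 - prod(1 - i/N).
    Evaluated with log1p/expm1 to stay accurate for small probabilities.
    Only feasible for small n; used here to check the approximation."""
    log_no_collision = sum(math.log1p(-i / keyspace) for i in range(n))
    return -math.expm1(log_no_collision)


def message_figures() -> dict:
    """Rework the message's hypothetical: 2**256 distinct keys.
    Returns log2 values so the result reads as exponents."""
    log2_keyspace = 256.0                      # hypothetical from the message
    log2_db = birthday_draws_log2(log2_keyspace)   # DB size for a 50% birthday collision
    return {
        # ~128: a 2**128-entry DB before any-pair collisions become likely
        "birthday_db_log2": log2_db,
        # ~-128: chance a chosen key is in such a DB is still about 2**-128
        "single_target_log2": single_target_log2(log2_db, log2_keyspace),
    }


def approximation_check(log2_keyspace: int = 20) -> float:
    """Sanity-check the birthday formula on a constructed toy keyspace
    (2**20 values) where the exact product is cheap to compute; the
    returned value should sit close to 0.5."""
    n = round(2 ** birthday_draws_log2(log2_keyspace))
    return collision_probability(n, 2 ** log2_keyspace)


if __name__ == "__main__":
    for name, value in message_figures().items():
        print(f"{name}: 2^{value:.2f}")
    print(f"exact collision probability at the birthday bound (2^20 keyspace): "
          f"{approximation_check():.4f}")
```

The point of the split is the one the reply makes: the birthday bound says how large a DB must grow before any two keys in it coincide, but it says nothing about a chosen key pair, whose chance of already being bound to someone else stays at n/N however the DB was filled.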