- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Fri, 5 Apr 2002 21:33:10 -0500
- To: aleksey@aleksey.com
- Cc: Blair Dillaway <blaird@microsoft.com>, xml-encryption@w3.org
The algorithm substitution attack on signature, as a scenario, is basically that you generate a signature without an algorithm, attach it to a document which the message digest within the signature matches, and then later find another document whose digest using another algorithm is that of the original. This attack may not be very likely with most algorithms. It doesn't work well against DSA (no digest algorithm changes allowed) or PKCS#1 v1.5 (algorithm physically next to digest), and I don't think it works against PSS very well either. Furthermore, trying to find a collision between two widely accepted hash algorithms (say RIPEMD-160 and SHA-1) may not be much easier than finding a collision inside one - which allows you to do the same kind of forgeries. However, if attackers can choose an arbitrary digest algorithm for the second digest, the attack becomes much more plausible. However, what I don't understand on deeper consideration is how putting the algorithm ID into the basis of the message digest stops the attack. Effectively, doing this changes the forger's problem from "find M2 such that H2(M2) == H1(M1)" to "find M2 such that H2(M2 || ID(H2)) == H1(M1 || ID(H1))". Since ID(H1) and ID(H2) are constants, this does very little to complicate the forger's task. Tom Gindin Aleksey Sanin <aleksey@aleksey.com> on 04/05/2002 04:33:28 PM Please respond to aleksey@aleksey.com To: Blair Dillaway <blaird@microsoft.com> cc: Tom Gindin/Watson/IBM@IBMUS, xml-encryption@w3.org Subject: Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig I still could not understand the algorithm substitution attack on XML DSig if the SignatureMethod is ommited. The application expects that the signature will be generated using algorithm A (this algorithm is is *hard coded* in the application context). Suppose that someone generated signature using algorithm B. If application successfully validates this signature using *hard coded* algorithm A then IMHO it's the same as if an evil guy simply "guessed" the signature for algorithm A. IMHO, this simply means that algorithm A is weak and must not be used as signature algorithm at all (evil guy can guess signature *w/o* keys!!!) Aleksey. Blair Dillaway wrote: >I agree with you. Alg substitution isn't a very useful attack on XML Enc >or XML Sig with the algorithms defined in the spec. If one used some >other algorithms, then it might be an issue for Sig. Though, one might >question the wisdom of using a signature alg open to this type of >attack. > >Blair >
Received on Friday, 5 April 2002 21:34:01 UTC