IETF Logo Mail Archive

Re: [Cfrg] Hash substitution in PSS

"Igoe, Kevin M." <kmigoe@nsa.gov> Fri, 12 April 2013 00:38 UTC

Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB91C21F8A0C for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2013 17:38:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZtPsJyLcIYA for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2013 17:38:53 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) by ietfa.amsl.com (Postfix) with ESMTP id 0532021F89B0 for <cfrg@irtf.org>; Thu, 11 Apr 2013 17:38:52 -0700 (PDT)
X-TM-IMSS-Message-ID: <7ee6a87c0004ac22@nsa.gov>
Received: from MSHT-GH1-UEA02.corp.nsa.gov ([10.215.227.181]) by nsa.gov ([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 7ee6a87c0004ac22 ; Thu, 11 Apr 2013 20:37:37 -0400
Received: from MSMR-GH1-UEA07.corp.nsa.gov (10.215.224.5) by MSHT-GH1-UEA02.corp.nsa.gov (10.215.227.181) with Microsoft SMTP Server (TLS) id 14.1.289.1; Thu, 11 Apr 2013 20:38:01 -0400
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA07.corp.nsa.gov ([10.215.224.5]) with mapi id 14.01.0289.001; Thu, 11 Apr 2013 20:38:49 -0400
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "'dbrown@certicom.com'" <dbrown@certicom.com>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: Hash substitution in PSS
Thread-Index: Ac42293JdF4quuUXQ1KmUJ+FVnLXSwAAineAAA4EFHM=
Date: Fri, 12 Apr 2013 00:38:47 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CA91878EFE@MSMR-GH1-UEA03.corp.nsa.gov>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF513F1F2@XMB111CNC.rim.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.228.46]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Cfrg] Hash substitution in PSS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 00:38:54 -0000

I believe we are in agreement. Any policy put in place by the signer to require use of the strong hash when signing is useless unless the verifier also has a policy to not accept messages signed using the weak hash. Like CRLs and patches, it takes a worrisomly long time for such changes to propogate to every verifier. During the chage over period the signer is vulnerable  to having one of their benign messages "hijacked" and an evil version fed to an "unpatched" verifier.

Having the policy be part of the cert sounds like a prudent precaution, but doesn't that implicitly require the policy to be authenticated to stop Eve from meddling with it?  I suppose the bottom line is that if a commonly used hash fails disasterously then even people who have not been using that hash are vulnerable. 

This seems to say designing a protocol that allows for the use of several different hashes actually increase everyones vulnerability. That certainly is counter intuitive. Of course the discussion above assumes a truly disasterous flaw. If the flaw more mundane, supporting more than one hash helps in recovering from the discovery of this flaw.


----- Original Message -----
From: Dan Brown [mailto:dbrown@certicom.com]
Sent: Thursday, April 11, 2013 02:28 PM Eastern Standard Time
To: Igoe, Kevin M.; 'cfrg@irtf.org' <cfrg@irtf.org>
Subject: RE: Hash substitution in PSS

Doesn't the signer need to have a policy to avoid signing with a weak hash?

Otherwise, if Alice the signer does not have such a policy, then she could sign with a weak hash.  Then Eve the adversary, under your scenario (*), could take the hash value from any message that Alice signed, and find an evil message with the same hash, and fool Bob the verifier.  What am I missing?

It seems impossible to avoid having a good policy for the signer.  I agree that it would be fantastic to avoid such a policy on algorithms, via some algorithm. 

Surely, the verifier would be able to use the same policy as the signer.  Maybe this violates the principle of being "generous in what you receive", but how appropriate is that particular principle when verifying a signature?

Why not embed the signer's policy into the signer's certificate?  That would somewhat ease the burden on the verifier, and place responsibility for the policy upon the signer, where the burden probably belongs.

Best regards,

Dan

(*) Your scenario sounds like this to me: the hash is "weak" in the sense that evil pre-images of any hash can be found.  That is what I am assume above.  (Or, you can take second preimages ...)

A more elaborate scenario would be that the "weak" hash is still strong in the sense that it 1st and 2nd preimage resistant, but it is not 2nd preimage resistant given a 1st preimage under the strong hash.  In other words, it fails to be second cross-preimage resistant.  This scenario is theoretically possible, but seems unlikely for most conventional hash functions.  The policy-necessity argument I make above does not apply to this scenario. 

> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
> Igoe, Kevin M.
> Sent: Thursday, April 11, 2013 1:42 PM
> To: 'cfrg@irtf.org'
> Subject: [Cfrg] Hash substitution in PSS
> 
> On 4 August Jim Schaad pointed out that the choice of hash algorithm in
> PSS is not authenticated and asked if this was a security problem.
> 
> The good news is that if all of the hash algorithms in use are
> "secure", the only risk is the "birthday problem", and the aVailability
> of more than one hash does not a priori result in a cheaper attack.
> 
> The bad news is that if one of the hashes is broken, so broken that an
> adversary has a non-trivial chance of finding an "evil" message that
> has the same hash value as a benign message formed with a hash that is
> "secure", they can substitute the evil message under the weak hash for
> the benign message under the strong hash. Preventing this requires
> either that (1) the have a policy to reject all messages with the weak
> hash or (2) the choice of hash algorithm be authenticated. Personally I
> trust a cryptographic authentication over policy.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

v2.23.0 | Report a Bug | By Email