Re: [Cfrg] [jose] Question from JOSE working group

John Bradley <ve7jtb@ve7jtb.com> Mon, 02 July 2012 22:40 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <7DF2365FF07C0E4E89419D65CCC93C9E018FF3683736@EXCHANGE11.campus.tue.nl>
Date: Mon, 02 Jul 2012 18:40:03 -0400
Message-Id: <58091EAC-6E16-48FD-A698-A4BF64C60DEB@ve7jtb.com>
References: <32228A90-A4D4-493A-93AC-2F30643C3187@bbn.com> <76A75405-ACBB-474F-AE9A-845F1AA65E54@bbn.com> <A010F653-8437-4725-8F8D-B2A496061A78@ve7jtb.com> <7DF2365FF07C0E4E89419D65CCC93C9E018FF3683736@EXCHANGE11.campus.tue.nl>
To: "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] [jose] Question from JOSE working group

Yes, sorry, JOSE would not be susceptible to chosen-prefix attacks unless we allow the attacker to control the entire plaintext.
As it is now, the header is controlled by the signer.

I think Richard was referring to an identical-prefix attack being possible due to the header, without a nonce or date stamp, being relatively deterministic.

In either event, integrity-protecting the header is not increasing the vulnerability.

Thanks for the correction.

Regards
John Bradley

On 2012-07-02, at 6:19 PM, Weger, B.M.M. de wrote:

> Hi John,
> 
>> Chosen-prefix attacks require the text of both messages to be the same up
>> to the point where the attacker can insert the collision function blocks.
> 
> Correction: 
> It's identical-prefix attacks that require the text of both messages to be 
> the same up to the point where the attacker can insert the collision blocks.
> That's exactly why these attacks are called "identical-prefix".
> 
> Chosen-prefix attacks allow the attacker to choose whatever he wants in
> each of the two messages up to the point where ... etc.
> 
> Chosen-prefix attacks fail if the attacker does not have sufficient control over / 
> cannot sufficiently predict this part of the messages.
> 
> Grtz,
> Benne de Weger
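The distinction the two messages above draw, as an added example that is not part of the thread: a deliberately weak toy Merkle-Damgard hash (16-bit state, 4-byte blocks, compression from truncated SHA-256; all assumptions for illustration) shows why a deterministic JWS header is an "identical prefix" that the attacker never needs to control, why a collision found after that prefix survives any common suffix, and why a per-message nonce in the header changes the prefix so the same colliding blocks no longer apply.

```python
import base64
import hashlib
import json

# Toy Merkle-Damgard hash (constructed for this example, not a real algorithm):
# 16-bit chaining state, 4-byte blocks, compression = SHA-256 truncated to 2 bytes.
# The tiny state makes collisions findable in a few hundred tries; the structure,
# not the strength, is what matters here.
BLOCK = 4
IV = b"\x00\x00"

def compress(state: bytes, block: bytes) -> bytes:
    return hashlib.sha256(state + block).digest()[:2]

def absorb(state: bytes, data: bytes) -> bytes:
    """Run the compression function over block-aligned data."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_md(msg: bytes) -> bytes:
    """Full hash: zero-pad to a block boundary, append a length block, absorb."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    return absorb(IV, padded + len(msg).to_bytes(BLOCK, "big"))

def jws_prefix(header: dict) -> bytes:
    """BASE64URL(header) + '.', the deterministic start of a JWS signing input,
    padded with base64url-safe filler so colliding blocks start on a block boundary."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    prefix = base64.urlsafe_b64encode(raw).rstrip(b"=") + b"."
    return prefix + b"A" * (-len(prefix) % BLOCK)

def identical_prefix_collision(prefix: bytes):
    """Birthday search for two distinct blocks that collide after this exact prefix."""
    state, seen, counter = absorb(IV, prefix), {}, 0
    while True:
        block = counter.to_bytes(BLOCK, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        counter += 1

def colliding(prefix: bytes, b1: bytes, b2: bytes, suffix: bytes = b"") -> bool:
    """True if prefix||b1||suffix and prefix||b2||suffix hash to the same value."""
    return toy_md(prefix + b1 + suffix) == toy_md(prefix + b2 + suffix)

FIXED = jws_prefix({"alg": "RS256"})          # header with no nonce: predictable prefix
B1, B2 = identical_prefix_collision(FIXED)    # blocks tied to that prefix's chaining state
```

Because the chaining states agree after `FIXED + B1` and `FIXED + B2`, any common payload suffix keeps the collision, while a header carrying a nonce yields a different prefix state for which `B1`/`B2` were never found.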