[Cfrg] Hash substitution in PSS

"Igoe, Kevin M." <kmigoe@nsa.gov> Thu, 11 April 2013 17:42 UTC

From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: Hash substitution in PSS
Date: Thu, 11 Apr 2013 17:41:58 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CA9150F119@MSMR-GH1-UEA03.corp.nsa.gov>
Subject: [Cfrg] Hash substitution in PSS
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On 4 August Jim Schaad pointed out that the choice of hash algorithm in PSS is not authenticated and asked if this was a security problem.

The good news is that if all of the hash algorithms in use are "secure", the only risk is the "birthday problem", and the availability of more than one hash does not a priori result in a cheaper attack.

The bad news is that if one of the hashes is broken, so broken that an adversary has a non-trivial chance of finding an "evil" message that has the same hash value as a benign message formed with a hash that is "secure", they can substitute the evil message under the weak hash for the benign message under the strong hash. Preventing this requires either that (1) they have a policy to reject all messages with the weak hash or (2) the choice of hash algorithm be authenticated. Personally I trust a cryptographic authentication over policy.
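As an added example, not part of this message, here is a Go RSASSA-PSS verifier that applies both of the mitigations above: a policy list of hashes it will accept at all, and a key pinned to a single hash at provisioning time (in the spirit of carrying the hash in the key's RSASSA-PSS parameters) so that the unauthenticated hash name in a signature header can never select the algorithm. The names `hashPolicy`, `PinnedKey` and `Sign` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"errors"
)

// Hash names a signature header may claim, mapped to the hashes this
// verifier still considers secure; any other claim is rejected (mitigation 1, policy).
var hashPolicy = map[string]crypto.Hash{
	"sha256": crypto.SHA256,
	"sha512": crypto.SHA512,
}

// PinnedKey fixes the one hash a public key may be used with at provisioning
// time, so the hash choice is trusted with the key, not read from the message (mitigation 2).
type PinnedKey struct {
	Pub  *rsa.PublicKey
	Hash crypto.Hash
}

func digest(h crypto.Hash, msg []byte) []byte {
	d := h.New()
	d.Write(msg)
	return d.Sum(nil)
}

// Sign produces an RSASSA-PSS signature over msg with hash h (example helper).
func Sign(priv *rsa.PrivateKey, h crypto.Hash, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, h, digest(h, msg), nil)
}

// Verify checks a signature whose (unauthenticated) header claims hash
// claimedName. The claim must pass policy and equal the pinned hash before
// any RSA operation runs, and the pinned hash is what drives verification.
func (k PinnedKey) Verify(claimedName string, msg, sig []byte) error {
	claimed, ok := hashPolicy[claimedName]
	if !ok {
		return errors.New("claimed hash rejected by policy")
	}
	if claimed != k.Hash {
		return errors.New("claimed hash does not match the hash bound to the key")
	}
	return rsa.VerifyPSS(k.Pub, k.Hash, digest(k.Hash, msg), sig, nil)
}
```

A signature whose header names a different hash than the one bound to the key is refused before the digest is even computed, which is the substitution the message describes.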