IETF Logo Mail Archive

Re: [Cfrg] Hash substitution in PSS

Dan Brown <dbrown@certicom.com> Thu, 11 April 2013 18:28 UTC

Return-Path: <prvs=08135012b4=dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 718CE21F8DC9 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2013 11:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level:
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n4QycQdT8Nc3 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2013 11:28:20 -0700 (PDT)
Received: from mhs061cnc.rim.net (mhs061cnc.rim.net [208.65.73.35]) by ietfa.amsl.com (Postfix) with ESMTP id 911BC21F882A for <cfrg@irtf.org>; Thu, 11 Apr 2013 11:28:20 -0700 (PDT)
X-AuditID: 0a412830-b7f2f6d000007c2a-ff-516700b57b8a
Received: from XCT106CNC.rim.net (xct106cnc.rim.net [10.65.161.206]) (using TLS with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by mhs061cnc.rim.net (SBG) with SMTP id 1B.9B.31786.5B007615; Thu, 11 Apr 2013 13:28:05 -0500 (CDT)
Received: from XCT113CNC.rim.net (10.65.161.213) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.2.328.9; Thu, 11 Apr 2013 14:28:05 -0400
Received: from XMB111CNC.rim.net ([fe80::fcd6:cc6c:9e0b:25bc]) by XCT113CNC.rim.net ([::1]) with mapi id 14.02.0328.009; Thu, 11 Apr 2013 14:28:05 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: Hash substitution in PSS
Thread-Index: Ac42293JdF4quuUXQ1KmUJ+FVnLXSwAAineA
Date: Thu, 11 Apr 2013 18:28:04 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF513F1F2@XMB111CNC.rim.net>
References: <3C4AAD4B5304AB44A6BA85173B4675CA9150F119@MSMR-GH1-UEA03.corp.nsa.gov>
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CA9150F119@MSMR-GH1-UEA03.corp.nsa.gov>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: text/plain; charset="us-ascii"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrDKsWRmVeSWpSXmKPExsXC5bjwnO5WhvRAg19XrS26fxxksphw6jWr A5PH5I2H2Tz6d71kDWCKamC0SUosKQvOTM/Tt7NJzMvLL0ksSVVISS1OtlXySU1PzFEIKMos S0yuVHDJLE7OSczMTS1SUshMsVUyUVIoyElMTs1NzSuxVUosKEjNS1Gy41LAADZAZZl5Cql5 yfkpmXnptkqewf66FhamlrqGSna6CZ08GVMmb2UuuCRece1DQAPjL6EuRk4OCQETiSOPz7FC 2GISF+6tZwOxhQTamSQWrhLoYuQCslcySjzbf4cdwpnDKPF76TsmkCo2AVWJ+0fPMYPYIgJe EvuvfgWbJAwUfzppEStEXE3i785+KNtIYvWMeewgNgtQzZcj74HmcHDwCrhJtF/kglgcJLH1 +0ewEk6BYIn+revBWhkFZCV2n70OtpZZQFzi1pP5TBBHC0gs2XOeGcIWlXj5+B/UM4oSz+4s ZYeo15FYsPsTG4StLbFs4Wuwel4BQYmTM5+wQOxVkLhyfR/LBEbxWUhWzELSPgtJ+ywk7QsY WVYxCuZmFBuYGSbnJesVZebq5aWWbGIEJw8Ngx2M799bHGIU4GBU4uH98iItUIg1say4MvcQ owQHs5IIb8xeoBBvSmJlVWpRfnxRaU5q8SFGV2AATWSW4k7OBya2vJJ4YwMD3Bwlcd7fwtGB QgLpwFSVnZpakFoEM4eJgxNkD5eUSDEw4aQWJZaWZMSD0mJ8MTAxSjUw6p8tKDX4Ip8jvlDw ym533q/M+2fkMd9gtHktsG9JuBWH04TY2lOXlaruXjZcK7XxY+amFu0TIqe7WD+anW8+KlqT Jyn45rroyxN7U2ayHO88wc+ja5adEyNz/pp2/vYbsWmbLBL4Yq+tm2Cu5bHqlcalxebt904d lA++yPVHsCDtz+a1LI0rlFiKMxINtZiLihMBwCJA0l8DAAA=
Subject: Re: [Cfrg] Hash substitution in PSS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2013 18:28:21 -0000

Doesn't the signer need to have a policy to avoid signing with a weak hash?

Otherwise, if Alice the signer does not have such a policy, then she could sign with a weak hash.  Then Eve the adversary, under your scenario (*), could take the hash value from any message that Alice signed, and find an evil message with the same hash, and fool Bob the verifier.  What am I missing?

It seems impossible to avoid having a good policy for the signer.  I agree that it would be fantastic to avoid such a policy on algorithms, via some algorithm. 

Surely, the verifier would be able to use the same policy as the signer.  Maybe this violates the principle of being "generous in what you receive", but how appropriate is that particular principle when verifying a signature?

Why not embed the signer's policy into the signer's certificate?  That would somewhat ease the burden on the verifier, and place responsibility for the policy upon the signer, where the burden probably belongs.

Best regards,

Dan

(*) Your scenario sounds like this to me: the hash is "weak" in the sense that evil pre-images of any hash can be found.  That is what I am assume above.  (Or, you can take second preimages ...)

A more elaborate scenario would be that the "weak" hash is still strong in the sense that it 1st and 2nd preimage resistant, but it is not 2nd preimage resistant given a 1st preimage under the strong hash.  In other words, it fails to be second cross-preimage resistant.  This scenario is theoretically possible, but seems unlikely for most conventional hash functions.  The policy-necessity argument I make above does not apply to this scenario. 

> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
> Igoe, Kevin M.
> Sent: Thursday, April 11, 2013 1:42 PM
> To: 'cfrg@irtf.org'
> Subject: [Cfrg] Hash substitution in PSS
> 
> On 4 August Jim Schaad pointed out that the choice of hash algorithm in
> PSS is not authenticated and asked if this was a security problem.
> 
> The good news is that if all of the hash algorithms in use are
> "secure", the only risk is the "birthday problem", and the aVailability
> of more than one hash does not a priori result in a cheaper attack.
> 
> The bad news is that if one of the hashes is broken, so broken that an
> adversary has a non-trivial chance of finding an "evil" message that
> has the same hash value as a benign message formed with a hash that is
> "secure", they can substitute the evil message under the weak hash for
> the benign message under the strong hash. Preventing this requires
> either that (1) the have a policy to reject all messages with the weak
> hash or (2) the choice of hash algorithm be authenticated. Personally I
> trust a cryptographic authentication over policy.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

v2.23.0 | Report a Bug | By Email