IETF Logo Mail Archive

Re: How to Calculate Signatures?

Konrad Rosenbaum <konrad@silmor.de> Wed, 06 April 2005 20:39 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA02174 for <openpgp-archive@lists.ietf.org>; Wed, 6 Apr 2005 16:39:28 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33JYETm054483; Sun, 3 Apr 2005 12:34:14 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j33JYEE6054482; Sun, 3 Apr 2005 12:34:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from p15139323.pureserver.info (silmor.de [217.160.219.75]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33JYDY7054471 for <ietf-openpgp@imc.org>; Sun, 3 Apr 2005 12:34:13 -0700 (PDT) (envelope-from konrad@silmor.de)
Received: from p548c9f4c.dip.t-dialin.net ([84.140.159.76] helo=zaphod.local) by p15139323.pureserver.info with asmtp (Exim 3.35 #1 (Debian)) id 1DIAr5-0000a9-00; Sun, 03 Apr 2005 21:33:56 +0200
From: Konrad Rosenbaum <konrad@silmor.de>
To: Ben Laurie <ben@algroup.co.uk>
Subject: Re: How to Calculate Signatures?
Date: Sun, 03 Apr 2005 21:33:50 +0200
User-Agent: KMail/1.7.2
References: <20050402201614.31E9157EE9@finney.org> <200504031948.22079@zaphod.konrad.silmor.de> <42503B09.8090608@algroup.co.uk>
In-Reply-To: <42503B09.8090608@algroup.co.uk>
Cc: ietf-openpgp@imc.org
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1781299.3IFMXeiy2q"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
Message-Id: <200504032133.54375@zaphod.konrad.silmor.de>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Sunday 03 April 2005 20:50, Ben Laurie wrote:
> Konrad Rosenbaum wrote:
> > Simple: you don't. DSA was designed to be used with SHA-1, which is 160
> > bit. Since SHA-1 is theoretically broken (practically will probably
> > follow in a few months) one should see what the NIST makes of it.
> > Supplanting a broken hash with another hash doesn't make much sense
> > with DSA, since it does not contain the ID of the hash (as PKCS#1 does
> > for RSA) - so any attacker could find a collission with the broken hash
> > and then simply change the hash ID in the signature packet.
>
> The hash does include the ID of the hash, and hence the signature does.

That does not prevent a downgrade attack.

Presume the following scenario:

The signature S is under Text A with hash algorithm H. The hash is deemed 
secure.

So s contains the number of H and the content of A. The structure looks like 
this:

Text packet A
Signature packet S
 Hash number H
 signed(Hash_H(H_number || A)) # or something very similiar

Now we want the signature to refer to Text B and we know that hash algorithm 
X is insecure (and we know how to use that). What we need to do now is we 
need to find a text C that consists of the the number of X, and B plus some 
"random" that is chosen in a way that does not distort the meaning (eg. a 
"geek code block" below the actual eMail text). The structure will look 
like:

Text packet C ( = B || "random")
Signature packet S'
 Hash number X
 signed(Hash_H(H_number || A)) == signed(Hash_X(X_number || C))

...and that all because a weak Hash X will enable us to find a text that 
creates the same hash sum in X that we want to supplant for a hash sum of H 
- regardless of whether we hash the hash number, a "magic" code or my grand 
mothers birthday into it.

MD5 is already beaten down to 33 bit, it is only a question of time till 
SHA-1 is there as well (granted, we'll probably have some months left). 
Currently we are only save because there is no 160-bit Hash in OpenPGP that 
is vulnerable enough to make the attack worthwhile.

The days of DSA with a 160-bit p are counted. Period.


	Konrad

PS.: please view my DSA signature on this mail as my last action of respect 
to DSA. It was a good fellow... ;-)

v2.23.0 | Report a Bug | By Email