Re: How to Calculate Signatures?
Konrad Rosenbaum <konrad@silmor.de> Wed, 06 April 2005 20:39 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA02174 for <openpgp-archive@lists.ietf.org>; Wed, 6 Apr 2005 16:39:28 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33JYETm054483; Sun, 3 Apr 2005 12:34:14 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j33JYEE6054482; Sun, 3 Apr 2005 12:34:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from p15139323.pureserver.info (silmor.de [217.160.219.75]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33JYDY7054471 for <ietf-openpgp@imc.org>; Sun, 3 Apr 2005 12:34:13 -0700 (PDT) (envelope-from konrad@silmor.de)
Received: from p548c9f4c.dip.t-dialin.net ([84.140.159.76] helo=zaphod.local) by p15139323.pureserver.info with asmtp (Exim 3.35 #1 (Debian)) id 1DIAr5-0000a9-00; Sun, 03 Apr 2005 21:33:56 +0200
From: Konrad Rosenbaum <konrad@silmor.de>
To: Ben Laurie <ben@algroup.co.uk>
Subject: Re: How to Calculate Signatures?
Date: Sun, 03 Apr 2005 21:33:50 +0200
User-Agent: KMail/1.7.2
References: <20050402201614.31E9157EE9@finney.org> <200504031948.22079@zaphod.konrad.silmor.de> <42503B09.8090608@algroup.co.uk>
In-Reply-To: <42503B09.8090608@algroup.co.uk>
Cc: ietf-openpgp@imc.org
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1781299.3IFMXeiy2q"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
Message-Id: <200504032133.54375@zaphod.konrad.silmor.de>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Sunday 03 April 2005 20:50, Ben Laurie wrote: > Konrad Rosenbaum wrote: > > Simple: you don't. DSA was designed to be used with SHA-1, which is 160 > > bit. Since SHA-1 is theoretically broken (practically will probably > > follow in a few months) one should see what the NIST makes of it. > > Supplanting a broken hash with another hash doesn't make much sense > > with DSA, since it does not contain the ID of the hash (as PKCS#1 does > > for RSA) - so any attacker could find a collission with the broken hash > > and then simply change the hash ID in the signature packet. > > The hash does include the ID of the hash, and hence the signature does. That does not prevent a downgrade attack. Presume the following scenario: The signature S is under Text A with hash algorithm H. The hash is deemed secure. So s contains the number of H and the content of A. The structure looks like this: Text packet A Signature packet S Hash number H signed(Hash_H(H_number || A)) # or something very similiar Now we want the signature to refer to Text B and we know that hash algorithm X is insecure (and we know how to use that). What we need to do now is we need to find a text C that consists of the the number of X, and B plus some "random" that is chosen in a way that does not distort the meaning (eg. a "geek code block" below the actual eMail text). The structure will look like: Text packet C ( = B || "random") Signature packet S' Hash number X signed(Hash_H(H_number || A)) == signed(Hash_X(X_number || C)) ...and that all because a weak Hash X will enable us to find a text that creates the same hash sum in X that we want to supplant for a hash sum of H - regardless of whether we hash the hash number, a "magic" code or my grand mothers birthday into it. MD5 is already beaten down to 33 bit, it is only a question of time till SHA-1 is there as well (granted, we'll probably have some months left). Currently we are only save because there is no 160-bit Hash in OpenPGP that is vulnerable enough to make the attack worthwhile. The days of DSA with a 160-bit p are counted. Period. Konrad PS.: please view my DSA signature on this mail as my last action of respect to DSA. It was a good fellow... ;-)
- How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? "Hal Finney"
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? Konrad Rosenbaum
- Re: How to Calculate Signatures? Ian G
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? "Hal Finney"
- Re: How to Calculate Signatures? "Hal Finney"
- Re: How to Calculate Signatures? Ian G
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? Ian G
- Re: How to Calculate Signatures? Ian G
- Re: How to Calculate Signatures? "Hal Finney"
- Re: How to Calculate Signatures? Jon Callas
- Re: How to Calculate Signatures? Jon Callas
- Re: How to Calculate Signatures? Ian G
- Re: How to Calculate Signatures? Jon Callas
- Re: How to Calculate Signatures? Ben Laurie
- Re: How to Calculate Signatures? "Hal Finney"
- Re: How to Calculate Signatures? David Shaw
- Re: How to Calculate Signatures? Jon Callas
- Re: How to Calculate Signatures? David Shaw
- Re: How to Calculate Signatures? Konrad Rosenbaum