Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11

[Michael Baer <baerm@tislabs.com>]

>>>>> On Thu, 05 Feb 2015 23:38:16 -0500, David Mandelberg <david@mandelberg.org> said:

    David> After reviewing this document, I have one concern below, and
    David> some nits that I'll send to the editor. Otherwise it looks
    David> good to me.

    David> In sections 4.1 and 4.2, there are two different to-be-signed
    David> structures. If I understand correctly, the same router keys
    David> will be used to sign data from both structures. It might be
    David> possible for an attacker to take a valid signature of data
    David> from the structure in 4.2, and present it as a valid
    David> signature of the same bytes interpreted with the structure in
    David> 4.1. I'm not sure anything malicious could be done this way,
    David> but reinterpreting the meaning of signed data seems like a
    David> bad idea to me. It would be easy to prevent this by
    David> prepending both structures with a single byte that MUST BE 0
    David> for 4.1 and MUST BE 1 for 4.2. Apologies if this has already
    David> been discussed and is not an issue.

I don't believe this is a problem.  The signature is calculated by
creating a digest of the data and then creating a signature from that
digest.  I'm definitely not a cryptography expert, but my understanding
of digest functions generally is that with even slightly differing
input, the resulting set of bits should be completely different.
Assuming the digest function chosen is not flawed, there shouldn't be a
set of bits from the digest of 4.1 that could be used to successfully
replace the digest of 4.2, except by chance.

-Mike

-- 
Michael Baer
baerm@tislabs.com