ietf-openpgp

Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-01.txt

2000-10-03 16:14:06
I added the following two paragraphs to Security Considerations that
address this issue:

There is a potential security problem in signatures. If an attacker can
find a message that hashes to the same hash with a different algorithm, a
bogus signature structure can be constructed that evaluates correctly.

For example, suppose Alice DSA signs message M using hash algorithm H.
Suppose that Mallet finds a message M' that has the same hash value as M
with H'. Mallet can then construct a signature block that verifies as
Alice's signature of M' with H'. However, this would also constitute a
weakness in either H or H' or both. Should this ever occur, a revision will
have to be made to this document to revise the allowed hash algorithms.
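
An added illustration of the scenario in the quoted paragraphs, not part of the original message or the draft. The toy DSA group, the key, and the hashes truncated to 16 bits are constructed assumptions standing in for a break of H or H', and all function names are hypothetical. The last check shows the relabeled signature being rejected once H' is removed from the allowed hash algorithms.

```python
import hashlib
from itertools import count

# Constructed toy DSA group, far too small for real use: Q divides P-1, G has order Q.
P, Q, G = 607, 101, 64
X = 57                      # Alice's private key (constructed)
Y = pow(G, X, P)            # Alice's public key

def toy_hash(alg: str, msg: bytes) -> int:
    # Truncating to 16 bits stands in for a hash that has actually been broken.
    return int.from_bytes(hashlib.new(alg, msg).digest()[:2], "big")

def sign(alg: str, msg: bytes) -> dict:
    z = toy_hash(alg, msg)
    for k in range(1, Q):   # deterministic nonce search: acceptable only in a toy
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + X * r) % Q
        if r and s:
            return {"alg": alg, "r": r, "s": s}
    raise ValueError("no usable nonce")

def verify(sig: dict, msg: bytes, allowed=("sha1", "sha256")) -> bool:
    # In this toy model the algorithm label travels beside (r, s); DSA covers only the digest.
    if sig["alg"] not in allowed or not (0 < sig["r"] < Q and 0 < sig["s"] < Q):
        return False
    w = pow(sig["s"], -1, Q)
    u1, u2 = toy_hash(sig["alg"], msg) * w % Q, sig["r"] * w % Q
    return pow(G, u1, P) * pow(Y, u2, P) % P % Q == sig["r"]

def relabel(sig: dict, msg: bytes, other_alg: str):
    # Find M' with H'(M') == H(M), then reuse (r, s) under the other algorithm label.
    target = toy_hash(sig["alg"], msg)
    for i in count():
        m2 = b"constructed message %d" % i
        if toy_hash(other_alg, m2) == target:
            return {**sig, "alg": other_alg}, m2

def demo():
    m = b"message M signed by Alice"
    sig = sign("sha1", m)                       # H  = sha1 (truncated)
    forged, m2 = relabel(sig, m, "sha256")      # H' = sha256 (truncated)
    # (original verifies, relabeled block verifies, rejected once H' is disallowed)
    return verify(sig, m), verify(forged, m2), verify(forged, m2, allowed=("sha1",))

if __name__ == "__main__":
    print(demo())
```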