ietf-openpgp
[Top] [All Lists]

Re: Hash Collision Shield (subpacket def)

2005-02-17 18:51:33

This hash collision shield is an interesting idea, but to work the random
data has to be hashed first, before the other data that is signed.
Otherwise if the data being signed is hashed first, and it has a
collision, the collision will still be valid when the random data is
hashed later.  That's because of how these hash functions work.

But we could specify it to work this way: we'd have a subpacket with
the random data, and its meaning is that this stuff gets hashed first
when we do the signature calculation.  We'd be changing the rules for
how signatures are calculated.  We could set the critical bit on the
subpacket to indicate that the sig won't be verifiable by software which
doesn't recognize that subpacket type.  We could even put the subpacket
into the unhashed region since there is no reason to hash it again.
OTOH it doesn't hurt to do so.

There are some down sides to putting random data into signatures.  See
http://www.educatedguesswork.org/movabletype/archives/2005/02/next_steps_for_1.html
for some discussion of the pros and cons.

Hal Finney


<Prev in Thread] Current Thread [Next in Thread>