Re: Short intro on the K-R attack [Re: private key language]
2005-12-29 16:26:11
Okay, I talked to Hal, and got things explained. The issue is that
when you do a DSA signature, the signature not only uses the private
component, but the public ones as well, and those aren't hashed. So
the question is whether we do something, and if so, what. Here are
some things I thought of:
* When we do a V5 key, it makes sense to hash (or even better, hmac)
the entire public components as well as the private.
* This makes the problem better, but it doesn't solve it. For
example, it would be reasonable for someone to get public components
from the public key packets and only the private ones from the secret
packets. In this case, integrity checks on the secret packets aren't
sufficient.
* There must therefore be some security consideration note that calls
out that implementations need to do consistency checks on keys,
particularly when signing.
I propose that we improve the packets when we do V5, but put in the
security consideration now. Does that sound reasonable?
Jon
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- private key language, Daniel A. Nagy
- Re: private key language, David Shaw
- Re: private key language, Daniel A. Nagy
- Re: private key language, David Shaw
- Re: private key language, Daniel A. Nagy
- Re: private key language, David Shaw
- Re: private key language, Jon Callas
- Short intro on the K-R attack [Re: private key language], Daniel A. Nagy
- Re: Short intro on the K-R attack [Re: private key language], Jon Callas
- Re: Short intro on the K-R attack [Re: private key language], Daniel A. Nagy
- Re: Short intro on the K-R attack [Re: private key language],
Jon Callas <=
- Re: Short intro on the K-R attack [Re: private key language], Daniel A. Nagy
- Re: Short intro on the K-R attack [Re: private key language], Ben Laurie
- Re: Short intro on the K-R attack [Re: private key language], Ian G
|
|
|