ietf-smime

Re: SignatureAlgorithmIdentifiers

1998-07-09 21:14:11
"Blake Ramsdell" <blake(_dot_)ramsdell(_at_)worldtalk(_dot_)com> writes:
> > I agree that dsa should be id-dsa-with-sha-1 for security reasons.

> What are the security reasons?  I may not have been paying attention in
> class again, so sorry if this is review.
Any system which uses DSA MUST choose one and only one 
message digest to be used with DSA. Otherwise, imagine
that the attacker has compromised digest A but not 
digest B. He takes a message signed with digest B 
such that B(M)=dB and replaces it with a message M'
such that A(M')=dA=dB=B(M). He also (of course) relabels
the message as using digest A. He's now constructed a
message with a valid signature and content of his choosing.
This attack cannot be mounted against RSA because 
the digest algorithm is part of the signature.

> The idea was that in PKCS #7 v1.5, there was "the thing that you use to
> digest the content [the digest algorithm]" and "the thing that you use
> to unprotect the protected digest value so that you can compare it to
> the thing you got with the thing that you used to digest the content
> [which used to be called the digest encryption algorithm, but is now
> called the signature algorithm, but which possibly should be called the
> digest protection algorithm]".  id-dsa-with-sha1 seems to refer to the
> combination of these two types of algorithms, similar to
> md5WithRSAEncryption.
Yes, I agree. The problem is that the digest algorithm cannot be
independently chosen from the digest protection algorithm when
DSA is used. It can when RSA is used.

I do not, however, agree that we should use fooWithRSAEncryption.
It doesn't provide any obvious benefit that I can see, and
(as noted) has negative backwards compatibility consequences.
Moreover, it leaves open the question of what to do if the
OID in the SignatureAlgorithm doesn't match the OID in the
digestAlgorithm field.

> A message signed with an RSA certificate and digested using the SHA-1
> digest algorithm in current practice has rsaEncryption in the
> signatureAlgorithm, and the digestAlgorithm contains sha-1, so I think
> we are already in a situation that they don't match.
But they're not supposed to match, so that's fine. If we change,
then you should have digestAlgorithm=SHA-1 and signatureAlgorithm=
SHAw/RSA but what if signatureAlgorithm=MD5w/RSA. How should
you behave if you receive such a message? I'd rather skirt
this problem entirely.

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."
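The substitution attack Ekr describes above, carried through in code. This is an added example and is not part of the original thread or of any S/MIME implementation: it implements plain DSA with toy-sized parameters (512-bit p, generated at run time, far too small for real use), models digest B as real SHA-1 and digest A as a constructed "brokenDigest" whose preimage resistance has fallen (it simply returns the first 20 bytes of its input), and compares a verifier that hashes with whatever digestAlgorithm the message claims against one where id-dsa-with-sha1 fixes the digest and a disagreeing digestAlgorithm field is rejected. All function and field names here (verify_unbound, verify_bound, forge, the msg dict layout) are this example's own, not PKCS #7 or S/MIME structures.

```python
"""Added example: unbound DSA verification versus id-dsa-with-sha1 binding,
run against Ekr's digest-substitution attack. Toy DSA sizes; 'brokenDigest'
is a constructed stand-in for a compromised hash."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin for odd n > 2; fine for a demo, not a FIPS generator."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(l_bits=512, n_bits=160):
    """Return (p, q, g) with q | p-1; sizes far too small for real use."""
    while True:
        q = secrets.randbits(n_bits) | (1 << (n_bits - 1)) | 1
        if _is_probable_prime(q):
            break
    while True:  # p = k*q + 1 with k even so that p is odd
        k = (secrets.randbits(l_bits - n_bits) | (1 << (l_bits - n_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == l_bits and _is_probable_prime(p):
            break
    g = pow(2, (p - 1) // q, p)  # equals 1 only with probability ~1/q
    assert g > 1
    return p, q, g

def dsa_sign(params, x, digest):
    """Plain DSA over a 160-bit digest value: which hash produced it never
    enters the computation, which is the whole problem."""
    p, q, g = params
    h = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, digest, sig):
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    h, w = int.from_bytes(digest, "big"), pow(s, -1, q)
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r

# Digest B is real SHA-1. Digest A ('brokenDigest') stands in for a hash whose
# preimage resistance has fallen: it returns the first 20 bytes of its input,
# so any 160-bit target is trivially its own preimage.
DIGESTS = {
    "sha-1": lambda data: hashlib.sha1(data).digest(),
    "brokenDigest": lambda data: data[:20].ljust(20, b"\0"),
}
SIG_ALG_DIGEST = {"id-dsa-with-sha1": "sha-1"}  # what the combined OID pins down

def verify_unbound(params, y, msg):
    """Hashes with whatever digestAlgorithm the message claims: attacker-chosen."""
    return dsa_verify(params, y, DIGESTS[msg["digestAlgorithm"]](msg["content"]),
                      msg["signature"])

def verify_bound(params, y, msg):
    """The signature algorithm identifier fixes the digest; a digestAlgorithm
    field that disagrees is rejected rather than obeyed."""
    expected = SIG_ALG_DIGEST.get(msg["signatureAlgorithm"])
    if expected is None or msg["digestAlgorithm"] != expected:
        return False
    return dsa_verify(params, y, DIGESTS[expected](msg["content"]), msg["signature"])

def forge(msg):
    """Attacker: pick M' with brokenDigest(M') == sha1(M), relabel, keep the sig."""
    target = DIGESTS[msg["digestAlgorithm"]](msg["content"])
    return dict(msg, content=target + b" ... and pay 1,000,000 to Mallory",
                digestAlgorithm="brokenDigest")

def demo():
    params = generate_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private key
    y = pow(g, x, p)                          # public key
    content = b"Transfer 10 dollars to Bob."  # constructed sample message
    msg = {"content": content, "digestAlgorithm": "sha-1",
           "signatureAlgorithm": "id-dsa-with-sha1"}
    msg["signature"] = dsa_sign(params, x, DIGESTS["sha-1"](content))
    forged = forge(msg)
    return {
        "genuine_unbound": verify_unbound(params, y, msg),    # True
        "genuine_bound": verify_bound(params, y, msg),        # True
        "forged_unbound": verify_unbound(params, y, forged),  # True: forgery accepted
        "forged_bound": verify_bound(params, y, forged),      # False: digest is pinned
        "forged_content": forged["content"],
    }
```

Running demo() shows the forged message, which opens with the raw SHA-1 value of the genuine one and ends with attacker text, passing verify_unbound with the original signature untouched, and failing verify_bound. verify_bound also answers the question raised later in the thread about a digestAlgorithm that does not match the signature algorithm: it treats the mismatch as a verification failure rather than picking one of the two.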