
RE: Protect Algorithm identifiers?

2006-04-18 03:11:32

Jim,

If the verifier is prepared to accept a weak hash algorithm whereby a new
body value can be created with the same hash value, how can the algorithm
identifier be protected ?

Nick Pope

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Jim Schaad
Sent: 18 April 2006 04:38
To: ietf-smime(_at_)imc(_dot_)org
Subject: Protect Algorithm identifiers?

In the process of reviewing documents dealing with multiple signature
processing, I suddenly realized that we currently do not have any attribute
which lets us verify that the correct digest and signature algorithms have
been used in verifying a SignerInfo.  The question is do we need to do this?

More details on what I mean:

When you create a signer info you:

1.  Hash the body of the message, place the digest value as a signed
attribute and the digest algorithm into the SignerInfo structure in an
unprotected location.

2.  Create the sequence of signed attributes, hash the value, create a
signature value using your private key and place the signature algorithm and
the signature in unprotected locations.

The signature does not need any additional protection, however one could
change the digest algorithms being used in both the signature and body
digest locations without a verifier being able to know that it has happened.

The attack I envision would be to find a body that has a digest of the same
length, but uses a different algorithm and update the SignerInfo structure
with the new digest algorithm data and the body with the updated body.  This
would currently be undetectable by a verifier.

Jim
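As an added illustration (not part of this thread and not real CMS code), a toy Python verifier contrasting the two checks discussed above: one that trusts the unprotected digestAlgorithm field, and one that first compares it against a copy carried inside the signed attributes and applies an accepted-algorithm policy, which is the approach RFC 6211's CMSAlgorithmProtection attribute later standardized. An HMAC under a constructed key stands in for the private-key signature, and JSON with sorted keys stands in for DER encoding.

```python
import hashlib
import hmac
import json

# Verifier policy: digest algorithms this verifier is willing to accept at all.
ALLOWED_DIGESTS = {"sha256", "sha3_256"}
# Constructed demo key: an HMAC stands in for the private-key signature.
SIM_KEY = b"constructed-demo-key"


def _canon(attrs: dict) -> bytes:
    """Canonical encoding of the signed attributes (JSON here instead of DER)."""
    return json.dumps(attrs, sort_keys=True).encode()


def sign(body: bytes, digest_alg: str = "sha256") -> dict:
    """Build a toy SignerInfo; the algorithm identifiers are also copied into
    the signed attributes so the signature covers them (hypothetical layout)."""
    signed_attrs = {
        "message-digest": hashlib.new(digest_alg, body).hexdigest(),
        "algorithm-protection": {"digest": digest_alg,
                                 "signature": "hmac-" + digest_alg},
    }
    return {
        "digestAlgorithm": digest_alg,               # unprotected field
        "signatureAlgorithm": "hmac-" + digest_alg,  # unprotected field
        "signedAttrs": signed_attrs,
        "signature": hmac.new(SIM_KEY, _canon(signed_attrs), digest_alg).hexdigest(),
    }


def verify_naive(si: dict, body: bytes) -> bool:
    """Trusts the unprotected identifiers: whatever algorithm the structure
    names is used to recompute the body digest and to check the signature."""
    alg = si["digestAlgorithm"]
    try:
        if hashlib.new(alg, body).hexdigest() != si["signedAttrs"]["message-digest"]:
            return False
        expected = hmac.new(SIM_KEY, _canon(si["signedAttrs"]), alg).hexdigest()
    except ValueError:  # unknown algorithm name
        return False
    return hmac.compare_digest(expected, si["signature"])


def verify_bound(si: dict, body: bytes) -> bool:
    """Rejects before touching the body unless the unprotected identifiers
    match the signed copy and the digest algorithm is allowed by policy."""
    prot = si["signedAttrs"].get("algorithm-protection")
    if prot is None or si["digestAlgorithm"] not in ALLOWED_DIGESTS:
        return False
    if prot["digest"] != si["digestAlgorithm"] or prot["signature"] != si["signatureAlgorithm"]:
        return False
    return verify_naive(si, body)
```

With the bound check, swapping the unprotected digestAlgorithm to another 32-byte algorithm is rejected no matter what body accompanies it, and a SignerInfo that consistently uses an algorithm outside the policy is rejected even though the naive check accepts it.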