ietf-smime

RE: Protect Algorithm identifiers?

2006-04-18 08:58:32

Nick,

The case that worries me to some extent is the upcoming algorithms with
parameters.  It might be that creating collisions is simpler when you can
play with the parameters than with the body.  This depends in part on how
the keying of the hash function is done.

Jim


-----Original Message-----
From: owner-ietf-smime@mail.imc.org
[mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Nick Pope
Sent: Tuesday, April 18, 2006 2:49 AM
To: jimsch@exmsft.com; ietf-smime@imc.org
Subject: RE: Protect Algorithm identifiers?


Jim,

If the verifier is prepared to accept a weak hash algorithm
whereby a new body value can be created with the same hash
value, how can the algorithm identifier be protected?

Nick Pope

-----Original Message-----
From: owner-ietf-smime@mail.imc.org
[mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Jim Schaad
Sent: 18 April 2006 04:38
To: ietf-smime@imc.org
Subject: Protect Algorithm identifiers?


In the process of reviewing documents dealing with multiple signature
processing, I suddenly realized that we currently do not have any
attribute which lets us verify that the correct digest and signature
algorithms have been used in verifying a SignerInfo.  The question is
do we need to do this?

More details on what I mean:

When you create a signer info you:

1.  Hash the body of the message, place the digest value as a signed
attribute and the digest algorithm into the SignerInfo structure in an
unprotected location.

2.  Create the sequence of signed attributes, hash the value, create a
signature value using your private key and place the signature
algorithm and the signature in unprotected locations.

The signature does not need any additional protection, however one
could change the digest algorithms being used in both the signature
and body digest locations without a verifier being able to know that
it has happened.


The attack I envision would be to find a body that has a digest of the
same length, but uses a different algorithm and update the SignerInfo
structure with the new digest algorithm data and the body with the
updated body.  This would currently be undetectable by a verifier.

Jim
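The following is an added illustration of the gap discussed in this thread; it is not code from the IETF S/MIME working group or from any CMS implementation. It models a SignerInfo as a plain dictionary: the digest algorithm and signature algorithm sit in unprotected fields, while messageDigest sits in the signed attributes. An HMAC over a JSON encoding of the signed attributes stands in for the private-key signature over the DER-encoded attributes, the signed attribute name `algorithmProtection` is an assumption of this demo, and the "colliding" stub in `scenarios()` only simulates the hypothesised case where someone has found a same-length body under a different algorithm; it is not a real collision. The point it shows is that the naive verifier's safety rests entirely on that body not existing, whereas a signed copy of the algorithm identifiers is checked before any hashing takes place.

```python
"""Toy model of CMS SignerInfo verification (added example, not IETF code)."""
import hashlib
import hmac
import json

# Stand-in for the signer's private key: a shared HMAC key keeps the demo
# within the standard library. Constructed value.
SIGNING_KEY = b"demo-signing-key"


def digest(alg: str, data: bytes) -> bytes:
    """Body digest under the named hashlib algorithm."""
    return hashlib.new(alg, data).digest()


def encode_attrs(attrs: dict) -> bytes:
    """Deterministic encoding of the signed attributes (DER stand-in)."""
    return json.dumps(attrs, sort_keys=True).encode()


def sign(attrs_bytes: bytes, sig_alg: str) -> bytes:
    """HMAC stands in for 'hash the attributes, sign with the private key'."""
    return hmac.new(SIGNING_KEY, attrs_bytes, sig_alg).digest()


def make_signer_info(body: bytes, digest_alg: str = "sha256",
                     sig_alg: str = "sha256", protect: bool = False) -> dict:
    """Build a SignerInfo following the two steps described in the thread.
    With protect=True a signed copy of both algorithm identifiers is added
    under the assumed attribute name 'algorithmProtection'."""
    signed_attrs = {
        "contentType": "data",
        "messageDigest": digest(digest_alg, body).hex(),
    }
    if protect:
        signed_attrs["algorithmProtection"] = {
            "digestAlgorithm": digest_alg,
            "signatureAlgorithm": sig_alg,
        }
    return {
        "digestAlgorithm": digest_alg,      # step 1: unprotected location
        "signedAttrs": signed_attrs,
        "signatureAlgorithm": sig_alg,      # step 2: unprotected location
        "signature": sign(encode_attrs(signed_attrs), sig_alg).hex(),
    }


def verify(si: dict, body: bytes, digest_fn=digest):
    """Return (ok, reason). If the signed attributes carry a copy of the
    algorithm identifiers, it is compared with the unprotected fields first,
    so a swapped identifier is rejected without relying on the hash at all."""
    attrs = si["signedAttrs"]
    prot = attrs.get("algorithmProtection")
    if prot is not None and (prot["digestAlgorithm"] != si["digestAlgorithm"]
                             or prot["signatureAlgorithm"] != si["signatureAlgorithm"]):
        return False, "algorithm identifiers differ from signed copy"
    expected = sign(encode_attrs(attrs), si["signatureAlgorithm"])
    if not hmac.compare_digest(expected, bytes.fromhex(si["signature"])):
        return False, "signature mismatch"
    if digest_fn(si["digestAlgorithm"], body).hex() != attrs["messageDigest"]:
        return False, "messageDigest mismatch"
    return True, "ok"


def scenarios(body: bytes = b"constructed message body",
              new_body: bytes = b"substituted body") -> dict:
    """Four verification outcomes; sha256 and sha3_256 both yield 32 bytes,
    matching the 'digest of the same length' condition in the thread."""
    results = {}
    unprotected = make_signer_info(body)
    results["genuine"] = verify(unprotected, body)

    # Unprotected digestAlgorithm swapped, body replaced, signed attrs untouched.
    tampered = dict(unprotected, digestAlgorithm="sha3_256")
    results["tampered_real_hashes"] = verify(tampered, new_body)

    # Simulation only: pretend new_body digests under the swapped algorithm
    # to the original messageDigest (the hypothesised find, not a real one).
    original_md = bytes.fromhex(unprotected["signedAttrs"]["messageDigest"])

    def colliding(alg, data):
        if alg == "sha3_256" and data == new_body:
            return original_md
        return digest(alg, data)

    results["tampered_with_collision"] = verify(tampered, new_body, colliding)

    # Same swap against a SignerInfo whose algorithm identifiers are signed.
    protected = make_signer_info(body, protect=True)
    tampered_protected = dict(protected, digestAlgorithm="sha3_256")
    results["protected_with_collision"] = verify(tampered_protected, new_body, colliding)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

Without the signed copy, the third scenario is accepted: every check the verifier can perform passes once a suitable body exists, which is exactly the blind spot Jim describes. With the copy, the fourth scenario is rejected on the identifier comparison alone, independent of the strength of either hash.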
