Nick,
The case that worries me to some extent is the upcoming algorithms with
parameters. It might be that creating collisions is simpler when you can
play with the parameters than with the body. This depends in part on how
the keying of the hash function is done.
Jim
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Nick Pope
Sent: Tuesday, April 18, 2006 2:49 AM
To: jimsch(_at_)exmsft(_dot_)com; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Protect Algorithm identifiers?
Jim,
If the verifier is prepared to accept a weak hash algorithm
whereby a new body value can be created with the same hash
value, how can the algorithm identifier be protected ?
Nick Pope
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Jim
Schaad
Sent: 18 April 2006 04:38
To: ietf-smime(_at_)imc(_dot_)org
Subject: Protect Algorithm identifiers?
In the process of reviewing documents dealing with multiple signature
processing, I suddenly realized that we currently do not have any
attribute which lets us verify that the correct digest and signature
algorithms have been used in verifying a SignerInfo. The question is:
do we need to do this?

More details on what I mean:

When you create a signer info you:

1. Hash the body of the message, place the digest value as a signed
attribute and the digest algorithm into the SignerInfo structure in an
unprotected location.

2. Create the sequence of signed attributes, hash the value, create a
signature value using your private key and place the signature
algorithm and the signature in unprotected locations.

The signature does not need any additional protection; however, one
could change the digest algorithms being used in both the signature
and body digest locations without a verifier being able to know that
it has happened.

The attack I envision would be to find a body that has a digest of the
same length, but uses a different algorithm, and update the SignerInfo
structure with the new digest algorithm data and the body with the
updated body. This would currently be undetectable by a verifier.
Jim
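An added example, not part of the thread, illustrating Jim's point with a simplified SignerInfo: the digestAlgorithm field sits outside the signed attributes, and an HMAC stands in for the private-key signature (a constructed stand-in; the primitive is not the point, only which fields it covers). The optional signed "algorithmProtection" attribute is the remedy the thread is circling, which RFC 6211 later standardised as CMSAlgorithmProtection; the field names and the verifier's reason codes are the example's own.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signer's private key (shared with the verifier).
SIGNING_KEY = b"constructed-demo-key"


def sign_attrs(signed_attrs: dict) -> str:
    """'Signature' over the encoded signed attributes only, as in CMS."""
    encoded = json.dumps(signed_attrs, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, encoded, "sha256").hexdigest()


def make_signer_info(body: bytes, digest_alg: str, protect: bool) -> dict:
    """Simplified SignerInfo. The messageDigest is a signed attribute, but the
    digestAlgorithm identifier is an unprotected field. With protect=True the
    signer additionally records the algorithm in a signed attribute."""
    signed_attrs = {"messageDigest": hashlib.new(digest_alg, body).hexdigest()}
    if protect:
        signed_attrs["algorithmProtection"] = {"digestAlgorithm": digest_alg}
    return {"digestAlgorithm": digest_alg,          # unprotected location
            "signedAttrs": signed_attrs,
            "signature": sign_attrs(signed_attrs)}


def verify(body: bytes, si: dict) -> str:
    """Return 'ok' or the reason the SignerInfo was rejected."""
    attrs = si["signedAttrs"]
    if not hmac.compare_digest(sign_attrs(attrs), si["signature"]):
        return "bad-signature"
    protection = attrs.get("algorithmProtection")
    if protection and protection["digestAlgorithm"] != si["digestAlgorithm"]:
        # The unprotected field contradicts what the signer committed to, so
        # the message is rejected before any body digest is even recomputed.
        return "algorithm-mismatch"
    if hashlib.new(si["digestAlgorithm"], body).hexdigest() != attrs["messageDigest"]:
        # Without the protected attribute this comparison is the only defence,
        # and it is exactly what a same-length colliding body would satisfy.
        return "digest-mismatch"
    return "ok"


def swap_digest_algorithm(si: dict, new_alg: str) -> dict:
    """Edit only the unprotected digestAlgorithm field, leaving the signed
    attributes and signature untouched (the edit the message above envisions)."""
    return {**si, "digestAlgorithm": new_alg}
```

sha256 and sha3_256 both yield 32-byte digests, so the swap below matches the "same length, different algorithm" case in the message; the difference between the two verdicts is whether rejection depends on the body digest at all.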