[Top] [All Lists]

RE: Protect Algorithm identifiers?

2006-05-02 13:41:12


As I have stated, what really worries me is if one starts to play with the
parameters of the new round of hash algorithms that are being looked at.
There is no protection for these parameters either in the signature or in
the default settings of the validation code.


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Russ 
Sent: Tuesday, May 02, 2006 12:50 PM
To: jimsch(_at_)exmsft(_dot_)com; ietf-smime(_at_)imc(_dot_)org
Subject: Re: Protect Algorithm identifiers?


If the recipient has confidence in the hash algorithm, I do 
not see any problem with the current documents.  I think that 
implementations are going to need to be modified to provide 
an interface for users to indicate which ones are acceptable 
and which ones are not.  The default setting will be vital.


At 11:38 PM 4/17/2006, Jim Schaad wrote:

In the process of reviewing documents dealing with multiple 
processing, I suddenly realized that we currently do not have any 
attribute which lets us verify that the correct digest and signature 
algorithms have been used in verifying a SignerInfo.  The 
question is do we need to do this?

More details on what I mean:

When you create a signer info you:

1.  Hash the body of the message, place the digest value as a signed 
attribute and the digest algorithm into the SignerInfo 
structure in an 
unprotected location.

2.  Create the sequence of signed attributes, hash the 
value, create a 
signature value using your private key and place the signature 
algorithm and the signature in unprotected locations.

The signature does not need any additional protection, however one 
could change the digest algorithms being used in both the 
signature and 
body digest locations without a verifier being able to know 
that it has happened.

The attack I envision would be to find a body that has a 
digest of the 
same length, but uses a different algorithm and update the 
structure with the new digest algorithm data and the body with the 
updated body.  This would currently be undetectable by a verifier.


<Prev in Thread] Current Thread [Next in Thread>