I think you are right. My bad.

Daniel Kahn Gillmor wrote:
> (dredging this up from a week ago because i was re-thinking it today)
>
> On 05/04/2009 06:04 PM, Daniel A. Nagy wrote:
>> For fingerprints, MDC and self-signatures, collision-resistance does not matter,
>> only the one-way property. So I think it is totally safe to postpone discussion
>> until SHA3 is selected.
>
> I think this point holds for fingerprints and MDCs. I'm not convinced
> that it holds for self-signatures, though.
>
> Let's assume Alice has an SHA-1 collision-generator that she can coax
> into generating two messages, A and B with the same digest, and that she
> is meeting Bob for a keysigning at the pub on Friday.
>
> She crafts message A, which looks like a regular public key/uid
> signature, including friday evening's timestamp and her User ID (this is
> exactly the information to be hashed in a non-self-signature -- maybe it
> hides the collision-generating bits in one of the public key MPIs?).
> Message B is the data within a self-signature over Bob's key, asserting
> something Bob didn't want to assert (e.g. binding a user ID of a known
> villain, or binding a false encryption subkey which Alice controls).
> The collision-generating bits in B might be hidden here in a notation
> subpacket or something similarly opaque.
>
> At the pub, Alice gets Bob to sign her key (message A) at just the right
> time, retrieves his signature, and transfers it to the new bogus
> self-sig (message B).
>
> I think this means we need to consider self-signatures made over a given
> algorithm as potentially spoofable if the digest's collision-resistance
> is weakened. It is *not* just the one-wayness that matters for self-sigs.
>
> Is this analysis reasonable? What have i missed?
>
> --dkg
>
> PS i know that no one has demonstrated anything remotely close to the
> hypothesized oracle i've given Alice above. The point is just that
> collision-resistance affects self-sigs in ways that it does not affect
> the MDC or the fingerprint.
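The following is an added toy model of the scenario quoted above; it is not code from this thread or from any OpenPGP implementation. It replaces SHA-1 with a deliberately weak 16-bit digest (so that a collision is cheap to find by a birthday search) and a textbook RSA signature over a constructed, hard-coded key, and simplifies the two OpenPGP packets to byte strings with an opaque trailing field standing in for the MPI or notation subpacket. The names `cert_over_alice_key`, `bogus_self_sig_over_bob_key`, the digest ids `weak16`/`strong64` and the policy set are all assumptions of this example. It shows that Bob's signature over message A verifies unchanged over message B because the signature only ever sees the digest, and that a verifier-side policy which refuses certification and self-signatures made over a digest algorithm whose collision resistance is in doubt stops the transfer regardless of what the two messages contain.

```python
"""Toy model of signature transfer via a digest collision (constructed example)."""
import hashlib

# Two digest "algorithms": both are prefixes of SHA-256, one short enough that a
# collision is found in a fraction of a second, one out of reach of the brute-force
# search below. The short one stands in for a hash with broken collision resistance.
DIGEST_BITS = {"weak16": 16, "strong64": 64}


def digest(algo: str, data: bytes) -> int:
    nbytes = DIGEST_BITS[algo] // 8
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")


# Textbook RSA over a constructed key made of two known primes (2^61-1 and 2^31-1).
# This is a toy, not a real key; it only needs a modulus larger than any digest.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(algo: str, data: bytes) -> tuple:
    """Signs the digest only; the signature cannot distinguish colliding inputs."""
    return (algo, pow(digest(algo, data), D, N))


def verify(sig: tuple, data: bytes) -> bool:
    algo, s = sig
    return pow(s, E, N) == digest(algo, data)


# Simplified stand-ins for the two packets in the scenario. The trailing 4-byte
# field is the opaque region (a key MPI in A, a notation subpacket in B) where the
# collision-generating bits live.
def cert_over_alice_key(filler: int) -> bytes:
    return b"CERT|key=alice|uid=Alice|time=friday|mpi=" + filler.to_bytes(4, "big")


def bogus_self_sig_over_bob_key(filler: int) -> bytes:
    return (b"SELFSIG|key=bob|bind-subkey=alice-controlled|notation="
            + filler.to_bytes(4, "big"))


def find_collision(algo: str = "weak16", limit: int = 1 << 17) -> tuple:
    """Birthday search: one message of each kind with the same (weak) digest."""
    seen_a, seen_b = {}, {}
    for i in range(limit):
        a, b = cert_over_alice_key(i), bogus_self_sig_over_bob_key(i)
        da, db = digest(algo, a), digest(algo, b)
        if da == db:
            return a, b
        if da in seen_b:
            return a, seen_b[da]
        if db in seen_a:
            return seen_a[db], b
        seen_a[da], seen_b[db] = a, b
    raise RuntimeError("no collision within limit")


# Verifier-side mitigation: the digest algorithm id carried in the signature is
# part of the trust decision. Certifications and self-signatures over an algorithm
# not in this set are rejected before any cryptographic check runs.
ACCEPTED_FOR_CERTIFICATIONS = frozenset({"strong64"})


def verify_with_policy(sig: tuple, data: bytes) -> bool:
    algo, _ = sig
    if algo not in ACCEPTED_FOR_CERTIFICATIONS:
        return False
    return verify(sig, data)


def demonstrate() -> dict:
    a, b = find_collision("weak16")
    weak_sig = sign("weak16", a)      # Bob certifies Alice's key at the pub
    strong_sig = sign("strong64", a)  # same act under an intact digest
    return {
        "distinct": a != b,
        "weak_verifies_on_A": verify(weak_sig, a),
        "weak_verifies_on_B": verify(weak_sig, b),        # the transfer succeeds
        "strong_verifies_on_A": verify(strong_sig, a),
        "strong_verifies_on_B": verify(strong_sig, b),    # no collision here
        "policy_rejects_weak_sig": not verify_with_policy(weak_sig, a),
        "policy_accepts_strong_on_A": verify_with_policy(strong_sig, a),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The point the model makes is dkg's: the fingerprint and MDC checks compare a digest the verifier computes itself against a value it already holds, so only preimage resistance is in play, whereas a signature is an assertion over whatever bytes produce that digest, so any second preimage or collision lets the assertion be moved. The policy function is the practical defence: treat the digest algorithm in self-signatures and certifications as part of what is being trusted, not as an implementation detail.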