On 28/01/2017 07:51, Peter Gutmann wrote:
> Jakob Bohm <jb-mozi...@wisemo.com> writes:
>
>> DSA and ECDSA signatures are only secure if the hash algorithm is specified
>> in the certificate, presumably as part of the AlgorithmIdentifier in the
>> SubjectPublicKeyInfo.
>
> It's in the (badly-named) signature field of the cert, if it was in the
> signatureAlgorithm it wouldn't be covered by the sig.  Having said that, I
> don't know how many implementations actually check whether what's in the
> signature corresponds to the signatureAlgorithm, I tried it many years ago
> (md5With... vs sha1With...) and nothing much seemed to notice, as long as the
> signatureAlgorithm was the one that was correct for the signature.


Actually, it is more fundamental than that.  Using a compromised hash
(such as MD2) over a data item that contains the identifier "MD2" does
not require the signature made on the MD2 value to actually indicate
that it is a signature on an MD2 value.

An (EC)DSA signature signs a "hash value" disembodied from the identity
of that hash algorithm.  Thus a signature on an SHA-3-256 value M is an
equally valid signature on a CRAP-256 value M, and thus on anything that
can (through the insecurity of the hypothetical CRAP algorithm) be made
to have that hash value, including messages saying that this signature
is supposed to be made with the CRAP algorithm.

Therefore, an (EC)DSA public key must specify both the group parameters
(such as P-521) AND the hash algorithm in order to be fully specified.

In contrast, the PKCS#1 RSA signature formats do include the hash
algorithm identifier separately from the hash value, thus allowing safe
use of a SHA-512 certified RSA key to sign an SHA-256 hash value as
part of a protocol exchange.

Surprised you didn't know that, considering who you are.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
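An added example, not part of the thread, that shows the distinction Jakob draws above with the Python `cryptography` library: an ECDSA signature over a 32-byte digest verifies unchanged whether the verifier labels that digest "SHA-256" or "SHA3-256", whereas the PKCS#1 v1.5 block recovered from an RSA signature carries the DigestInfo prefix naming the hash, so a verifier expecting a different hash finds a mismatch. The sample message is constructed; the two DER prefixes are the standard DigestInfo encodings for SHA-256 and SHA3-256.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa, utils

# Constructed sample message.  SHA-256 and SHA3-256 both yield 32 bytes, so
# one digest buffer can be presented to a verifier under either name.
MESSAGE = b"constructed sample: transfer 10 EUR to account A"

# DigestInfo prefixes that PKCS#1 v1.5 places in front of the hash value
# (SEQUENCE { AlgorithmIdentifier, OCTET STRING }); only the OID differs.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
DIGESTINFO_SHA3_256 = bytes.fromhex("3031300d060960864801650304020805000420")


def ecdsa_hash_binding(message: bytes) -> tuple[bool, bool]:
    """Sign a SHA-256 digest with ECDSA, then verify the same bytes under
    two hash labels.  Returns (verifies_as_sha256, verifies_as_sha3_256)."""
    key = ec.generate_private_key(ec.SECP256R1())
    digest = hashlib.sha256(message).digest()
    sig = key.sign(digest, ec.ECDSA(utils.Prehashed(hashes.SHA256())))

    def verifies_as(algo: hashes.HashAlgorithm) -> bool:
        try:
            key.public_key().verify(sig, digest, ec.ECDSA(utils.Prehashed(algo)))
            return True
        except InvalidSignature:
            return False

    # Nothing in the signature records which algorithm produced the digest.
    return verifies_as(hashes.SHA256()), verifies_as(hashes.SHA3_256())


def rsa_hash_binding(message: bytes) -> tuple[bool, bool]:
    """Sign the same digest with RSA PKCS#1 v1.5, recover the encoded block
    EM = sig^e mod n with the public key, and report which DigestInfo prefix
    precedes the hash.  Returns (labelled_sha256, labelled_sha3_256)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    digest = hashlib.sha256(message).digest()
    sig = key.sign(digest, padding.PKCS1v15(), utils.Prehashed(hashes.SHA256()))
    pub = key.public_key().public_numbers()
    em = pow(int.from_bytes(sig, "big"), pub.e, pub.n).to_bytes(256, "big")
    # The signed block names the hash, so a SHA3-256 verifier rejects it.
    return (em.endswith(DIGESTINFO_SHA256 + digest),
            em.endswith(DIGESTINFO_SHA3_256 + digest))


if __name__ == "__main__":
    print("ECDSA accepts as (SHA-256, SHA3-256):", ecdsa_hash_binding(MESSAGE))
    print("RSA block labelled (SHA-256, SHA3-256):", rsa_hash_binding(MESSAGE))
```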
