Sven Radde wrote:
> I am paranoid, too. Could someone therefore please explain to me what a
> hash firewall actually is (possibly off-list)?
In an RSA signature, data about what algorithm was used in a signature is, itself, part of the signed data. You can't lie about a signature algorithm without tampering with the message and making the signature fail to verify. In DSA, the data is not part of the signed data. This allows you to lie.

This has potential problems if one of the supported hashes becomes so catastrophically weak that second-preimage attacks become feasible. SHA-1 may be basically dead as far as crypto goes, but it is a _long_ way from a second-preimage attack.

The paranoid interpretation of this:

Let's speculate that tomorrow, Shengdong University continues their trend of eye-popping crypto research and announces a second-preimage attack against SHA-1. You migrate to RIPEMD160 or truncated SHA256 or what-have-you as a result. An attacker wants to forge one of your new RIPEMD160-based signatures.

An attacker gets a good RIPEMD160-based signature from you. This is basically one very long binary sequence, which says "hey, if the message you're reading hashes out to this binary sequence, then yes, it's for real."

I construct a new message, saying "I, Sven Radde, agree to pay Rob Hansen one frosty cold pint of bitters." I wave the dead chicken over it, or whatever Shengdong U. says I have to do, in order to make it hash out to the exact same binary sequence as the one your signature says is authentic. I lift your RIPEMD160 signature and place it on my new forged message. I proceed to then lie and say "This message used SHA-1 as a digest."

I give it to your local barkeep. He looks at the message, SHA-1s it, gets the binary sequence I constructed. He compares it against your signature block, which says "hey, if the message you're reading hashes out to this binary sequence, then yes, it's for real." Your barkeep pours me a nice cold frosty pint of bitters--hey, I'm a barbaric American and I drink my beer _cold_, thank you very much--and puts the bill for it on your tab.
I have now defrauded you by using a forged message. And it's all made possible by the lack of a hash function firewall.

The practical paranoid interpretation of this:

A second-preimage attack on SHA-1 would be a mathematical advance of such massive proportions that worrying about its consequences for DSA signatures is kind of dumb. If you stay up late at night wondering what will ever happen to "Deal Or No Deal" in the days after a meteor hits Earth, then you're probably the type of person who worries about what happens to DSA signatures after a second-preimage attack on SHA1. The rest of the world, however, will have much more important things to worry about.

...

Personally, I myself subscribe to the practical paranoid view.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
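The barkeep scenario above, replayed in code as an added example (this is not code from the post, from GnuPG, or from either correspondent). The toy DSA verifier has to be told which hash to use by unsigned metadata, so a signature made over truncated SHA-256 verifies against a different message once the attacker says "this used SHA-1"; the PKCS#1 v1.5 encoding that RSA signs carries the hash algorithm's OID inside the signed bytes, so the same lie fails before the digest is even compared. Everything specific here is my assumption: the textbook DSA parameters (q = 101, so small that the "second-preimage attack" can be brute-forced, standing in for the hypothetical break), the fixed private key, the constructed messages, and the RSA side reduced to the recover-and-compare step of PKCS#1 v1.5 verification with the modular exponentiation left out because it does not affect the point.

```python
"""Added example: DSA with no hash firewall vs. the PKCS#1 v1.5 DigestInfo.
All parameters, keys and messages are constructed for the demo (assumptions)."""
import hashlib

# --- toy DSA parameters (assumption: far too small for real use) ---
P, Q = 7879, 101                      # both prime, Q divides P - 1
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, P)) if g != 1)
assert pow(G, Q, P) == 1              # G has order Q

# Hash menu. "sha1" plays the hash we suppose has been broken;
# "sha256-160" (SHA-256 truncated to 160 bits) is the replacement.
HASHES = {
    "sha1": lambda m: hashlib.sha1(m).digest(),
    "sha256-160": lambda m: hashlib.sha256(m).digest()[:20],
}

def hash_to_int(alg, msg):
    """DSA consumes the digest as an integer reduced mod Q."""
    return int.from_bytes(HASHES[alg](msg), "big") % Q

def dsa_sign(x, alg, msg):
    """Textbook DSA. The nonce k is walked deterministically (assumption, for a
    repeatable demo); real code must draw a fresh random k per signature."""
    h = hash_to_int(alg, msg)
    for k in range(2, Q):
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r and s:
            return r, s               # note: nothing in (r, s) records `alg`
    raise RuntimeError("no usable nonce")

def dsa_verify(y, claimed_alg, msg, sig):
    """The verifier must take the hash algorithm from unsigned packet data."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(claimed_alg, msg) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

def forge_second_preimage(target, weak_alg, strong_alg, template):
    """Stand-in for the hypothetical second-preimage attack: brute-force a
    message whose weak-hash value (mod Q) equals the target. Feasible only
    because Q is tiny. The strong-hash check just keeps the demo unambiguous."""
    for n in range(100_000):
        m = template % n
        if hash_to_int(weak_alg, m) == target and hash_to_int(strong_alg, m) != target:
            return m
    raise RuntimeError("no second preimage found")

# --- PKCS#1 v1.5 side: DigestInfo prefixes from RFC 8017, section 9.2 ---
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def pkcs1_encode(alg, msg):
    """The bytes an RSA signer actually signs: algorithm OID plus digest."""
    return DIGEST_INFO[alg] + getattr(hashlib, alg)(msg).digest()

def rsa_style_verify(recovered_em, claimed_alg, msg):
    """RSA verification recovers EM from the signature (sig^e mod n, omitted
    here) and compares it with the encoding expected for the *claimed*
    algorithm; if the claim is a lie, the OID bytes already differ."""
    return recovered_em == pkcs1_encode(claimed_alg, msg)

# --- the story, replayed (key and messages constructed for the demo) ---
X = 75                                # Sven's toy private key (assumption)
Y = pow(G, X, P)
ORIGINAL = b"Meeting moved to Thursday. -- Sven"
TEMPLATE = b"I, Sven Radde, agree to pay Rob Hansen one frosty cold pint of bitters. #%d"

SIG = dsa_sign(X, "sha256-160", ORIGINAL)
TARGET = hash_to_int("sha256-160", ORIGINAL)
FORGED = forge_second_preimage(TARGET, "sha1", "sha256-160", TEMPLATE)

def replay():
    """Returns (genuine DSA, forged DSA checked honestly, forged DSA with the
    'it was SHA-1' lie, forged message against the RSA-style encoding)."""
    em = pkcs1_encode("sha256", ORIGINAL)  # what Sven's RSA signature would wrap
    return (
        dsa_verify(Y, "sha256-160", ORIGINAL, SIG),  # True: genuine signature
        dsa_verify(Y, "sha256-160", FORGED, SIG),    # False: honest check rejects
        dsa_verify(Y, "sha1", FORGED, SIG),          # True: barkeep was told "SHA-1"
        rsa_style_verify(em, "sha1", FORGED),        # False: OID in EM says SHA-256
    )

if __name__ == "__main__":
    print(replay())
```

The third tuple element is the whole point: the DSA pair (r, s) is consistent with any message whose hash, under any algorithm the verifier can be talked into using, reduces to the same integer mod q. With a real 160- or 256-bit q that only helps an attacker who can find second preimages for the weaker hash, which is why the post calls the risk theoretical; the toy q makes the brute force instant so the mechanism can be seen end to end.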