On 26/11/2014 20:39, Peter Lebbing wrote:
> On 26/11/14 20:31, NdK wrote:
>> Well, IIUC with rhash you're giving the attacker another means to tamper
>> with your message. Unless 'r' is chosen deterministically.
> 'r' is randomly generated for each signature by the /signing/ party. So the
> attacker loses control over the input to the hashing algorithm, and they no
> longer can use collision attacks because they don't know the exact input to the
> hashing algorithm.

Sorry, I've been too concise. I see two problems with randomizing crypto:

1) Who guarantees that the 'r' seen by the receiving party is the same one
generated by the signer? Since it's usually trivially combined with the source
text, I feel it's a huge attack vector.

2) It could be a side channel for leakage (say a smartcard under some control by
some TLA that encrypts the used secret key and some really random bytes and
uses the result as 'r').
BYtE,
 Diego.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users