>>>>> On Thu, 05 Feb 2015 23:38:16 -0500, David Mandelberg <da...@mandelberg.org> said:

    David> After reviewing this document, I have one concern below, and
    David> some nits that I'll send to the editor. Otherwise it looks
    David> good to me.

    David> In sections 4.1 and 4.2, there are two different to-be-signed
    David> structures. If I understand correctly, the same router keys
    David> will be used to sign data from both structures. It might be
    David> possible for an attacker to take a valid signature of data
    David> from the structure in 4.2, and present it as a valid
    David> signature of the same bytes interpreted with the structure in
    David> 4.1. I'm not sure anything malicious could be done this way,
    David> but reinterpreting the meaning of signed data seems like a
    David> bad idea to me. It would be easy to prevent this by
    David> prepending both structures with a single byte that MUST BE 0
    David> for 4.1 and MUST BE 1 for 4.2. Apologies if this has already
    David> been discussed and is not an issue.

I don't believe this is a problem. The signature is calculated by creating a digest of the data and then creating a signature from that digest. I'm definitely not a cryptography expert, but my understanding of digest functions generally is that with even slightly differing input, the resulting set of bits should be completely different. Assuming the digest function chosen is not flawed, there shouldn't be a set of bits from the digest of 4.1 that could be used to successfully replace the digest of 4.2, except by chance.

-Mike

--
Michael Baer
ba...@tislabs.com
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
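
The reinterpretation concern and the one-byte prefix proposed in the quoted review, worked through as an added example that is not part of the original thread or of the draft. The two layouts, the key, the sample values and all function names are hypothetical, and HMAC-SHA256 stands in for the router's digest-then-sign operation so the block runs with the standard library only.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins: these are NOT the draft's real 4.1/4.2 layouts.
LAYOUT_41 = ">IHH"   # hypothetical: one 32-bit field, then two 16-bit fields
LAYOUT_42 = ">HHI"   # hypothetical: two 16-bit fields, then one 32-bit field
TAG_41, TAG_42 = b"\x00", b"\x01"   # prefix byte proposed in the review

ROUTER_KEY = b"constructed-demo-key"  # stand-in for a router's signing key


def sign(data: bytes) -> bytes:
    """Digest-then-sign; HMAC-SHA256 stands in for the router signature."""
    digest = hashlib.sha256(data).digest()
    return hmac.new(ROUTER_KEY, digest, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def sign_42(fields, tagged: bool) -> bytes:
    """Signer for structure 4.2, with or without the type prefix byte."""
    body = struct.pack(LAYOUT_42, *fields)
    return sign((TAG_42 if tagged else b"") + body)


def accept_as_41(body: bytes, sig: bytes, tagged: bool):
    """Verifier for structure 4.1: returns parsed fields, or None if rejected."""
    signed = (TAG_41 if tagged else b"") + body
    if not verify(signed, sig):
        return None
    return struct.unpack(LAYOUT_41, body)


def demo():
    fields_42 = (0x0001, 0xFDE8, 0x0000FDE9)      # constructed sample values
    body = struct.pack(LAYOUT_42, *fields_42)     # the bytes the signer saw
    untagged = accept_as_41(body, sign_42(fields_42, False), tagged=False)
    tagged = accept_as_41(body, sign_42(fields_42, True), tagged=True)
    return untagged, tagged


if __name__ == "__main__":
    print(demo())
```

Without the prefix, the 4.1 verifier accepts the bytes signed as 4.2 and parses them as different field values, because identical bytes produce an identical digest; with the prefix, the same signature is rejected.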