>>>>> On Thu, 05 Feb 2015 23:38:16 -0500, David Mandelberg 
>>>>> <da...@mandelberg.org> said:

    David> After reviewing this document, I have one concern below, and
    David> some nits that I'll send to the editor. Otherwise it looks
    David> good to me.

    David> In sections 4.1 and 4.2, there are two different to-be-signed
    David> structures. If I understand correctly, the same router keys
    David> will be used to sign data from both structures. It might be
    David> possible for an attacker to take a valid signature of data
    David> from the structure in 4.2, and present it as a valid
    David> signature of the same bytes interpreted with the structure in
    David> 4.1. I'm not sure anything malicious could be done this way,
    David> but reinterpreting the meaning of signed data seems like a
    David> bad idea to me. It would be easy to prevent this by
    David> prepending both structures with a single byte that MUST BE 0
    David> for 4.1 and MUST BE 1 for 4.2. Apologies if this has already
    David> been discussed and is not an issue.

I don't believe this is a problem.  The signature is calculated by
creating a digest of the data and then creating a signature from that
digest.  I'm definitely not a cryptography expert, but my understanding
of digest functions generally is that with even slightly differing
input, the resulting set of bits should be completely different.
Assuming the digest function chosen is not flawed, there shouldn't be a
set of bits from the digest of 4.1 that could be used to successfully
replace the digest of 4.2, except by chance.

-Mike

-- 
Michael Baer
ba...@tislabs.com

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
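
The concern in the quoted review, shown as an added example that is not part of the original thread or of the draft: when two to-be-signed structures share a key and carry no distinguishing prefix, identical bytes give an identical digest, so one signature verifies under either interpretation. The two layouts, the key, and HMAC-SHA256 as a stand-in for the router key signature are assumptions; the one-byte tags are the 0 and 1 values proposed in the review.

```python
import hashlib
import hmac
import struct

# Hypothetical layouts; the real 4.1 / 4.2 structures are not reproduced here.
FMT_A = ">IIH"   # stand-in for 4.1: target AS, origin AS, flags
FMT_B = ">HII"   # stand-in for 4.2: flags, signer AS, target AS
TAG_A, TAG_B = b"\x00", b"\x01"   # one-byte prefix proposed in the review

KEY = b"constructed-router-key"   # constructed sample key


def sign(tbs: bytes) -> bytes:
    """Digest-then-sign; HMAC-SHA256 stands in for the router key signature."""
    return hmac.new(KEY, hashlib.sha256(tbs).digest(), hashlib.sha256).digest()


def verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(tbs), sig)


def accept_as_a(wire: bytes, sig: bytes, tagged: bool):
    """Verifier that expects layout A; returns the parsed fields or None."""
    tbs = TAG_A + wire if tagged else wire
    if len(wire) != struct.calcsize(FMT_A) or not verify(tbs, sig):
        return None
    return struct.unpack(FMT_A, wire)


def demo():
    # The signer produces a layout-B message (constructed values).
    wire_b = struct.pack(FMT_B, 0x0001, 64500, 64501)
    untagged_sig = sign(wire_b)
    tagged_sig = sign(TAG_B + wire_b)
    # The same bytes and signature are handed to a layout-A verifier.
    return (accept_as_a(wire_b, untagged_sig, tagged=False),
            accept_as_a(wire_b, tagged_sig, tagged=True))


if __name__ == "__main__":
    print(demo())
```

Without the tag, the layout-A verifier accepts the layout-B signature and parses the bytes into different field values; with the tag, the digests differ and verification fails.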
