Subject: RE: [dss] Comments on Requirements Draft
Trevor,

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: Friday, March 28, 2003 4:11 AM
> To: Robert Zuccherato; 'DSS TC'
> Subject: Re: [dss] Comments on Requirements Draft
>
>
> At 01:51 PM 3/27/2003 -0800, Trevor Perrin wrote:
>
> >At 02:47 PM 3/27/2003 -0500, Robert Zuccherato wrote:
> >
> >>In Section 3.3.2 the statement is made that "Client-side hashing requires
> >>the client to have knowledge of which hash algorithms the server is
> >>capable of signing". I may be missing something obvious, but why? The
> >>client has already calculated the hash, so the DSS does not need to
> >>compute the hash again. It can just take the resultant hash value and
> >>compute the signature. Now, we may eventually want to produce a security
> >>requirement that the DSS should only sign using hashes that it believes
> >>are secure, but that doesn't mean that the server is not capable of
> >>signing it.
> >
> >I think most public-key signature algorithms (PKCS v1.5, PSS) incorporate
> >an OID of the hash algorithm in the data they sign with the private key,
> >or do something similar. If they don't there's a rollback attack where,
> >even though you signed with SHA1, if I can find pre-images on MD4 or
> >something, then I can make a forgery and tell the recipient the message
> >was MD4-hashed (10.1.2 Note 1 in RFC 2313).
> >
> >So if a DSS service doesn't know the OID of your hash algorithm, it might
> >not be able to sign it. I'll add a sentence to explain the rationale.
>
> Sorry, I was wrong. With XML-DSIG or CMS/PKCS#7 the server is going to be
> re-hashing the hash the client sends (to include signed attributes and
> whatever), and signing that. So this requirement doesn't apply. I
> supposed it would apply if we wanted to have a PKCS #1 v1.5 DSS server, but
> that's a pretty special case, so I'll take that requirement out.
I think the requirement is that the service must *know* what hash algorithm has been used by the client, so that it can put this info into the signature, for instance in XMLDSIG:

    <dsig:Reference URI="resource the digest has been calculated over">
      <dsig:DigestMethod Algorithm="digest alg used by the client"/>
      <dsig:DigestValue>the digest calculated by the signer</dsig:DigestValue>
    </dsig:Reference>

/Gregor

> Note that because of the re-hashing, blinding isn't really possible, which
> was something we had discussed, so I left it out of the document, unless
> there's something we should say about it?
>
> Trevor
>
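The two points made in the thread, that the server must know the client's digest algorithm to fill in DigestMethod, and that re-hashing the Reference inside SignedInfo binds that algorithm identifier to the signature so it cannot be swapped afterwards, can be shown in a small script. The example below is added here; it is not code from the DSS TC or from either author. It uses only the Python standard library, real XMLDSIG/XMLENC digest-method URIs, and a simplified SignedInfo without canonicalization (real XMLDSIG applies C14N before hashing); the resource bytes and the `#doc` URI are constructed.

```python
"""Server-side assembly of an XMLDSIG <Reference> from a client-supplied digest.

Constructed example: the client hashes the resource locally and sends the
digest together with the algorithm identifier. The server needs that
identifier to fill in <DigestMethod>; it then hashes the whole SignedInfo
before signing, so the identifier is covered by the signature and a
recipient can only verify with the algorithm the signer actually declared.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# XMLDSIG / XMLENC digest-method URIs mapped to hashlib algorithm names.
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def client_digest(resource: bytes, algorithm_uri: str) -> bytes:
    """Client side: hash the resource with the algorithm the client chose."""
    return hashlib.new(DIGEST_METHODS[algorithm_uri], resource).digest()


def build_reference(uri: str, algorithm_uri: str, digest: bytes) -> str:
    """Server side: the service must know algorithm_uri to emit DigestMethod.

    A digest arriving without a recognised algorithm identifier cannot be
    placed into the signature, which is the requirement discussed above.
    """
    if algorithm_uri not in DIGEST_METHODS:
        raise ValueError(f"unknown or unsupported digest method: {algorithm_uri}")
    ET.register_namespace("dsig", DSIG_NS)
    ref = ET.Element(f"{{{DSIG_NS}}}Reference", URI=uri)
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestMethod", Algorithm=algorithm_uri)
    value = ET.SubElement(ref, f"{{{DSIG_NS}}}DigestValue")
    value.text = base64.b64encode(digest).decode("ascii")
    return ET.tostring(ref, encoding="unicode")


def signed_info_bytes(reference_xml: str, signature_method: str) -> bytes:
    """Server side: the octets that get hashed and signed with the private key.

    Simplified SignedInfo; real XMLDSIG canonicalizes (C14N) this element first.
    Because the Reference (with its DigestMethod) is inside, swapping the
    algorithm identifier after signing changes the signed octets.
    """
    return (
        f'<dsig:SignedInfo xmlns:dsig="{DSIG_NS}">'
        f'<dsig:SignatureMethod Algorithm="{signature_method}"/>'
        f"{reference_xml}</dsig:SignedInfo>"
    ).encode("utf-8")


def verify_reference(reference_xml: str, resource: bytes) -> bool:
    """Recipient: recompute the digest with the algorithm declared in the Reference."""
    ref = ET.fromstring(reference_xml)
    method = ref.find(f"{{{DSIG_NS}}}DigestMethod").get("Algorithm")
    declared = base64.b64decode(ref.find(f"{{{DSIG_NS}}}DigestValue").text)
    if method not in DIGEST_METHODS:
        return False
    actual = hashlib.new(DIGEST_METHODS[method], resource).digest()
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(declared, actual)


if __name__ == "__main__":
    # Constructed resource and URI for the stand-alone run.
    resource = b"<doc>constructed resource</doc>"
    sha256 = "http://www.w3.org/2001/04/xmlenc#sha256"
    ref = build_reference("#doc", sha256, client_digest(resource, sha256))
    print(ref)
    print("verifies:", verify_reference(ref, resource))
```

The check a practitioner cares about is the last one in the test: rewriting the Algorithm attribute to SHA-1 after the fact both breaks digest verification and changes the SignedInfo octets, so a signature computed over the original SignedInfo no longer covers the altered Reference.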