OASIS Mailing List Archives: dss message

Subject: RE: [dss] Comments on Requirements Draft


Trevor,
   
> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net] 
> Sent: Friday, March 28, 2003 4:11 AM
> To: Robert Zuccherato; 'DSS TC'
> Subject: Re: [dss] Comments on Requirements Draft
> 
> 
> At 01:51 PM 3/27/2003 -0800, Trevor Perrin wrote:
> 
> >At 02:47 PM 3/27/2003 -0500, Robert Zuccherato wrote:
> >
> >>In Section 3.3.2 the statement is made that "Client-side hashing
> >>requires the client to have knowledge of which hash algorithms the
> >>server is capable of signing".  I may be missing something obvious,
> >>but why?  The client has already calculated the hash, so the DSS does
> >>not need to compute the hash again.  It can just take the resultant
> >>hash value and compute the signature.  Now, we may eventually want to
> >>produce a security requirement that the DSS should only sign using
> >>hashes that it believes are secure, but that doesn't mean that the
> >>server is not capable of signing it.
> >
> >I think most public-key signature algorithms (PKCS v1.5, PSS)
> >incorporate an OID of the hash algorithm in the data they sign with the
> >private key, or do something similar.  If they don't there's a rollback
> >attack where, even though you signed with SHA1, if I can find pre-images
> >on MD4 or something, then I can make a forgery and tell the recipient
> >the message was MD4-hashed (10.1.2 Note 1 in RFC 2313).
> >
> >So if a DSS service doesn't know the OID of your hash algorithm, it
> >might not be able to sign it.  I'll add a sentence to explain the
> >rationale.
> 
> Sorry, I was wrong.  With XML-DSIG or CMS/PKCS#7 the server is going to
> be re-hashing the hash the client sends (to include signed attributes
> and whatever), and signing that.  So this requirement doesn't apply.  I
> supposed it would apply if we wanted to have a PKCS #1 v1.5 DSS server,
> but that's a pretty special case, so I'll take that requirement out.

I think the requirement is that the service must *know* what hash
algorithm has been used by the client, so that it can put this info
into the signature, for instance in XMLDSIG:

<dsig:Reference URI="resource the digest has been calculated over">
  <dsig:DigestMethod Algorithm="digest alg used by the client"/>
  <dsig:DigestValue>the digest calculated by the signer</dsig:DigestValue>
</dsig:Reference>


/Gregor


> 
> Note that because of the re-hashing, blinding isn't really possible,
> which was something we had discussed, so I left it out of the document,
> unless there's something we should say about it?
> 
> Trevor
> 
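The following Python script is an added illustration of the point made in this thread and is not code from the DSS TC or from any of the posters. It models a client that hashes locally and reports its digest algorithm, a server that records that algorithm in a dsig:Reference (refusing algorithms outside an assumed acceptance policy, the security requirement Robert mentions), and a verifier that recomputes the digest using the algorithm named in DigestMethod. It also shows Trevor's observation: because the server hashes SignedInfo, which contains the Reference, the algorithm identifier is covered by the signature, so swapping it changes the signing input. The digest-algorithm URIs are the real XMLDSIG/XMLEnc identifiers; the resource URI, the sample data and the acceptance policy are constructed for the example, and the SignedInfo string is a stand-in for proper canonicalization.

```python
"""Added example (not from the thread): recording the client's hash
algorithm in an XMLDSIG <dsig:Reference> on a DSS server."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Real XMLDSIG / XMLEnc digest-method identifiers.
DIGEST_URIS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}
URI_TO_HASH = {uri: name for name, uri in DIGEST_URIS.items()}

# Assumed server policy: only sign digests produced by algorithms it trusts.
SERVER_ACCEPTED = {DIGEST_URIS["sha256"]}


def client_side_hash(data: bytes, alg: str) -> tuple[str, str]:
    """Client hashes locally and sends (algorithm URI, base64 digest)."""
    digest = hashlib.new(alg, data).digest()
    return DIGEST_URIS[alg], base64.b64encode(digest).decode()


def build_reference(resource_uri: str, alg_uri: str, digest_b64: str) -> str:
    """Server side: the Reference must carry the client's algorithm, so the
    server has to *know* it; it also enforces the acceptance policy."""
    if alg_uri not in SERVER_ACCEPTED:
        raise ValueError(f"refusing to sign digest from unaccepted algorithm {alg_uri}")
    ET.register_namespace("dsig", DSIG_NS)
    ref = ET.Element(f"{{{DSIG_NS}}}Reference", URI=resource_uri)
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestMethod", Algorithm=alg_uri)
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestValue").text = digest_b64
    return ET.tostring(ref, encoding="unicode")


def signing_input(reference_xml: str) -> bytes:
    """What the private key actually signs is a hash over SignedInfo, which
    contains the Reference (stand-in for canonicalization). Hence the
    DigestMethod URI is bound by the signature and cannot be swapped later."""
    signed_info = (
        f'<dsig:SignedInfo xmlns:dsig="{DSIG_NS}">{reference_xml}</dsig:SignedInfo>'
    )
    return hashlib.sha256(signed_info.encode()).digest()


def verify_reference(reference_xml: str, data: bytes) -> bool:
    """Verifier recomputes the digest with the algorithm named in DigestMethod
    and rejects Reference elements naming an algorithm it does not know."""
    ref = ET.fromstring(reference_xml)
    method = ref.find(f"{{{DSIG_NS}}}DigestMethod").get("Algorithm")
    value = ref.find(f"{{{DSIG_NS}}}DigestValue").text
    if method not in URI_TO_HASH:
        return False
    recomputed = hashlib.new(URI_TO_HASH[method], data).digest()
    return value == base64.b64encode(recomputed).decode()


if __name__ == "__main__":
    sample = b"constructed sample document"          # constructed input
    alg_uri, digest_b64 = client_side_hash(sample, "sha256")
    reference = build_reference("urn:example:doc", alg_uri, digest_b64)
    print(reference)
    print("verifies:", verify_reference(reference, sample))
    swapped = reference.replace(DIGEST_URIS["sha256"], DIGEST_URIS["sha1"])
    print("signing input changes when algorithm swapped:",
          signing_input(reference) != signing_input(swapped))
```

Running the script prints the Reference element, confirms it verifies against the sample data, and shows that changing only the DigestMethod URI changes the bytes the server would sign; an attempt to sign a SHA-1 digest is rejected by the assumed policy.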
