DSA2
Robert J. Hansen
rjh at sixdemonbag.org
Thu Sep 21 20:47:50 CEST 2006
Nicholas Cole wrote:
> Thanks for this. What is a "hash function firewall",
> for those of us who are mere mortals? :)
In the real world we don't sign an entire message with our private key.
Instead we take a hash of the message and sign the hash. Then we post
the original message and our signature. Other people can hash the
original message and compare it against our signed hash. If the two
compare identically, then clearly it's a good signature, right?
But there's one detail we're handwaving. How do you know what hash
algorithm to use? There has to be some piece of data telling you "use
SHA512" or "use SHA-1" or...
Let's think of an attack against this scheme. Let's say that our
message format puts _in the message_ "use SHA-512" or whatever, and
there's no data _in the signature_ about what hash was used. Let's also
say that I'm using a good hash algorithm, RIPEMD-128 [*].
How could you use the fact our format puts the hash data in the message
to your advantage?
Hmm. Well, you could use a very weak hash algorithm, such as MD4 [**].
You take a good signature off a message I've already signed, and you
construct a forged message whose MD4 hash comes out identical to the
RIPEMD-128 hash of my original (good) message.
"Hi!" the message now reads. "This is Rob, and I'd like to donate
megabucks to the Society of Evil Geniuses Working Together For a Better
Tomorrow. Please empty my bank account. Hail Eris! Hail Discordia!
Oh, and use MD4 to verify this message."
You then take your forged message to the bank. They verify the (forged)
signature to recover the original hash value. _They have no way of
knowing it was originally a RIPEMD-128 hash_. So when they MD4-hash the
message and see it's identical to the hash value in the signature, the
bank takes it as a valid digital signature and empties my bank account.
That's what it means for a signature scheme to lack a hash function
firewall. A good hash function firewall makes this impossible.
A hash function firewall means the signature carries data about itself,
protected by a digital signature to make it tamper-resistant. If, in
our previous example, the signature said "use RIPEMD-128", the bank
would know to use the right hash algorithm... a strong one, resistant to
cryptanalytic attacks.
Without a hash function firewall, any critical compromise of any hash
algorithm in the signature system puts the entire system in jeopardy.
With a hash function firewall, only signatures using that compromised
hash algorithm are jeopardized.
This is why some critics think signing keys need to support firewalling.
I don't know off the top of my head whether DSA supports firewalled hash
functions or not. I believe that the last time I checked the spec, I
came to the conclusion it did not.
RSA signing keys, on the other hand, do support firewalling.
This entire post has been a tremendous simplification of an esoteric
area of cryptology. There are a great many nuances to the subject. I
also haven't taken a magnifying glass to the OpenPGP spec in at least
eighteen months, maybe more; things may have changed since then.
Corrections from people who are up-to-date on the latest revision of the
spec are always appreciated.
[*] RIPEMD-128 is a 128-bit shortening of RIPEMD-160. It is at present
believed cryptographically secure. It shouldn't be confused with
RIPEMD, an earlier 128-bit hash, which is no longer considered
cryptographically secure.
[**] You can create collisions in MD4 with pen and paper. I'm not sure
if MD4 is really weak enough for this example, but it's just a thought
experiment, so let's assume it is.
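
Added example, not part of the original post: a Python sketch of the thought experiment above, showing a verifier that trusts the algorithm named by the message next to one that reads it from inside the signed value. Everything in it is an assumption made for illustration: the textbook RSA key without padding, the deliberately broken `xor32` stand-in for the weak hash, the `alg:digest` layout and the sample messages.

```python
import hashlib

# Toy RSA key from two Mersenne primes: a constructed demo key, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def xor32(data: bytes) -> bytes:
    """Deliberately broken 32-byte 'hash' (XOR of 32-byte blocks): the weak algorithm."""
    out = bytearray(32)
    for i, b in enumerate(data):
        out[i % 32] ^= b
    return bytes(out)

HASHES = {b"sha256": lambda m: hashlib.sha256(m).digest(), b"xor32": xor32}

def sign(msg: bytes, alg: bytes, firewall: bool) -> int:
    digest = HASHES[alg](msg)
    # With a firewall the algorithm name is part of the value that gets signed.
    signed = alg + b":" + digest if firewall else digest
    return pow(int.from_bytes(signed, "big"), D, N)

def verify(msg: bytes, sig: int, firewall: bool, claimed_alg: bytes = None) -> bool:
    recovered = pow(sig, E, N)
    if not firewall:
        # No firewall: the verifier has to trust whatever algorithm the message names.
        return recovered == int.from_bytes(HASHES[claimed_alg](msg), "big")
    signed = recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")
    alg, _, digest = signed.partition(b":")
    hasher = HASHES.get(alg)          # algorithm comes from the signature itself
    return hasher is not None and hasher(msg) == digest

def collide_xor32(text: bytes, target: bytes) -> bytes:
    """Append one block so xor32(result) == target; trivial because xor32 is linear."""
    padded = text + b" " * (-len(text) % 32)
    return padded + bytes(a ^ b for a, b in zip(xor32(padded), target))

def demo() -> dict:
    good = b"Pay Alice 10 dollars."                      # constructed sample message
    forged = collide_xor32(b"Empty the account. Verify with xor32.",
                           hashlib.sha256(good).digest())
    results = {}
    for firewall in (False, True):
        sig = sign(good, b"sha256", firewall)
        results[firewall] = (verify(good, sig, firewall, b"sha256"),
                             verify(forged, sig, firewall, b"xor32"))
    return results

if __name__ == "__main__":
    print(demo())
```

Without the firewall both the genuine and the substituted message verify; with it, the verifier ignores the algorithm the message names and the substituted message is rejected.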