Questions about generating keys

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 23 13:05:24 CEST 2007


Sven Radde wrote:
> I am paranoid, too. Could someone therefore please explain to me what a
> hash firewall actually is (possibly off-list)?

In an RSA signature, data about what algorithm was used in a signature
is, itself, part of the signed data.  You can't lie about a signature
algorithm without tampering with the message and making the signature
fail to verify.

In DSA, the data is not part of the signed data.  This allows you to
lie.  This has potential problems if one of the supported hashes becomes
so catastrophically weak that second-preimage attacks become feasible.

SHA-1 may be basically dead as far as crypto goes, but it is a _long_
way from a second-preimage attack.




The paranoid interpretation of this:

Let's speculate that tomorrow, Shengdong University continues their
trend of eye-popping crypto research and announces a second-preimage
attack against SHA-1.  You migrate to RIPEMD160 or truncated SHA256 or
what-have-you as a result.

An attacker wants to forge one of your new RIPEMD160-based signatures.
An attacker gets a good RIPEMD160-based signature from you.  This is
basically one very long binary sequence, which says "hey, if the message
you're reading hashes out to this binary sequence, then yes, it's for real."

I construct a new message, saying "I, Sven Radde, agree to pay Rob
Hansen one frosty cold pint of bitters."  I wave the dead chicken over
it, or whatever Shengdong U. says I have to do, in order to make it hash
out to the exact same binary sequence as the one your signature says is
authentic.

I lift your RIPEMD160 signature and place it on my new forged message.
I proceed to then lie and say "This message used SHA-1 as a digest."

I give it to your local barkeep.  He looks at the message, SHA-1s it,
gets the binary sequence I constructed.  He compares it against your
signature block, which says "hey, if the message you're reading hashes
out to this binary sequence, then yes, it's for real."

Your barkeep pours me a nice cold frosty pint of bitters--hey, I'm a
barbaric American and I drink my beer _cold_, thank you very much--and
puts the bill for it on your tab.

I have now defrauded you by using a forged message.  And it's all made
possible by the lack of a hash function firewall.





The practical paranoid interpretation of this:

A second-preimage attack on SHA-1 would be a mathematical advance of
such massive proportions that worrying about its consequences for DSA
signatures is kind of dumb.

If you stay up late at night wondering what will ever happen to "Deal Or
No Deal" in the days after a meteor hits Earth, then you're probably the
type of person who worries about what happens to DSA signatures after a
second-preimage attack on SHA-1.  The rest of the world, however, will
have much more important things to worry about.




... Personally, I myself subscribe to the practical paranoid view.
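
The difference described in the message above, as an added example that is not part of the original post: it builds the value that actually gets signed under RSA (PKCS#1 v1.5 padding, using the DigestInfo prefixes from RFC 4880 section 5.2.2) and under DSA, then checks whether relabelling the hash algorithm changes that value. The function names and the sample digest are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefixes (hash OID + digest length), RFC 4880 section 5.2.2.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "ripemd160": bytes.fromhex("3021300906052b2403020105000414"),
}

def rsa_signed_block(digest: bytes, hash_name: str, k: int = 256) -> bytes:
    """EMSA-PKCS1-v1_5 block for a k-byte modulus: the value RSA signs.
    The hash algorithm's OID sits inside the block, next to the digest."""
    t = DIGESTINFO_PREFIX[hash_name] + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def dsa_signed_value(digest: bytes, q_bits: int = 160) -> int:
    """The integer DSA signs: the leftmost q_bits of the digest, nothing else."""
    z = int.from_bytes(digest, "big")
    extra = len(digest) * 8 - q_bits
    return z >> extra if extra > 0 else z

def signed_value(scheme: str, digest: bytes, hash_name: str):
    if scheme == "rsa":
        return rsa_signed_block(digest, hash_name)
    return dsa_signed_value(digest)  # hash_name never enters the DSA equation

def relabel_detected(scheme: str, digest: bytes, signed_as: str, claimed: str) -> bool:
    """True if changing the hash label changes the signed value, so the
    original signature can no longer verify under the new label."""
    return signed_value(scheme, digest, signed_as) != signed_value(scheme, digest, claimed)

# Constructed sample: a 20-byte value standing in for a digest that is the
# RIPEMD-160 hash of the genuine message and, hypothetically, the SHA-1 hash
# of a different message.
SAMPLE_DIGEST = hashlib.sha1(b"constructed sample message").digest()

if __name__ == "__main__":
    for scheme in ("rsa", "dsa"):
        caught = relabel_detected(scheme, SAMPLE_DIGEST, "ripemd160", "sha1")
        print(f"{scheme}: relabelling ripemd160 -> sha1 detected: {caught}")
```

With RSA the relabelled block differs from the one that was signed, so verification fails; with DSA the signed value is identical under either label, which is the missing firewall.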


