collision vs. preimage attacks: policy for signing data created by others

Hauke Laging mailinglisten at hauke-laging.de
Mon Sep 24 19:06:17 CEST 2012 

Hello,

not a GnuPG specific problem but perhaps relevant to GnuPG users.

Given the much bigger difficulty of preimage attacks, would a rule make sense 
not to sign a document that someone else has created (and thus been given the 
opportunity for a collision attack)? The solution would be to change the file 
in a way that does not affect the meaning (e.g. an additional space somewhere) 
and can easily be detected to match this condition. There could even be a 
field especially for a random modification by the recipient.

Often documents have to be signed by both parties. How can the sender be safe 
against a collision attack by the recipient's modification? One aspect is 
time. If you get the document back within days it seems very hard to get the 
attack done in that time. But perhaps it also helps to have certain 
requirements for the modification; requirements which make a collision attack 
a lot harder (but are easy to check). I can just guess what that may be. 
Perhaps the combination of a random value and its hash:

ACAM: JIu1ZmRJdYFH9wVspZr9 a6dd2f422f95606ff3e1de4ccb662f5f3a876d92

There could be one such Anti Collision Attack Modification field for each 
party. It would make sense to require a hash algorithm with heavy CPU load for 
this. But perhaps this is exaggerated and the additional space serves just as 
well? :-)

Of course, this is not intended as a possibility to continue using hash 
functions with known collision attacks but as a precautionary measure as you 
can never be sure that you know all your attacker knows (who need not even be 
the one you want to make a treaty with). Probably not even the majority of 
OpenPGP users is immediately aware of the publishing of new attacks.


Hauke
-- 
☺
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20120924/c63a0091/attachment.pgp>

More information about the Gnupg-users mailing list