Confusion with signature digest type.

Robert J. Hansen rjh at sixdemonbag.org
Thu May 2 06:03:53 CEST 2013


On 5/1/2013 10:16 PM, Daniel Kahn Gillmor wrote:
> It doesn't facilitate a collision attack against that specific
> certification; but if a collision attack is possible against a
> particular digest, then *any* signature made over that digest becomes
> suspect.

First, thank you for a thorough reply.  I appreciate it a great deal.  I
think we may be using two different definitions of collision attack.

> That is, should a collision attack become viable against a particular
> digest, there's no way to tell whether any given signature that uses
> that digest was made before or after the collision attack was possible.

In the absence of a trusted timestamp, yes.  (Of course, then this
becomes a question of whether the trusted timestamp is susceptible to
attack.  I concede that this isn't a solution but just a reification one
level deeper.)

> Eve manages to inject data into your collection that makes the
> data collection have the same digest as a particularly weird User ID
> when bound to your primary key (i'm handwaving past the details of the
> OpenPGP boilerplate involved in a self-sig here).

Are you sure that this is a collision attack?  It seems to me you've
created a preimage scenario here.  And if so, I stand by my statement of
"then I'm completely screwed on a dozen different fronts simultaneously
and my certificate is the least of my worries."  :)

(For those confused by the difference -- I'm certain Daniel isn't -- all
preimage attacks are collision attacks, but relatively few collision
attacks are preimage attacks.  Wikipedia defines a collision attack as
being able to "find two arbitrary different messages m1 and m2 such that
hash(m1) = hash(m2)."  The 'arbitrary' is important: you only care about
finding a collision, but you don't care one whit what that collision is
over.  By comparison, a preimage attack means finding a specific message
that hashes out to a specific value.  By manipulating the data I'm
signing, Eve is finding a specific message: by specifying "it must hash
out to the same as a signature he made in the past", Eve is specifying a
particular hash value.  This is why his scenario seems to me to be a
preimage attack in disguise, rather than a collision attack.)

(However, it is certainly possible that I've misunderstood his scenario.)

> There is no good reason for anyone interacting with modern
> infrastructure to make their default certifications with anything weaker.

I continue to think that you're worrying about how you're going to turn
the coffeepot off as you're fleeing a house fire.  :)
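As an added illustration (not part of this thread), the Python script below makes concrete the distinction drawn in the parenthetical above: a collision search, where neither message is fixed in advance, versus a second-preimage search, where the target digest is fixed by a message someone already signed. It uses SHA-256 truncated to 16 bits purely so that both searches finish in a fraction of a second; the HMAC "signature", its key and the sample messages are constructed stand-ins, not OpenPGP.

```python
import hashlib
import hmac

def trunc_digest(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: a deliberately tiny digest so both
    searches finish quickly (shows work factor, not any SHA-256 weakness)."""
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(h, "big") >> (256 - bits)

def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Collision: any two different messages with equal digests. Neither is
    fixed in advance, so a birthday search of ~2**(bits/2) tries suffices."""
    seen: dict[int, bytes] = {}
    n = 0
    while True:
        m = b"msg-%d" % n
        n += 1
        d = trunc_digest(m, bits)
        if d in seen:
            return seen[d], m, n  # n = hash evaluations spent
        seen[d] = m

def find_second_preimage(target_msg: bytes, bits: int) -> tuple[bytes, int]:
    """Second preimage: a message matching one *specific* digest fixed by an
    already-signed message. With nothing to exploit this costs ~2**bits tries."""
    target = trunc_digest(target_msg, bits)
    n = 0
    while True:
        m = b"forged-%d" % n
        n += 1
        if trunc_digest(m, bits) == target:
            return m, n

# Toy "signature" over the digest alone (HMAC with a constructed key stands in
# for the public-key step); OpenPGP signatures are likewise made over a digest.
TOY_KEY = b"constructed-demo-key"

def sign(msg: bytes, bits: int) -> bytes:
    d = trunc_digest(msg, bits).to_bytes(4, "big")
    return hmac.new(TOY_KEY, d, hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign(msg, bits), sig)

def demo(bits: int = 16) -> dict[str, int]:
    # Run both searches at one digest size and report what each cost.
    m1, m2, coll_cost = find_collision(bits)
    forged, pre_cost = find_second_preimage(b"signed document", bits)
    assert m1 != m2 and verify(m2, sign(m1, bits), bits)  # sig over m1 fits m2
    assert verify(forged, sign(b"signed document", bits), bits)
    return {"collision_evals": coll_cost, "second_preimage_evals": pre_cost}
```

The returned counts make the point of the paragraph visible: the collision typically appears after a few hundred evaluations, the second preimage only after tens of thousands, at the same 16-bit digest size.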