Confusion with signature digest type.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 2 07:00:38 CEST 2013


On 05/02/2013 12:51 AM, Robert J. Hansen wrote:
> On 5/2/2013 12:48 AM, Robert J. Hansen wrote:
>> She cares what the collision is: it has to be a valid OpenPGP signature
>> sequence.
> 
> Erf, did I really write that?
> 
> s/signature/User ID
> 
> The point being the User ID isn't allowed to be completely arbitrary:
> there's a lot of structure to it.  I think that's what kicks this into a
> preimage.

The same can be said of X.509 certificates.  There is a lot of structure
in them too, but nonetheless a collision attack was sufficient to mint a
new certificate from RapidSSL's predictable signing policy.

The User ID itself does have well-defined structure, it's true -- in
particular, it has to be a valid UTF-8 bytestream.

However, the selfsig is made on a digest over many things, only one of
which is the User ID.  For example, it could contain an arbitrary
OpenPGP notation subpacket, which can itself include an arbitrary
bytestream in the value field, particularly if notation flag 0x80 is
cleared.  Compare this to the X.509 ASN.1 "tumor" used in
http://www.win.tue.nl/hashclash/rogue-ca/

This is an attack against the digest's collision-resistance, not against
its preimage resistance.

Regards,

	--dkg
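An added illustration of the point made above about the selfsig digest (example code written for this archive page, not something dkg or GnuPG posted): it assembles the octets a verifier hashes for a v4 User ID certification per RFC 4880 section 5.2.4, with a notation data subpacket whose human-readable flag (0x80) is cleared, and shows that the notation value lands verbatim in the hashed region next to the structured User ID. The key body, User ID, notation name and timestamp are constructed dummy values, and the key is not a usable RSA key.

```python
import hashlib
import struct

# Constructed dummy v4 public-key packet body (RFC 4880 5.5.2): version octet,
# 4-octet creation time, algorithm 1 (RSA), then the MPIs n and e. Not a real key.
DUMMY_KEY_BODY = (bytes([0x04]) + struct.pack(">I", 0x5181F1A0) + bytes([0x01])
                  + b"\x00\x11\x01\x23\x45"        # n: 17-bit MPI (dummy)
                  + b"\x00\x11\x01\x00\x01")       # e: 17-bit MPI (dummy)

def subpacket(sp_type, body):
    """Encode one signature subpacket (RFC 4880 5.2.3.1): length, type octet, body."""
    n = len(body) + 1  # the length counts the type octet
    if n < 192:
        hdr = bytes([n])
    elif n < 16320:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([sp_type]) + body

def notation(name, value, human_readable=False):
    """Notation Data subpacket (type 20): 4 flag octets, name length, value
    length, name, value. With flag 0x80 cleared the value is an opaque bytestream."""
    flags = b"\x80\x00\x00\x00" if human_readable else b"\x00\x00\x00\x00"
    return subpacket(20, flags + struct.pack(">HH", len(name), len(value)) + name + value)

def selfsig_hash_input(key_body, user_id, hashed_subpackets, sig_type=0x13,
                       pk_algo=1, hash_algo=8):
    """Octets a verifier digests for a v4 User ID certification (RFC 4880 5.2.4):
    0x99+key, 0xB4+User ID, signature fields through hashed subpackets, trailer."""
    sig_fields = bytes([0x04, sig_type, pk_algo, hash_algo])
    sig_fields += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_fields))
    return (b"\x99" + struct.pack(">H", len(key_body)) + key_body
            + b"\xb4" + struct.pack(">I", len(user_id)) + user_id
            + sig_fields + trailer)

def selfsig_digest(key_body, user_id, hashed_subpackets):
    """SHA-256 (hash algorithm 8) of the hashed region; this is what gets signed."""
    return hashlib.sha256(selfsig_hash_input(key_body, user_id, hashed_subpackets)).digest()

def demo():
    uid = "Alice Example <alice@example.org>".encode()  # constructed User ID
    ctime = subpacket(2, struct.pack(">I", 0x5181F1A0))   # signature creation time
    free_bytes = bytes(range(256))  # constructed filler: not valid UTF-8
    sps = ctime + notation(b"filler@example.org", free_bytes)
    data = selfsig_hash_input(DUMMY_KEY_BODY, uid, sps)
    # The notation value is hashed verbatim, beside the structured User ID.
    return free_bytes in data, selfsig_digest(DUMMY_KEY_BODY, uid, sps).hex()
```

Because the notation value is unconstrained digest input, a verifier's trust in the selfsig rests entirely on the hash function's collision resistance, which is the distinction the message draws between collision and preimage attacks.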
