digest-algo SHA256, SHA-1 attacks

NdK ndk.clanbo at gmail.com
Thu Nov 27 06:55:34 CET 2014


On 26/11/2014 20:39, Peter Lebbing wrote:
> On 26/11/14 20:31, NdK wrote:
>> Well, IIUC with rhash you're giving the attacker another means to tamper
>> with your message. Unless 'r' is chosen deterministically.
> 'r' is randomly generated for each signature by the /signing/ party. So the
> attacker loses control over the input to the hashing algorithm, and they no
> longer can use collision attacks because they don't know the exact input to the
> hashing algorithm.
Sorry, I've been too concise.
I see two problems with randomizing crypto:
1) who guarantees that the 'r' seen by the receiving party is the same
generated by the signer? Since it's usually trivially combined with
source text, I feel it's a huge attack vector
2) it could be a side-channel for leakage (say a smartcard under some
control by some TLA that encrypts the used secret key and some really
random bytes and uses the result as 'r')

BYtE,
 Diego.



More information about the Gnupg-users mailing list