digest-algo SHA256, SHA-1 attacks
NdK
ndk.clanbo at gmail.com
Thu Nov 27 06:55:34 CET 2014
On 26/11/2014 20:39, Peter Lebbing wrote:
> On 26/11/14 20:31, NdK wrote:
>> Well, IIUC with rhash you're giving the attacker another means to tamper
>> with your message. Unless 'r' is chosen deterministically.
> 'r' is randomly generated for each signature by the /signing/ party. So the
> attacker loses control over the input to the hashing algorithm, and they no
> longer can use collision attacks because they don't know the exact input to the
> hashing algorithm.
Sorry, I've been too concise.
I see two problems with randomizing crypto:
1) who guarantees that the 'r' seen by the receiving party is the same
generated by the signer? Since it's usually trivially combined with
source text, I feel it's a huge attack vector
2) it could be a side-channel for leakage (say a smartcard under some
control by some TLA that encrypts the used secret key and some really
random bytes and uses the result as 'r')
BYtE,
Diego.
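An added example, not part of the thread or of any rhash proposal, sketching the mechanics Peter describes: the signer draws a fresh random salt r for every signature, hashes r || message, and ships r next to the signature so the verifier can recompute the same digest. A keyed HMAC stands in for the real public-key signature primitive (an assumption for the sake of an offline demo); the key, message and salt length are constructed values.

```python
import hashlib
import hmac
import os

# Constructed demo of randomized hashing: the signing party picks r, so the
# party that prepared the message does not know the exact input to the hash.
# HMAC-SHA256 is a stand-in for the public-key signature over the digest
# (assumption: a real scheme would sign with RSA/DSA/EdDSA instead).
SALT_LEN = 16


def randomized_digest(r: bytes, message: bytes) -> bytes:
    """SHA-256 over the per-signature salt r followed by the message."""
    return hashlib.sha256(r + message).digest()


def sign(signing_key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Return (r, sig): r chosen by the signer, sig over H(r || message)."""
    r = os.urandom(SALT_LEN)
    sig = hmac.new(signing_key, randomized_digest(r, message), hashlib.sha256).digest()
    return r, sig


def verify(signing_key: bytes, message: bytes, r: bytes, sig: bytes) -> bool:
    """Recompute H(r || message) from the r received with the signature."""
    if len(r) != SALT_LEN:
        return False
    expected = hmac.new(signing_key, randomized_digest(r, message), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Genuine triple verifies; a swapped message or a replaced r does not."""
    key = b"constructed-demo-key"       # constructed, not a real key
    msg = b"I agree to pay 100 EUR."    # constructed message
    r, sig = sign(key, msg)
    r2, _ = sign(key, msg)              # second signature: different r, different digest
    return {
        "genuine": verify(key, msg, r, sig),
        "message_swapped": verify(key, b"I agree to pay 1000 EUR.", r, sig),
        "salt_replaced": verify(key, msg, os.urandom(SALT_LEN), sig),
        "salt_wrong_length": verify(key, msg, r[:8], sig),
        "fresh_r_per_signature": randomized_digest(r, msg) != randomized_digest(r2, msg),
    }


if __name__ == "__main__":
    print(demo())
```

Because r is bound into the signed digest and checked by the receiver, a transmitted r that differs from the signer's breaks verification rather than silently changing what was signed; the side-channel worry about how r is generated is a separate matter that this code does not address.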