digest-algo SHA256, SHA-1 attacks

NdK ndk.clanbo at gmail.com
Thu Nov 27 06:55:34 CET 2014

On 26/11/2014 20:39, Peter Lebbing wrote:
> On 26/11/14 20:31, NdK wrote:
>> Well, IIUC with rhash you're giving the attacker another means to tamper
>> with your message. Unless 'r' is chosen deterministically.
> 'r' is randomly generated for each signature by the /signing/ party. So the
> attacker loses control over the input to the hashing algorithm, and they no
> longer can use collision attacks because they don't know the exact input to the
> hashing algorithm.
Sorry, I've been too concise.
I see two problems with randomizing crypto:
1) who guarantees that the 'r' seen by the receiving party is the same
as the one generated by the signer? Since it's usually trivially combined with
the source text, I feel it's a huge attack vector
2) it could be a side-channel for leakage (say a smartcard under some
control by some TLA that encrypts the used secret key and some really
random bytes and uses the result as 'r')
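An added illustration of the randomized-hashing scheme discussed above (example code, not from the thread or from GnuPG): a deliberately truncated hash stands in for a hash with practical collision attacks, `H(r || m)` is the assumed rhash construction, and an HMAC stands in for the public-key signature. It shows that a collision pair prepared before the signer picks `r` no longer collides once `r` is mixed in, that `r` is covered by the signature so it cannot be altered in transit undetected, and that `r` may also be derived deterministically from the key and message instead of fresh randomness.

```python
import hashlib
import hmac
import secrets

HASH_BYTES = 4  # toy: truncate SHA-256 to 32 bits so a collision is cheap to find


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a hash with practical collision attacks (constructed, not SHA-1)."""
    return hashlib.sha256(data).digest()[:HASH_BYTES]


def find_collision():
    """Attacker's offline birthday search: two distinct messages with the same weak_hash."""
    seen = {}
    i = 0
    while True:
        m = b"contract revision %d" % i
        h = weak_hash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1


def randomized_hash(r: bytes, msg: bytes) -> bytes:
    """Assumed rhash construction: the signer's salt r is hashed together with the message."""
    return weak_hash(r + msg)


def sign(key: bytes, msg: bytes, deterministic: bool = False):
    """Signer picks r (fresh random bytes, or derived from key and message so that no
    fresh randomness is exposed) and signs the randomized digest. HMAC stands in for
    the public-key signature; the verifier needs both r and the tag."""
    r = hmac.new(key, msg, "sha256").digest()[:16] if deterministic else secrets.token_bytes(16)
    tag = hmac.new(key, randomized_hash(r, msg), "sha256").digest()
    return r, tag


def verify(key: bytes, msg: bytes, r: bytes, tag: bytes) -> bool:
    """Verifier recomputes with the r it received. Because r is part of the signed
    input, any change to r or to msg in transit makes this check fail."""
    expected = hmac.new(key, randomized_hash(r, msg), "sha256").digest()
    return hmac.compare_digest(expected, tag)


def collision_survives(m1: bytes, m2: bytes, r: bytes) -> bool:
    """Does the attacker's precomputed pair still collide once the signer's r is mixed in?"""
    return randomized_hash(r, m1) == randomized_hash(r, m2)
```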


More information about the Gnupg-users mailing list