digest-algo SHA256, SHA-1 attacks

Peter Lebbing peter at digitalbrains.com
Thu Nov 27 11:07:03 CET 2014

On 27/11/14 06:55, NdK wrote:
> 1) who guarantees that the 'r' seen by the receiving party is the same
> generated by the signer? Since it's usually trivially combined with
> source text, I feel it's a huge attack vector

The purpose of the signature is to ascertain that the OpenPGP message has not
been modified in transit. If you flip a byte anywhere in the message, either in
'r', or in the actual message, the hash changes. This is all the effect it has:
the hash changes; there is no remote code execution or anything :). And since
the hash changes, the message fails to verify as a valid signature.

Are you thinking of a preimage attack where the attacker is now able to vary the
hash of their nefarious message by varying 'r'? If there's a preimage attack
against the hash function, you've lost. Randomized hash or not, it's bye-bye.

I must admit I haven't read the actual specifications and publications
surrounding randomized hashing. But perhaps you should read them if you're
worried; they might answer your questions?

> 2) it could be a side-channel for leakage (say a smartcard under some
> control by some TLA that encrypts the used secret key and some really
> random bytes and uses the result as 'r')

First of all, in the case of an OpenPGP card, the smartcard never sees or comes
in contact with 'r'. It just signs the hash using its private key. I'd assume
this is a common setup for smartcards doing crypto, since you wouldn't want to
feed your multi-gigabyte signed datafile through a smartcard interface. That
would take ages.

I'm fairly sure this side channel does not exist in the current OpenPGP card as
long as you don't use the on-card key generation. And adding randomized hashing
would not change that situation.

And it doesn't make sense when the PC signing your message is the one that is
leaking information through 'r'... If "They"[1] control your PC, it's game over.

Could you get a little more concrete than "I feel it's a huge attack vector"?
It's kind of difficult to argue with, second guessing and all.



[1] I feel "They" should be a 3 letter word, to fit with the parties it usually
refers to. Then again, 4 letter words have a nice reputation as well.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

More information about the Gnupg-users mailing list