
Re: comments on Photuris




> From karn@unix.ka9q.ampr.org Thu Feb  9 03:36 PST 1995
> Although Ashar does have some valid points, several of his arguments
> are against straw men in my opinion. For example, his assumption of
> the identity function as the hash when signing. Tricking people into
> signing arbitrary things of the attacker's choosing is a well-known
> vulnerability of RSA and other digital signature algorithms. And this
> is easily avoided: you never sign anything directly, you always sign
> its crypto hash instead.

I disagree. Not all of the arguments on stealing signatures involve
the use of identity hash functions. I mentioned that one simply
for the sake of completeness.

There are many scenarios by means of which real signatures (on
hashes not the actual quantities) can be obtained, even though
the private keys may be perfectly secure. This is because signatures
are not physically protected, even though keys usually are or can
be.

Consider the case whereby, e.g., through OS deficiencies one
can steal a signature on a quantity from a smart card or token
device, even though there is no possibility of stealing the
private key from the device. With Photuris, stealing a single
signature on a quantity whose discrete log is known is equivalent
to stealing the long term private key (in the sense that it allows
unlimited impersonation thereafter). This is the real problem.

Then there is also the scenario that Hugo mentioned about
the intruder simply stealing the fatal triple {x,g^x,Sig(g^x)}
from the precompute table. This is also fatal, even if the
triple was never used and the private key is perfectly protected.

Stealing one signature should not be equivalent to stealing
the long term private key, because the latter can be heavily
protected whereas the former simply cannot be.

Regards,
Ashar.
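As an added illustration of the scenario described in this message (example code written for this page, not part of the thread and not Photuris code): a toy model in which the signer hashes before signing, exactly as the quoted reply recommends, yet a stolen triple {x, g^x, Sig(g^x)} still lets an intruder complete fresh exchanges as the victim and derive the responder's session key. The `bound_transcript` variant, which also signs over the peer's value and a fresh nonce, is an assumed remedy included only for contrast; this message does not propose it. The DH group and RSA key are constructed toy parameters.

```python
"""Toy model of the signature-theft scenario from the Photuris thread."""
import hashlib
import secrets

# Constructed DH group: safe prime p = 2*509 + 1, generator 2.  Not a real
# Photuris group; the replay works identically in any group.
P, G = 1019, 2

# Constructed textbook-RSA long-term key for the victim.  The primes are
# genuine primes (largest below and smallest above 10**6) but the key is a toy.
RSA_P, RSA_Q, RSA_E = 999983, 1000003, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def h(msg: bytes) -> int:
    """Hash-then-sign, as the quoted reply advises: SHA-256 reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N


def sign(msg: bytes) -> int:
    return pow(h(msg), RSA_D, RSA_N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == h(msg)


def weak_transcript(gx: int, gy: int, nonce: bytes) -> bytes:
    """What this message describes: the signature covers only the signer's
    own g^x, so it can sit precomputed in a table before any peer exists."""
    return b"toy-photuris|" + str(gx).encode()


def bound_transcript(gx: int, gy: int, nonce: bytes) -> bytes:
    """Assumed remedy (not from the thread): the signature also covers the
    peer's g^y and the peer's fresh nonce, tying it to one exchange."""
    return b"|".join([b"toy-photuris", str(gx).encode(), str(gy).encode(), nonce])


def stolen_triple(transcript):
    """A triple {x, g^x, Sig(...)} lifted from an earlier session of the
    victim, e.g. copied out of the precompute table or a token's output.
    The victim's private key RSA_D is never exposed."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    old_gy = pow(G, secrets.randbelow(P - 2) + 1, P)
    old_nonce = secrets.token_bytes(8)
    return x, gx, sign(transcript(gx, old_gy, old_nonce))


def impersonation_succeeds(transcript) -> bool:
    """Run one fresh exchange in which the intruder presents the stolen
    triple instead of using the victim's private key.  Returns True when
    the responder accepts and the intruder ends up holding its session key."""
    x, gx, stolen_sig = stolen_triple(transcript)

    # Responder (Bob) starts a fresh exchange with a new exponent and nonce.
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    nonce = secrets.token_bytes(8)

    # The intruder replays the stolen signature; only the transcript rule
    # decides whether it still verifies against Bob's fresh gy and nonce.
    if not verify(transcript(gx, gy, nonce), stolen_sig):
        return False
    # Because x was stolen together with the signature, the intruder can
    # compute the same key Bob derives: this is the "unlimited impersonation".
    return pow(gy, x, P) == pow(gx, y, P)


if __name__ == "__main__":
    print("signature over g^x only :", impersonation_succeeds(weak_transcript))
    print("signature bound to peer :", impersonation_succeeds(bound_transcript))
```

Under `weak_transcript` the first call returns True on every run, which is the equivalence this message describes between one stolen signature and the long-term key; under `bound_transcript` the stolen signature no longer verifies against Bob's fresh values, so theft of one signature compromises at most the session it was made for.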

