
Re: Security problems in Photuris #2




   I propose a simple compromise: document the assumptions.

I was thinking the same thing..

   Since Bill keeps asking for text contributions, here's one:
   
   	``Photuris signature transforms must hide their input.
   	  A signature transform which leaks information about
   	  its input is unsuitable for use in Photuris.''

Hmm.  How about the following, which includes some rationale text..

"Since the shared secret is included in the value to be signed,
Photuris signature transforms must not leak information about any part
of their input.  An example of an unsuitable signature transform would
be RSA of the raw signature value."

The following text may also help:

"Because the shared secret is found at both the beginning and the end
of the input to the signature transform, and all specified signature
transforms hash their input and then sign the hash, one may look at
this process as the signature of a keyed hash of the remaining fields,
with the shared secret as the key."

BTW, the same issue also applies to the verification of change
messages in section 6.4; the validity_choice algorithm also must not
leak info about the shared secret.

						- Bill




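Added example, not part of the original message or of the Photuris specification: a Python sketch of the point made in the message above. It shows that raw RSA of the value to be signed lets any holder of the public key read back the shared secret, while hashing first exposes only a keyed hash of the remaining fields. The toy key, the use of SHA-256, and all function names and sample values are assumptions constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Illustration only:
# no padding, not a secure key. Requires Python 3.8+ for pow(E, -1, phi).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def signed_input(secret: bytes, fields: bytes) -> bytes:
    """Value to be signed: shared secret at the beginning and the end."""
    return secret + fields + secret

def keyed_digest(secret: bytes, fields: bytes) -> bytes:
    """Keyed hash of the remaining fields (SHA-256 is an assumption here)."""
    return hashlib.sha256(signed_input(secret, fields)).digest()

def raw_rsa_sign(secret: bytes, fields: bytes) -> int:
    """Unsuitable transform: RSA applied directly to the raw value."""
    m = int.from_bytes(signed_input(secret, fields), "big")
    if m >= N:
        raise ValueError("input too long for this toy modulus")
    return pow(m, D, N)

def hash_then_sign(secret: bytes, fields: bytes) -> int:
    """Suitable shape: hash the input, then sign only the hash."""
    return pow(int.from_bytes(keyed_digest(secret, fields), "big"), D, N)

def public_view(sig: int, length: int) -> bytes:
    """What anyone holding the public key (N, E) can compute from sig."""
    return pow(sig, E, N).to_bytes(length, "big")

def verify(sig: int, secret: bytes, fields: bytes) -> bool:
    """A peer that knows the shared secret recomputes the keyed hash."""
    return public_view(sig, 32) == keyed_digest(secret, fields)

if __name__ == "__main__":
    secret, fields = b"constructed-shared-secret", b"constructed-exchange-fields"
    n = len(signed_input(secret, fields))
    print(public_view(raw_rsa_sign(secret, fields), n))  # secret visible
    print(public_view(hash_then_sign(secret, fields), 32).hex())  # digest only
```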

