
Re: Security problems in Photuris #2



> From: hugo@watson.ibm.com
>
>      Summary of this message: I claim that the security of Photuris
>      needs to be guaranteed not only based on its default transforms,
>      but for any replacement of these transforms by other secure algorithms.

I dispute your claim.  You did not specify the scope of "secure".

This statement would require that a zero-knowledge proof of a
Hamiltonian cycle (to pick something randomly from Schneier) would be an
appropriate algorithm for Photuris.

>      The current definition of Photuris does not satisfy this criterion.
>      As an example, use of plain RSA signature as the signature attribute
>      in the protocol discloses the exchanged DH key.

I cannot find _anywhere_ in our documents where a "plain" RSA signature
is mentioned, let alone used.  Plain RSA alone is not secure for digital
signatures over any hidden text.  And it is "just plain inefficient"!

The forms of signatures specified are currently DNS-SIG, DSS, MD2, MD4,
MD5, PGP, PKCS, SHA, and X.509.  MD5 is required.  The others are not
specified in the base document, but have been split off to an extensions
document.  Therefore, I refuse to discuss their details until the base
is complete.


> Photuris is intended to be algorithm independent.

No, it is not.  Only a few, well chosen, algorithms are specified.

Anything else would destroy interoperability and burden the implementor.

Protocol designers are expected to have both knowledge and common sense.

Implementors are expected to follow the specification.

Bad assumptions lead to a bogus argument.

'Nuff said.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
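The cryptographic point the two messages argue over (whether a "plain", i.e. unhashed and unpadded, RSA signature over a hidden value such as a Diffie-Hellman shared secret discloses that value) can be shown in a few lines. The following is an added illustration for this thread, not code from the Photuris drafts or from either author; the toy primes, the public exponent and the "DH shared secret" are constructed sample values, and the hash-then-sign variant stands in for a properly padded signature scheme rather than reproducing any Photuris transform.

```python
"""Why a textbook (unhashed, unpadded) RSA signature over a hidden value
discloses that value, and why signing a hash of it does not.

Added illustration; not code from the Photuris drafts or from either
author.  Primes, exponent and the sample secret are constructed values.
"""
import hashlib

# Constructed toy key: two Mersenne primes.  Far too small for real use,
# but the modulus (~2^648) comfortably exceeds a 256-bit digest, so a
# SHA-256 value is always a valid RSA input below n.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (n, e, d) for the constructed primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if gcd(e, phi) != 1
    return n, e, d


def textbook_sign(m, d, n):
    """'Plain' RSA: sign the value itself, no hash, no padding."""
    assert 0 <= m < n, "value must be below the modulus"
    return pow(m, d, n)


def recover_from_textbook_signature(sig, e, n):
    """Anyone holding only the PUBLIC key inverts a textbook signature:
    sig^e = m^(d*e) = m (mod n).  The signed value is fully disclosed."""
    return pow(sig, e, n)


def digest_of(m):
    """Fixed-length hash of the value as a 256-bit integer (always < n here)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(32, "big")).digest(), "big")


def hash_then_sign(m, d, n):
    """Sign H(m) instead of m.  Real deployments also add PKCS#1 padding;
    it is omitted so the contrast with the textbook form stays visible."""
    return pow(digest_of(m), d, n)


def verify_hashed(sig, m, e, n):
    """Verifier recomputes H(m) and compares.  An eavesdropper who applies
    the public key to sig learns H(m), not m."""
    return pow(sig, e, n) == digest_of(m)


# Constructed stand-in for the Diffie-Hellman shared secret the two
# parties computed: the value an eavesdropper must not learn.
SAMPLE_DH_SECRET = 0x2B7E151628AED2A6ABF7158809CF4F3C


def demo():
    """Run both signature forms over the sample secret and report what an
    eavesdropper with the public key can recover from each."""
    n, e, d = make_keypair()
    plain_sig = textbook_sign(SAMPLE_DH_SECRET, d, n)
    leaked = recover_from_textbook_signature(plain_sig, e, n)
    hashed_sig = hash_then_sign(SAMPLE_DH_SECRET, d, n)
    seen_by_eavesdropper = pow(hashed_sig, e, n)  # only the digest comes back
    return {
        "textbook_leaks_secret": leaked == SAMPLE_DH_SECRET,
        "hashed_leaks_secret": seen_by_eavesdropper == SAMPLE_DH_SECRET,
        "hashed_verifies": verify_hashed(hashed_sig, SAMPLE_DH_SECRET, e, n),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the textbook form handing the full secret to anyone with the public key, while the hashed form verifies correctly and yields only the digest. The practitioner's check is the one implied in the reply above: never sign a value that must stay hidden without hashing (and, in practice, padding) it first, and do not call a scheme "secure" without saying against which adversary.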

