
Security problems in Photuris #2



Ref:  Your note of Thu, 12 Oct 1995 10:37:21 -0700 (PDT) (attached)

 >
 > I propose a simple compromise: document the assumptions.
 >
 > Since Bill keeps asking for text contributions, here's one:
 >
 > 	``Photuris signature transforms must hide their input.
 > 	  A signature transform which leaks information about
 > 	  its input is unsuitable for use in Photuris.''

This is not a compromise. This is the absolute minimum required for the
current Photuris design. As I said in my messages, language changes
can help here. But why not get a better, less restrictive design that
does not require (inflexible) assumptions from a signature transform as
above?
The additional MAC operation I am asking for before applying the digital
signature cannot be a reason not to go to a better, more robust design.

Anyway, don't forget another "mandatory" language change regarding
the Signature-Message. A Photuris implementation MUST sign the identity
of the signer (this is unrelated to the issue of whether the signature
provides secrecy or not). This can be accomplished by specifying that
the Certificate field MUST always be present and, at least, include the
signer's identity. Or, any other way to ensure that this identity is
included in the signature (and known to the verifier).
See my "Security problems in Photuris #3" for a rationale about mandatory
signing of identity.

Hugo
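
An added illustration, not part of the original message and not Photuris's actual message format: a signature transform with message recovery (here toy textbook RSA) hands its input to anyone holding the public key, while signing a MAC computed over the signer's identity and the data exposes only a MAC tag and binds the identity. The key, sample values, field layout and function names are assumptions made for the example.

```python
import hashlib
import hmac

# Toy textbook RSA with a constructed key and no padding, standing in for a
# signature transform with message recovery. Illustration only.
P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
NLEN = (N.bit_length() + 7) // 8


def sign(value: bytes) -> int:
    """Sign a value that is numerically smaller than the modulus."""
    m = int.from_bytes(value, "big")
    if m >= N:
        raise ValueError("value too large for toy modulus")
    return pow(m, D, N)


def recover(signature: int) -> bytes:
    """What anyone holding the public key (N, E) learns from a signature."""
    return pow(signature, E, N).to_bytes(NLEN, "big")


def mac_input(key: bytes, identity: bytes, data: bytes) -> bytes:
    """MAC over the signer's identity and the data, truncated to 16 bytes."""
    # Length-prefix the identity so the identity/data boundary is unambiguous.
    msg = len(identity).to_bytes(2, "big") + identity + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def sign_mac(key: bytes, identity: bytes, data: bytes) -> int:
    """Apply the MAC first, then sign the MAC tag."""
    return sign(mac_input(key, identity, data))


def verify_mac(key: bytes, identity: bytes, data: bytes, signature: int) -> bool:
    """Verifier recomputes the MAC for the claimed identity and compares."""
    expected = mac_input(key, identity, data).rjust(NLEN, b"\x00")
    return hmac.compare_digest(recover(signature), expected)


# Constructed sample values.
KEY = b"shared-key-known-to-both-parties"
DATA = b"sensitive-input!"             # 16 bytes that must stay hidden

if __name__ == "__main__":
    print(recover(sign(DATA))[-16:])                     # direct signing: input exposed
    print(recover(sign_mac(KEY, b"alice", DATA))[-16:])  # only a MAC tag exposed
```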