Why the exponent 3 error happened:
user name
2006-09-15 17:15:52
James Donald writes:
> There is no need, ever, for the RSA signature to encrypt
> anything other than a hash, nor will there ever be such
> a need.  In this case the use of ASN.1 serves absolutely
> no purpose whatsoever, other than to create complexity,
> bugs, and opportunities for attack.  It is sheer
> pointless stupidity, complexity for the sake of
> complexity, an indication that the standards process is
> broken.

Actually there is something besides the hash there: an identifier for
which hash algorithm is used.  The ASN.1 OID was, I suppose, a handy and
already-existent mechanism for universal algorithm identification numbers.

Putting the hash identifier into the RSA signed data prevents hash
substitution attacks.  Otherwise the hash identifier has to be passed
unsigned, and an attacker could substitute a weak hash algorithm and find
a second preimage that matches your signed hash.  Maybe that is not part
of a threat model you are interested in but at least some signers don't
want their hash algorithms to be changed.

BTW I want to mention a correction to Peter Gutmann's post: as I
understand it, GnuPG was not vulnerable to this attack.  Neither was PGP.
The OpenPGP standard passes the hash number outside the RSA signed data
in addition to using PKCS-1 padding.  This simplifies the parsing as it
allows hard-coding the ASN-1 prefix as an opaque bit string, then doing
a simple comparison between the prefix+hash and what it should be.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
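The two points Hal makes above, verification by whole-block comparison against a hard-coded DigestInfo prefix and binding of the hash algorithm inside the signed data, are shown here in an added Python example. This is not code from the post, from OpenPGP or from any of the implementations discussed in the thread; the RSA key, the message and the deliberately malformed encoding are constructed for the demo, and the DigestInfo prefixes are the standard PKCS#1 v1.5 values. `verify_strict` recomputes the entire padded block from the message and the (externally supplied, as in OpenPGP) hash name and compares it byte for byte; `verify_lenient` is the parse-then-compare shape that ignores whatever follows the hash, kept only as the "before" form.

```python
"""PKCS#1 v1.5 RSA signatures: strict full-block comparison versus a lenient
parser, plus hash-algorithm binding.  Added example; key and data are
constructed for the demo, not taken from the mailing-list post."""
import hashlib
import hmac
import math
import random

# Standard DigestInfo prefixes (hash OID, NULL parameters, OCTET STRING
# header), hard-coded as opaque byte strings as Hal describes.
DIGESTINFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demo key."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_key(bits=1024, e=3):
    """Constructed demo RSA key (n, e, d); e=3 as in the attack the thread
    discusses.  Retries until e is invertible mod phi(n)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(hash_name, message, k):
    """EM = 00 01 FF..FF 00 || DigestInfo(hash) || H(message), exactly k bytes."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:  # PKCS#1 requires at least eight bytes of FF padding
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def _modulus_bytes(n):
    return (n.bit_length() + 7) // 8


def sign(key, hash_name, message):
    n, _, d = key
    k = _modulus_bytes(n)
    em = emsa_pkcs1_v15_encode(hash_name, message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def _rsa_public(pub, signature):
    """Apply the public exponent; returns the k-byte block or None."""
    n, e = pub
    k = _modulus_bytes(n)
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")


def verify_strict(pub, hash_name, message, signature):
    """Hal's approach: rebuild the whole expected block from the message and
    the externally supplied hash name, then compare.  Nothing is parsed."""
    em = _rsa_public(pub, signature)
    if em is None:
        return False
    try:
        expected = emsa_pkcs1_v15_encode(hash_name, message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lenient(pub, hash_name, message, signature):
    """The broken shape: skip the padding, check that prefix+hash come next,
    and never look at what follows.  Kept only as the 'before' form."""
    em = _rsa_public(pub, signature)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are not examined


def noncanonical_signature(key, hash_name, message):
    """Constructed test vector: minimal FF padding, prefix+hash, then zero
    filler, signed with the legitimate private key.  A verifier must reject
    this even though the hash bytes are present."""
    n, _, d = key
    k = _modulus_bytes(n)
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


if __name__ == "__main__":
    key = generate_key()
    pub, msg = key[:2], b"constructed sample message"
    sig = sign(key, "sha256", msg)
    print("strict  accepts good signature:", verify_strict(pub, "sha256", msg, sig))
    print("strict  with substituted hash id:", verify_strict(pub, "sha1", msg, sig))
    bad = noncanonical_signature(key, "sha256", msg)
    print("lenient accepts non-canonical block:", verify_lenient(pub, "sha256", msg, bad))
    print("strict  accepts non-canonical block:", verify_strict(pub, "sha256", msg, bad))
```

Two things to note when reading the output. Passing the hash name to `verify_strict` from outside the signed data is harmless here because the verifier uses it only to select which opaque prefix to expect; if the name is substituted, the prefix inside the block no longer matches and the comparison fails, which is the hash-substitution protection Hal describes. And the non-canonical block is rejected by `verify_strict` purely because the padding length is wrong, with no ASN.1 decoding involved.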