[15772] in cryptography@c2.net mail archive
dual-use digital signature vulnerability
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Fri Jul 16 12:39:04 2004
X-Original-To: cryptography@metzdowd.com
Date: Fri, 16 Jul 2004 08:31:27 -0600
To: cryptography@metzdowd.com
From: Anne & Lynn Wheeler <lynn@garlic.com>
In-Reply-To: <6.1.2.0.2.20040715085037.03ded030@mail.comcast.net>
ok, this is a long posting about what i might be able to reasonably assume
if a digital signature verifies (posting to c.p.k newsgroup):
http://www.garlic.com/~lynn/2004h.html#14
basically the relying-party has certified the environment that houses the
private key and the environment that the digital signature was done in ...
then the verification of the digital signature might be assumed to imply
one-factor or possibly two-factor authentication (i.e. if the relying-party
has certified that a private key is housed in a secure hardware token and
can never leave that hardware token, then the verification of the digital
signature might imply one-factor, "something you have" authentication).
that establishes the basis for using digital signature for authentication
purposes ... being able to assume that verification of the digital
signature possibly implies "something you have" authentication (or
something similar).
just the verification of the digital signature, however, doesn't do anything
to establish any implication about a legal signature where the "signer" is
assumed to have read and agrees to the contents of the thing being signed
(intention to sign the content of the document as agreement, approval,
and/or authorization).
let's assume for argument's sake that some sort of environment can be
certified that provides a relying party some reasonable assurance that the
signer has, in fact, read and is indicating agreement, approval, and/or
authorization ... then there might possibly be the issue of the dual-use
vulnerability.
the dual-use comes up when the person is "signing" random challenges as
purely a means of authentication w/o any requirement to read the contents.
Given such an environment, an attack might be sending some valid text in
lieu of random data for signature. Then the signer may have a repudiation
defense that he hadn't signed the document (as in the legal sense of
signing), but it must have been a dual-use attack on his signature (he had
signed it believing it to be random data as part of an authentication
protocol).
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
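The dual-use problem the post describes, as an added example that is not the author's code: a toy textbook RSA key (constructed from two Mersenne primes with a truncated hash, not for real use) signs a "challenge" that is actually contract text. With one raw signing routine for both purposes the result verifies as a document signature; with domain-separated encodings (the assumed AUTH_TAG / DOC_TAG prefixes) an authentication signature can no longer be passed off as agreement to a document.

```python
"""Dual-use signature demo: authentication signatures vs. document signatures."""
import hashlib

# Constructed toy RSA key: two Mersenne primes, textbook RSA, NOT for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(data: bytes) -> int:
    # Truncate SHA-256 to 144 bits so the representative stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:18], "big")


def rsa_sign(data: bytes) -> int:
    return pow(_digest(data), D, N)


def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)


# --- Naive design: one key, one encoding, used for challenges and documents alike ---
def naive_sign_challenge(challenge: bytes) -> int:
    return rsa_sign(challenge)  # signs whatever bytes the relying party sent


def naive_verify_document(doc: bytes, sig: int) -> bool:
    return rsa_verify(doc, sig)


# --- Hardened design: domain-separated encodings so the two uses cannot be swapped ---
AUTH_TAG = b"AUTH-CHALLENGE-v1\x00"      # assumed context tag for authentication
DOC_TAG = b"DOCUMENT-SIGNATURE-v1\x00"   # assumed context tag for signed documents


def auth_sign_challenge(challenge: bytes) -> int:
    return rsa_sign(AUTH_TAG + challenge)


def doc_sign(doc: bytes) -> int:
    return rsa_sign(DOC_TAG + doc)


def doc_verify(doc: bytes, sig: int) -> bool:
    return rsa_verify(DOC_TAG + doc, sig)


def demo():
    contract = b"I agree to pay 1000 units."  # constructed "valid text" sent as a challenge
    naive_reused = naive_verify_document(contract, naive_sign_challenge(contract))
    hardened_reused = doc_verify(contract, auth_sign_challenge(contract))
    legit = doc_verify(contract, doc_sign(contract))
    return naive_reused, hardened_reused, legit  # (True, False, True)
```

Separate keys per purpose achieve the same separation; the tag approach is shown because a single token-resident key is the setting the post assumes.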