[15792] in cryptography@c2.net mail archive
Re: dual-use digital signature vulnerability
daemon@ATHENA.MIT.EDU (Sean Smith)
Sun Jul 18 21:45:31 2004
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <6.1.2.0.2.20040718074351.03db8de0@mail.comcast.net>
Cc: Amir Herzberg <herzbea@macs.biu.ac.il>, cryptography@metzdowd.com
From: Sean Smith <sws@cs.dartmouth.edu>
Date: Sun, 18 Jul 2004 12:36:21 -0400
To: Anne & Lynn Wheeler <lynn@garlic.com>
> at the NIST PKI workshop a couple months ago .... there were a number
> of infrastructure presentations where various entities in the
> infrastructure were ...signing random data as part of authentication
> protocol
I believe our paper may have been one of those that Lynn objected to.
We used the same key for client-side TLS as well as for signing a
delegation certificate. However (as we made sure to clarify in the
revised paper for the final proceedings):
In SSL and TLS, the client isn't signing random data provided by the
adversary. Rather, the client is signing a value derived from data
both the client and server provide as part of the handshake. I do not
believe it is feasible for a malicious server to choose its nonces so
that the resulting signature would coincide with a valid signature on a
delegation cert the client might have constructed.
(On the other hand, if we're wrong, I'm sure that will be pointed out
repeatedly here in the next day or two :)
--Sean
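The argument in the message above, as an added, constructed model that is not part of the thread: a client that signs a peer-supplied challenge verbatim lets the peer obtain a signature on any message of its choosing (here, a forged delegation certificate), while a client that signs a transcript digest containing its own ClientHello random forces the peer to find a SHA-256 second preimage before the same trick works. Assumptions: the signature is modelled by HMAC-SHA256 (the reuse question depends only on which bytes get signed, not on the algorithm), the TLS transcript is reduced to the two randoms plus a placeholder for the other handshake messages, and `attack_tls` bounds its search to a fixed number of server nonces. Function and variable names are this example's own.

```python
import hashlib
import hmac
import os

# --- toy signature primitive (stand-in; a real scheme would be RSA/ECDSA) ---
def sign(key: bytes, to_be_signed: bytes) -> bytes:
    """Deterministic 'signature' of to_be_signed under key."""
    return hmac.new(key, to_be_signed, hashlib.sha256).digest()

def verify(key: bytes, to_be_signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, to_be_signed), sig)

# --- the two things the same key could end up signing ---
def delegation_cert_tbs(cert_body: bytes) -> bytes:
    """Digest a relying party checks a delegation-certificate signature against."""
    return hashlib.sha256(cert_body).digest()

def tls_certificate_verify_tbs(client_random: bytes, server_random: bytes,
                               other_handshake_msgs: bytes) -> bytes:
    """Simplified TLS CertificateVerify input: a digest over the handshake
    transcript, which carries both the client's and the server's random
    (assumption: real transcripts hold whole messages, not just the randoms)."""
    return hashlib.sha256(client_random + server_random + other_handshake_msgs).digest()

# --- two client behaviours ---
def naive_client_sign(key: bytes, challenge: bytes) -> bytes:
    """Dual-use pitfall: signs whatever the peer asks it to sign."""
    return sign(key, hashlib.sha256(challenge).digest())

def tls_client_sign(key: bytes, client_random: bytes, server_random: bytes,
                    other_handshake_msgs: bytes) -> bytes:
    """TLS-style: the client only ever signs the transcript digest."""
    return sign(key, tls_certificate_verify_tbs(client_random, server_random,
                                                other_handshake_msgs))

# --- what a malicious server can achieve against each ---
def attack_naive(key: bytes, forged_cert: bytes) -> bool:
    """Server sends the forged cert body as the 'nonce' to sign.  The returned
    signature verifies as a delegation-certificate signature on that cert."""
    sig = naive_client_sign(key, forged_cert)
    return verify(key, delegation_cert_tbs(forged_cert), sig)

def attack_tls(key: bytes, forged_cert: bytes, attempts: int = 1000) -> bool:
    """Server learns client_random first, then tries many server_randoms hoping
    the transcript digest lands on the forged cert's digest.  A hit would be a
    SHA-256 second preimage, so a bounded search returns False."""
    target = delegation_cert_tbs(forged_cert)
    client_random = os.urandom(32)        # chosen by the client, not the server
    for _ in range(attempts):
        server_random = os.urandom(32)    # server's only degree of freedom here
        sig = tls_client_sign(key, client_random, server_random, b"")
        if verify(key, target, sig):
            return True
    return False

if __name__ == "__main__":
    key = os.urandom(32)                  # constructed client signing key
    cert = b"delegation: holder may act for this client until 2004-07-31"
    print("naive client reusable as delegation sig:", attack_naive(key, cert))
    print("TLS client reusable as delegation sig:  ", attack_tls(key, cert))
```

The model isolates the point made in the reply: the danger of a dual-use key is not signing per se but signing attacker-chosen bytes. Once the client's own random is bound into the signed digest, the server no longer controls the signed value, and reuse of a TLS signature as a delegation signature costs a second preimage on the hash. Separate keys per purpose, or a per-purpose context prefix in the signed data, remove even that residual dependence on hash strength.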
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com