[15796] in cryptography@c2.net mail archive
Re: dual-use digital signature vulnerability
daemon@ATHENA.MIT.EDU (Sean Smith)
Sun Jul 18 22:52:44 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <6.1.2.0.2.20040718105710.03d7ba80@mail.comcast.net>
From: Sean Smith <sws@cs.dartmouth.edu>
Date: Sun, 18 Jul 2004 22:08:25 -0400
To: cryptography@metzdowd.com
>
> it isn't sufficient that you show there is some specific
> authentication protocol with unread, random data ... that has
> countermeasures against a dual-use attack ... but you have to
> exhaustively show that the private key has never, ever signed any
> unread random data that failed to contain dual-use countermeasure
> attack.
>
Why isn't it sufficient? (Quick: when was the last time anyone on
this list authenticated by signing unread random data?)
The way the industry is going, user keypairs live in a desktop
keystore, and are used for very few applications. I'd bet the vast
majority of usages are client-side SSL, signing, and encryption.
If this de facto universal usage suite contains exactly one
authentication protocol that has a built-in countermeasure, then when
this becomes solid, we're done.
Our energy would be better spent on the real weaknesses: such as the
ease of getting desktops to just cough up the private key, or to use it
for client-side SSL without ever informing the user.
And on the real problems: such as using the standard suite to get the
trust assertions to match the way that trust really flows in the real
world.
--Sean
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
