Field slide attacks and how to avoid them.
Steven M. Bellovin
smb at research.att.com
Sun Sep 9 20:06:17 EDT 2001
In message <4.1.20010908224034.020e9bc0 at pop.ix.netcom.com>, John Kelsey writes:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>[ To: Perry's Crypto List ## Date: 09/08/01 07:35 pm ##
> Subject: Field slide attacks and how to avoid them. ]
>
>Guys,
>
>I've been noticing a lot of ways you can mess up a cryptographic
>protocol due to the "sliding around" of fields within a signed or MACed
>message. The classic example of this is the old attack on PGP
>fingerprints, which let you use some odd keysize, and thus get two
>different keys (with different keysizes) with the same hash, without
>breaking the hash function. (The raw bits of the two keys are the same,
>but the fields are broken up differently.)
>
>The natural way to resist this is to ensure that all information used to
>parse a hashed/MACed/signed message is included in the signature. But I
>was curious whether anyone knows of other standard, simple ways to deal
>with this problem?
Mike Merritt and I discussed such issues in our critique of Kerberos
(http://www.research.att.com/~smb/papers/kerblimit.usenix.ps or .pdf).
We recommended use of ASN.1 or equivalent to prevent it. I
demonstrated a variety of analogous cut-and-paste attacks in my
critique of early versions of IPsec; the fix I suggested was strong
authentication (http://www.research.att.com/~smb/papers/badesp.ps or
.pdf).
--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
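The attack Kelsey describes and the fix both posters converge on (bind the parse structure into the hashed data, whether via ASN.1 or a simpler length-prefixed encoding) can be shown in a few lines. The following is an added example, not code from either author: it models a two-field public key whose raw bits are fixed but whose field boundary can move, hashes it under naive concatenation and under a length-prefixed encoding, and parses the latter back strictly. The `RAW`, `KEY_A`, `KEY_B` and `DEMO_MAC_KEY` values are constructed for the demonstration; the encoding format (4-byte big-endian count, then 4-byte length plus bytes per field) is my own choice, not any standard's.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real MAC key would come from a key agreement.
DEMO_MAC_KEY = b"constructed-demo-key"


def naive_encode(fields):
    """Concatenate raw field bytes. The boundary between fields is lost,
    so any two splits of the same byte string hash identically."""
    return b"".join(fields)


def canonical_encode(fields):
    """Length-prefixed encoding: field count, then (length, bytes) per field.
    Every fact the parser needs is inside the bytes that get hashed/MACed."""
    out = struct.pack(">I", len(fields))
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return out


def canonical_decode(data):
    """Strict inverse of canonical_encode: rejects short, truncated or
    trailing data rather than guessing where a field ends."""
    if len(data) < 4:
        raise ValueError("short header")
    (count,) = struct.unpack(">I", data[:4])
    pos = 4
    fields = []
    for _ in range(count):
        if pos + 4 > len(data):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos:pos + n])
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes")
    return fields


def fingerprint(encoding):
    """Hash of an encoded key, standing in for a PGP-style fingerprint."""
    return hashlib.sha256(encoding).hexdigest()


def mac(encoding, key=DEMO_MAC_KEY):
    return hmac.new(key, encoding, hashlib.sha256).digest()


def mac_verify(encoding, tag, key=DEMO_MAC_KEY):
    return hmac.compare_digest(mac(encoding, key), tag)


# Constructed key material: the same 16 raw bytes, read as (modulus, exponent)
# with two different boundaries, i.e. two keys of different "keysize".
RAW = bytes(range(1, 17))
KEY_A = [RAW[:12], RAW[12:]]   # 12-byte modulus, 4-byte exponent
KEY_B = [RAW[:10], RAW[10:]]   # 10-byte modulus, 6-byte exponent


def slide_demo():
    """Returns (naive_collides, canonical_collides) for KEY_A vs KEY_B."""
    naive_same = fingerprint(naive_encode(KEY_A)) == fingerprint(naive_encode(KEY_B))
    canon_same = fingerprint(canonical_encode(KEY_A)) == fingerprint(canonical_encode(KEY_B))
    return naive_same, canon_same


def mac_slide_demo():
    """A tag computed over KEY_A's naive encoding verifies for KEY_B too;
    over the canonical encoding it does not."""
    tag_naive = mac(naive_encode(KEY_A))
    tag_canon = mac(canonical_encode(KEY_A))
    return (mac_verify(naive_encode(KEY_B), tag_naive),
            mac_verify(canonical_encode(KEY_B), tag_canon))


if __name__ == "__main__":
    print("fingerprint collision (naive, canonical):", slide_demo())
    print("MAC accepts slid key (naive, canonical):", mac_slide_demo())
```

The decoder's strictness is part of the defence: a lenient parser that tolerated trailing bytes or inferred a missing length would reintroduce exactly the ambiguity the length prefixes were meant to remove.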