Field slide attacks and how to avoid them.

Ben Laurie ben at algroup.co.uk
Sun Sep 9 08:03:02 EDT 2001


John Kelsey wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> [ To: Perry's Crypto List ## Date: 09/08/01 07:35 pm ##
>   Subject: Field slide attacks and how to avoid them. ]
> 
> Guys,
> 
> I've been noticing a lot of ways you can mess up a cryptographic
> protocol due to the "sliding around" of fields within a signed or MACed
> message.  The classic example of this is the old attack on PGP
> fingerprints, which let you use some odd keysize, and thus get two
> different keys (with different keysizes) with the same hash, without
> breaking the hash function.  (The raw bits of the two keys are the same,
> but the fields are broken up differently.)
> 
> The natural way to resist this is to ensure that all information used to
> parse a hashed/MACed/signed message is included in the signature.  But I
> was curious whether anyone knows of other standard, simple ways to deal
> with this problem?

ASN.1/DER. Note that I am not advocating it, merely pointing out that it
is a standard (if not entirely simple) way to deal with the problem.

> d.  Encode the fields first, in such a way that there is a single
> unambiguous field separator between fields.  For example, use the simple
> encoding rule that anytime three bytes of successive 0x00s are encoded,
> we always insert a 0x01 byte next.  Use four successive 0x00 bytes as
> the field separator.   The decoding rules work just the opposite:
> Whenever we run into 0x00,0x00,0x00, if the next byte is 0x00, we've hit
> a field separator; if it's a 0x01, we discard the 0x01 and continue
> decoding.

It's more efficient to insert the 0x01 (in the 4th position) only if
there is a run of 4 0x00, or 0x00,0x00,0x00,0x01.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
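
An added illustration, not part of either poster's message: the field slide on a MACed message, and the defence of putting all parsing information inside the MACed bytes. Length-prefixed framing is an assumed choice of how to do that; the key, field values and function names are constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the post


def naive_encode(fields):
    """Ambiguous: field boundaries are not part of the MACed bytes."""
    return b"".join(fields)


def framed_encode(fields):
    """Field count, then each field as a 4-byte big-endian length plus data."""
    parts = [len(fields).to_bytes(4, "big")]
    parts += [len(f).to_bytes(4, "big") + f for f in fields]
    return b"".join(parts)


def framed_decode(blob):
    """Strict inverse of framed_encode; rejects truncated or trailing bytes."""
    def u32(pos):
        if len(blob) - pos < 4:
            raise ValueError("truncated length")
        return int.from_bytes(blob[pos:pos + 4], "big"), pos + 4
    count, pos = u32(0)
    fields = []
    for _ in range(count):
        n, pos = u32(pos)
        if len(blob) - pos < n:
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return fields


def tag(encoded):
    # HMAC-SHA256 over exactly the bytes the verifier will later parse.
    return hmac.new(KEY, encoded, hashlib.sha256).hexdigest()


# Constructed sample: same raw bytes, different field boundaries.
MSG_A = [b"alice", b"bob", b"100"]
MSG_B = [b"alic", b"ebob1", b"00"]

if __name__ == "__main__":
    print("naive tags equal: ", tag(naive_encode(MSG_A)) == tag(naive_encode(MSG_B)))
    print("framed tags equal:", tag(framed_encode(MSG_A)) == tag(framed_encode(MSG_B)))
```

The strict decoder matters as much as the encoder: accepting trailing or truncated input would reintroduce a second way to parse the same authenticated bytes.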


