dual-use digital signature vulnerability
Sean Smith
sws at cs.dartmouth.edu
Sun Jul 18 12:36:21 EDT 2004
> at the NIST PKI workshop a couple months ago .... there were a number
> of infrastructure presentations where various entities in the
> infrastructure were ...signing random data as part of authentication
> protocol
I believe our paper may have been one of those that Lynn objected to.
We used the same key for client-side TLS as well as for signing a
delegation certificate. However (as we made sure to clarify in the
revised paper for the final proceedings):
In SSL and TLS, the client isn't signing random data provided by the
adversary. Rather, the client is signing a value derived from data
both the client and server provide as part of the handshake. I do not
believe it is feasible for a malicious server to choose its nonces so
that the resulting signature would coincide with a valid signature on a
delegation cert the client might have constructed.
(On the other hand, if we're wrong, I'm sure that will be pointed out
repeatedly here in the next day or two :)
--Sean
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
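The exchange above turns on two points: a signing primitive that signs a caller-supplied digest cannot tell which protocol produced that digest, and in TLS client authentication the digest is a transcript hash over material both peers contributed, so a malicious server cannot simply hand the client a value of its choosing. The following Go program is an added example written for this thread; it is not code from the paper Sean Smith mentions, from Lynn's presentation, or from any TLS implementation. The transcript digest is a deliberately simplified stand-in (real TLS hashes the whole handshake), the field strings, context labels, certificate body and randoms are constructed for the example, and the label-binding mitigation is one standard approach to key separation, not something the thread prescribes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Context labels used for domain separation. These strings are assumptions
// made for this example, not identifiers from the thread or from TLS.
const (
	LabelTLSClientAuth = "example/tls-client-auth"
	LabelDelegation    = "example/delegation-cert"
)

// TLSDigest stands in for the value a TLS client signs during client
// authentication: a hash over handshake material contributed by both sides.
// The client commits its random before it sees the server's, so the server
// can at best choose its own contribution, not the final hash.
func TLSDigest(clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write([]byte("client_random="))
	h.Write(clientRandom)
	h.Write([]byte("server_random="))
	h.Write(serverRandom)
	return h.Sum(nil)
}

// DelegationDigest is the value signed over a delegation certificate body.
func DelegationDigest(certBody []byte) []byte {
	d := sha256.Sum256(certBody)
	return d[:]
}

// SignDigestRaw is the dual-use primitive at issue: RSA PKCS#1 v1.5 over a
// caller-supplied SHA-256 digest. It has no notion of which protocol
// produced the digest, which is why sharing one key across protocols
// deserves scrutiny at all.
func SignDigestRaw(priv *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// VerifyDigestRaw checks a raw digest signature.
func VerifyDigestRaw(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// SignatureCrossesContexts reports whether a signature produced in the TLS
// handshake is also accepted as a delegation-certificate signature over
// certBody. With raw digest signing this happens exactly when the two
// digests coincide, i.e. when a server managed to steer the transcript hash
// onto the digest of a certificate body: a second preimage on SHA-256,
// which is the infeasibility the post relies on.
func SignatureCrossesContexts(pub *rsa.PublicKey, tlsSig, certBody []byte) bool {
	return VerifyDigestRaw(pub, DelegationDigest(certBody), tlsSig)
}

// ContextDigest is the mitigation for a key that must serve two protocols:
// bind a context label into the signed value. A signature then verifies
// only under the label it was produced with, even if the underlying
// digests were somehow made equal. (Separate keys per protocol is the
// simpler alternative and needs no code.)
func ContextDigest(label string, digest []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(label))}) // length prefix keeps labels unambiguous
	h.Write([]byte(label))
	h.Write(digest)
	return h.Sum(nil)
}

// SignInContext and VerifyInContext wrap the raw primitive with a label.
func SignInContext(priv *rsa.PrivateKey, label string, digest []byte) ([]byte, error) {
	return SignDigestRaw(priv, ContextDigest(label, digest))
}

func VerifyInContext(pub *rsa.PublicKey, label string, digest, sig []byte) bool {
	return VerifyDigestRaw(pub, ContextDigest(label, digest), sig)
}

// Demo runs the three cases with constructed inputs and returns
// (crossesHonest, crossesRawSharedDigest, crossesLabelled):
//   - an honest TLS signature does not verify as a delegation signature
//     because the digests differ;
//   - if the digests were identical, the raw primitive would accept the
//     signature in either context (the dual-use risk made concrete);
//   - with context labels it is rejected even for identical digests.
func Demo() (bool, bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	pub := &priv.PublicKey
	clientRandom := []byte("constructed-client-random-0001")
	serverRandom := []byte("constructed-server-random-0001")
	certBody := []byte("constructed delegation cert: delegate=bob, expires=2004-07-19")

	tlsSig, err := SignDigestRaw(priv, TLSDigest(clientRandom, serverRandom))
	if err != nil {
		return false, false, false, err
	}
	crossesHonest := SignatureCrossesContexts(pub, tlsSig, certBody)

	shared := DelegationDigest(certBody) // worst case: same digest in both protocols
	rawSig, err := SignDigestRaw(priv, shared)
	if err != nil {
		return false, false, false, err
	}
	crossesRawShared := VerifyDigestRaw(pub, shared, rawSig)

	labelledSig, err := SignInContext(priv, LabelTLSClientAuth, shared)
	if err != nil {
		return false, false, false, err
	}
	crossesLabelled := VerifyInContext(pub, LabelDelegation, shared, labelledSig)
	return crossesHonest, crossesRawShared, crossesLabelled, nil
}

func main() {
	honest, rawShared, labelled, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest TLS signature accepted as delegation signature: %v\n", honest)
	fmt.Printf("raw signature over a shared digest accepted in other context: %v\n", rawShared)
	fmt.Printf("labelled signature accepted under other label: %v\n", labelled)
}
```

The middle case is the one a reviewer of a dual-use key design should keep in mind: the raw primitive offers no protection on its own, so the argument for safety rests entirely on the two protocols never producing the same signed value. Labels (or distinct keys) remove that dependency.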