dual-use digital signature vulnerability
Sean Smith
sws at cs.dartmouth.edu
Sun Jul 18 22:08:25 EDT 2004
>
> it isn't sufficient that you show there is some specific
> authentication protocol with unread, random data ... that has
> countermeasures against a dual-use attack ... but you have to
> exhaustively show that the private key has never, ever signed any
> unread random data that failed to contain dual-use countermeasure
> attack.
>
Why isn't it sufficient? (Quick: when was the last time anyone on
this list authenticated by signing unread random data?)

The way the industry is going, user keypairs live in a desktop
keystore, and are used for very few applications. I'd bet the vast
majority of usages are client-side SSL, signing, and encryption.

If this de facto universal usage suite contains exactly one
authentication protocol that has a built-in countermeasure, then when
this becomes solid, we're done.

Our energy would be better spent on the real weaknesses: such as the
ease of getting desktops to just cough up the private key, or to use it
for client-side SSL without ever informing the user.

And on the real problems: such as using the standard suite to get the
trust assertions to match the way that trust really flows in the real
world.
--Sean
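The "dual-use attack" and the "built-in countermeasure" that the thread argues about, shown as runnable code. This is an added illustration, not code from Sean Smith's message or from any protocol named on the list. It assumes a toy textbook RSA (512-bit, no padding, stdlib only) standing in for whatever real signature primitive the desktop keystore uses; the attack itself does not depend on the algorithm. The protocol label `client-auth-v1`, the `CONTRACT` bytes and the challenge handling are all constructed for the example.

```python
"""Dual-use signature demo: one keypair both signs documents and answers
challenge/response authentication.

Toy textbook RSA (no padding) is used only so the example runs on the
Python stdlib; the point is *what* gets signed, not how.
"""
import hashlib
import secrets

E = 65537
# Hypothetical protocol label used for domain separation (not a real one).
AUTH_DOMAIN = b"client-auth-v1\x00"
# Constructed sample document an attacker would like the victim to sign.
CONTRACT = b"I, the key holder, agree to transfer 10,000 EUR to account 4711."


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for a toy key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def gen_key(bits=512):
    """Return ((n, e), (n, d)); n > 2**256 so a SHA-256 digest fits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, E), (p * q, pow(E, -1, phi))


def rsa_sign_digest(priv, digest):
    """Textbook RSA over a 32-byte digest: s = m^d mod n (toy, unpadded)."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify_digest(pub, digest, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


# --- Application 1: document signing (hash-then-sign) -------------------
def sign_document(priv, doc):
    return rsa_sign_digest(priv, hashlib.sha256(doc).digest())


def verify_document(pub, doc, sig):
    return rsa_verify_digest(pub, hashlib.sha256(doc).digest(), sig)


# --- Application 2a: naive auth, client signs 32 unread "random" bytes ---
def naive_auth_response(priv, challenge):
    return rsa_sign_digest(priv, challenge)  # challenge signed as-is


def naive_auth_check(pub, challenge, sig):
    return rsa_verify_digest(pub, challenge, sig)


# --- Application 2b: auth with a built-in dual-use countermeasure --------
def hardened_auth_response(priv, challenge):
    # Domain label + client nonce: the signed digest can never equal the
    # SHA-256 of a document the attacker chose in advance.
    nonce = secrets.token_bytes(16)
    digest = hashlib.sha256(AUTH_DOMAIN + nonce + challenge).digest()
    return nonce, rsa_sign_digest(priv, digest)


def hardened_auth_check(pub, challenge, nonce, sig):
    digest = hashlib.sha256(AUTH_DOMAIN + nonce + challenge).digest()
    return rsa_verify_digest(pub, digest, sig)


# --- The dual-use attack: a malicious server sends H(contract) as the
# "random challenge"; the victim cannot tell it from random bytes. -----
def attack_naive(pub, priv, contract):
    sig = naive_auth_response(priv, hashlib.sha256(contract).digest())
    return verify_document(pub, contract, sig)  # True: contract is signed


def attack_hardened(pub, priv, contract):
    _, sig = hardened_auth_response(priv, hashlib.sha256(contract).digest())
    return verify_document(pub, contract, sig)  # False: signature is auth-only


def demo():
    pub, priv = gen_key(512)
    chal = secrets.token_bytes(32)
    nonce, hsig = hardened_auth_response(priv, chal)
    return {
        "naive_auth_ok": naive_auth_check(pub, chal, naive_auth_response(priv, chal)),
        "hardened_auth_ok": hardened_auth_check(pub, chal, nonce, hsig),
        "naive_forged_contract": attack_naive(pub, priv, CONTRACT),
        "hardened_forged_contract": attack_hardened(pub, priv, CONTRACT),
    }


if __name__ == "__main__":
    print(demo())
```

Both authentication variants work for their honest purpose; only the naive one lets an attacker acting as the server turn a login into a valid signature over a document of their choosing. This is also why the thread's stricter demand ("never, ever signed any unread data without the countermeasure") is hard to meet retroactively: one legacy protocol that signs raw challenges is enough, whatever the other protocols do.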
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com