dual-use digital signature vulnerability

Anne & Lynn Wheeler lynn at garlic.com
Thu Jul 22 10:34:25 EDT 2004 

At 05:37 AM 7/22/2004, Amir Herzberg wrote:
>Most (secure) signature schemes actually include the randomization as part 
>of their process, so adding nonces to the text before signing is not 
>necessary. OTOH, I don't see any problem in defining between the parties 
>(in the `meta-contract` defining their use of public key signatures) that 
>the signed documents are structured with a random field before and after 
>the `actual contract`, as long as the fields are well defined.


there has been some claim that large random nonces as part of message ... 
before hashing and signing is characteristic of RSA signatures. one of the 
issues with DSA and hardware tokens in the 90s was that none of the 
hardware tokens had reliable random generators. If you were doing DSA (or 
ECDSA) infrastructure ... then integrity was dependent on quality random 
generator as part of the signature process (to preserve the integrity of 
the private key). In some sense, large random nonces (as part of the 
content to be signed) was shifted to the party(s) generating the message as 
part of the RSA process. In theory, DSA/ECDSA eliminates that requirement 
... especially as you move in to the late 90s where hardware tokens started 
to appear that had quality random generators.

protocols have had severs contributing unique values in signed messages 
.... in things like authentication protocol .... as countermeasure to 
replay attacks (on the server).

protocols have had clients contributing some values in signed messages ... 
in an authentication protocol ... as countermeasure of server attacks on 
clients. It isn't necessary that the client contributed part has to bracket 
both the start and end of the message .... in a digital signature 
environment ... since the digital signature protects the whole message 
integrity. The client contributed part could be simple readable text 
disclaimer ... comparable to some disclaimers you see at the bottom of 
emails (especially from lawyers, doctors, and/or people that work for such 
firms .... you even see it in various mailing lists by people that work for 
the big accounting firms).

sometimes the recommendations are that both server and client contribute 
something unique to the signed message ... as generic countermeasures ... 
regardless of whether the situation is actually vulnerable to the 
associated attacks. In general, where the server incurs some expense and/or 
liability associated with every message ... the server (or relying-party) 
is probably interested in countermeasures against replay attacks.

one of the requirements given x9a10 working group (for the x9.59 protocol) 
... was to be able to perform the operation in a single round-trip .... w/o 
any sort of protocol chatter. this is comparable to existing electronic 
payment business process. the countermeasure that the infrastructure uses 
for replay attacks is to have the transactions time-stamped and log is 
kept. transactions with time-stamps that predate the log cut-off are deemed 
invalid. In the x9.59 transaction scenario ... the signing entity (in 
theory) specifically approved every transactions and used ecdsa signature. 
the ecdsa signature would preserve the integrity of the transaction. the 
time-stamp in the transaction would indicate whether it was within the 
current active log window of the payment processor, and the randomness of 
the ecdsa signature would provide uniqueness (two transactions that were 
otherwise identical (in amount, time, etc) would be unique if they had 
different ecdsa signatures (effectively provided by the definition of dsa & 
ecdsa).

the addition of ecdsa signature to existing payment transaction .... 
exactly preserved all the existing business processes and flows ... 
including the requirement that the client can originate the transaction and 
the message flow could complete in a single round-trip.

the addition of the ecdsa signature added
a) integrity of the transaction message,
b) authenticated the origin, and
c) provided transaction uniqueness.

no (public key) certificate was required since the transaction was being 
processed by the relying-party (which in the SET model was also the 
relying-party, had the public key on file, had the original of all the 
information that went into a SET relying-party-only certificate, and the 
only function that the SET relying-party-only certificate was to repeatedly 
travel from the client to the relying party increasing the payload and the 
bandwidth requirements by a factor of one hundred times, carrying static, 
trivial subset of information to the relying party ... which the relying 
party already had ... making it redundant and superfluous ... other than 
contributing enormous payload bloat).

there was one additional thing that was specified in x9.59 standard .... 
that account numbers used in x9.59 transactions could not be used in 
non-authenticated transactions (not that all the payment processors already 
supported feature/function of mapping multiple account numbers to the same 
account). the issue was that it was recognized that regardless of the 
crypto facilities used to protect the account number in flight, there were 
scores of business processes that required the account number to appear in 
the clear.

In the existing infrastructure that are huge numbers of unauthenticated 
transactions that can be performed with the account number ... which 
effectively turns the account number into an enormous shared-secret .... 
requiring enormous amounts of protection for the shared-secret. however, 
with all the enormous numbers of places that the clear-text account number 
is used ... it is not possible to also preserve the account number as a 
shared-secret. minor past note about security proportional to risk
<http://www.garlic.com/~lynn/2001h.html#61>http://www.garlic.com/~lynn/2001h.html#61 


so the x9.59 approach was to eliminate "shared-secret" as a business 
characteristic of the account numbers used in x9.59 transactions. if an 
account number used in an (digitally signed) x9.59 transaction ... can only 
be used in x9.59 (digitally signed) transactions .... it no longer carries 
with it the "shared-secret" characteristic (since simple knowledge of the 
account number is insufficient to impersonate and/or perform fraudulent 
transactions).  So if the insiders at a merchant processing end-point (or 
an external outsider that is harvesting merchant processing transaction 
files) is unable to "steal" the account number and use it fraudulently ... 
it no longer has to be protected as a shared-secret.

The end-point static harvesting of transaction files has been the major 
vulnerability for a long time. They have tended to be in the clear because 
of the large number of business processes that require access to the 
transactions. Neither SET nor SSL provided any countermeasures for this 
(the major) vulnerability/exploit.

X9.59 did eliminate this as a vulnerability ... since stealing the 
transaction file and harvesting the account numbers .... would not provide 
the crook any mechanism to impersonate and/or perform a fraudulent 
transaction. It turns out the secondary effect was that it was no longer 
necessary to hide the account number while in flight either (in order to 
preserve an account number as a shared-secret). digitally signing the 
transaction both preserved the integrity of the transaction as well as 
authenticating the origin of the transaction. This then eliminated the 
requirement to hide the account number as a countermeasure against the 
account number being exposed (and comprimising its shared-secret 
characteristic).

The issue with SET was that it was horribly more complex and expensive and 
provided no fundamental additional protection/countermeasure than existing 
SSL (with respect to reducing existing vulnerabilities and fraud).  This 
was somewhat orthogonal to the problem with the horribly additional expense 
not being born by the primary benefiting parties.

X9.59 is an enormously simpler and less expensive protocol than either SET 
or SSL ... and turns out to address (in a business way) the major exploits 
and vulnerabilities in the existing infrastructure ... the basic 
characteristic that the account number is effectively a shared-secret 
(which neither SET nor SSL addresses). Furthermore, with the elimination of 
the shared-secret attribute for account numbers .... then it is no longer 
necessary to encrypt the transmissions (for purposes of preserving the 
account number secrecy).

--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list