PlayStation 3 predicts next US president

Mon Dec 3 06:20:26 EST 2007

On Dec 2, 2007, at 3:09 AM, William Allen Simpson wrote:

> There are no circumstances in which any reputable certifier will ever
> certify any of the "multitude" containing a hidden pdf image,  
> especially
> where generated by another party.

It is getting fairly common for notaries in for example the  
Netherlands to timestamp or otherwise attest that an (asset with) hash  
(e.g. MD5 an) was presented to them by a person or company with such  
and such credentials.

E.g. NotarSign (diginotarl.nl) its email service will attest such in  
an automated fashion.

Essentially what you are getting is a notarized statement containing  
the credentials as presented, the hash, a timestamp and a notarized  
(backed with an Appostille of the Hague if to be used internationally)  
declaration that such was presented.

Note presentation of the asset is quite optional in this process. And  
for practical reasons it is quite common now in certain trade- 
environments to _not_ sent the actual document to NotarSign but just  
the statement with an MD5* and a https URL to the Purchase Order  
(where the biz. partner needs his x509 or a physical RSA token to pick  
it up) - to be forwarded to the trading partners.

THIS is what makes this "tongue in cheek" example 'somewhat' relevant  
for day to day workflows for those who are still using MD5s.  
'Somewhat' - as ultimately in this example it is hard to argue  
entirely accidental tampering. However - in some biz. sealed-bid  
processes the damage is done by that time.

> The attack requires the certifier to be compromised, either to certify
> documents that the certifier did not generate, or to include the  
> chosen
> text (hidden image) in its documents in exactly the correct location.
>
> While there are plenty of chosen text attacks in cryptography, this  
> one
> is highly impractical.  The image is hidden.  It will not appear,  
> and thus
> would not be accidentally copied by somebody (cut-and-paste).

Keep in mind that the notary is still 'careful' -- effectively they  
sign the hash -- rather than the document; and state either such (e.g.  
in the case of some software/code where you do not hand over the  
actual code) or state that _a_ document was presented with said hash.

The _assumption_ that there is a 1:1 mapping is one left to the  
reader. Compare it to the passport/personalia -- the statement of fact  
usually says that a person appeared in front of the notary which  
presented... rather than Mr X submitted himself to...

Dw.

*) The above example falls somewhat apart as the current message  
contains
    an 'at&t 'sum', md5, SHA-256, SHA-512 and the length - and almost  
all
    ERP systems check all but the AT&T checksum.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com