[Cryptography] Langsec & authentication
Stephan Neuhaus
stephan.neuhaus at tik.ee.ethz.ch
Tue May 27 15:08:35 EDT 2014
On 2014-05-27, 20:20, Judson Lester wrote:
> But this document:
> FOO=value1
> FOO=value2
>
> has the same outcome in the exchange as
> FOO=value2
>
> But they authenticate differently.
Even worse, the document

  FOO=value1

might authenticate differently from the document

  FOO=value1

if any characters used to represent the first line used UTF-8
non-shortest-form encodings and the second one didn't. (I don't know
how to make this happen in Thunderbird, so this is an example only, OK?)
And this even though both represent the same document!

I think you should treat data to be authenticated as a binary blob. In
other words, you should authenticate a particular representation of your
data. If you want to authenticate "what you mean" instead of "what you
say", you will never get anywhere. Or rather, you will get somewhere,
but it might not be where you want to be.

I'm thinking of XML signatures here, they tried the same thing and
failed horribly.

Fun,
Stephan
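
The two cases discussed in this message (duplicate keys, and a non-shortest-form UTF-8 byte sequence), worked through as an added example that is not part of the original post: a MAC is computed over the exact bytes and checked before any parsing. The key, the last-one-wins parser and the lax decoder `lenient_decode` are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"            # constructed sample key
DUP = b"FOO=value1\nFOO=value2\n"        # constructed: the quoted two-line document
SINGLE = b"FOO=value2\n"                 # constructed: same outcome after parsing
SHORTEST = b"FOO=value1\n"               # shortest-form UTF-8
OVERLONG = b"\xc1\x86OO=value1\n"        # 'F' (U+0046) as a non-shortest 2-byte form

def tag(blob: bytes) -> bytes:
    """MAC over the exact bytes received, with no normalization step."""
    return hmac.new(KEY, blob, hashlib.sha256).digest()

def parse(blob: bytes) -> dict:
    """Assumed last-one-wins KEY=value parser; strict UTF-8 rejects overlong forms."""
    fields = {}
    for line in blob.decode("utf-8").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields

def verify_then_parse(blob: bytes, mac: bytes) -> dict:
    """Check the MAC on the blob first; only then interpret it."""
    if not hmac.compare_digest(tag(blob), mac):
        raise ValueError("MAC does not match these bytes")
    return parse(blob)

def lenient_decode(blob: bytes) -> str:
    """Hypothetical lax decoder that accepts 2-byte forms without an overlong check."""
    out, i = [], 0
    while i < len(blob):
        if 0xC0 <= blob[i] <= 0xDF and i + 1 < len(blob):
            out.append(chr(((blob[i] & 0x1F) << 6) | (blob[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(blob[i]))
            i += 1
    return "".join(out)

if __name__ == "__main__":
    # Same meaning, different tags, in both cases.
    print(parse(DUP) == parse(SINGLE), tag(DUP) == tag(SINGLE))
    print(lenient_decode(OVERLONG) == SHORTEST.decode(), tag(OVERLONG) == tag(SHORTEST))
```

Python's built-in UTF-8 decoder is strict, so `parse(OVERLONG)` raises `UnicodeDecodeError` even when the MAC over those bytes verifies.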