[Cryptography] Attaching the signing public key to data being signed

Natanael natanael.l at gmail.com
Tue Feb 28 17:52:46 EST 2017


On 28 Feb 2017 22:32, "Ron Garret" <ron at flownet.com> wrote:

One of the things you have to decide when designing a signature protocol is
exactly what is to be signed.  Simply signing a raw document is a bad idea
because that leaves you vulnerable to chimera/Dali attacks
(https://pdfs.semanticscholar.org/7a3a/8a1342d40e0585342fd36f938d01c82b75c7.pdf).
At the very least you need to integrate the
mime-type (or something equivalent) and maybe even the file name into the
data being signed.

My question is: would it help to also integrate the public key being used
to produce the signature into the data being signed?  Are there any attacks
that this would help prevent?  Has this construction been studied?  Can
anyone point me to a paper?


Don't have the papers right now, but at least in some cases with RSA you
can take an existing message and signature pair, and construct a matching
keypair (different from the original signing key) for which it still
validates.

Attack scenario: Somebody thought a stand-alone signature was as good as a
secure hash in every way.

Based on this, the adversary takes a trusted message (previously validated,
key data discarded...? CT logged signature...?), generates a matching
keypair, and then lies about which signing keypair was used, allowing him
to spoof that message signer by using another keypair which he also can use
to sign other messages.

Definitely a very unlikely attack. Still possible, though.

Note that instead of including the full public key you really just need to
include some pointer / address / identifier for the key that allows you to
look it up and confirm it. Anything unambiguous.

Related previous comment of mine:
https://www.ietf.org/mail-archive/web/cfrg/current/msg08958.html
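
Added example, not part of the original message: a sketch of the binding discussed in this thread, where the signed bytes carry a key identifier and the mime-type alongside the message, and the verifier checks the identifier against the key it was told to use. The envelope layout, function names and the toy textbook-RSA keys (built from Mersenne primes, no padding) are assumptions made for illustration; the `raw` parameter exists so a test can stand in for a second key that satisfies the bare signature equation.

```python
import hashlib

def key_id(pub):
    """Fingerprint of an (n, e) public key; any unambiguous identifier works."""
    n, e = pub
    return hashlib.sha256(f"rsa:{n:x}:{e:x}".encode()).digest()

def tbs(kid, mime, body):
    """To-be-signed bytes: length-prefixed fields so boundaries cannot shift."""
    out = b"sig-v1"
    for field in (kid, mime.encode(), body):
        out += len(field).to_bytes(8, "big") + field
    return out

def digest_int(data, n):
    # Toy hash-to-integer for textbook RSA; real code uses a vetted library.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def raw_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def sign(priv, pub, mime, body):
    n, d = priv
    kid = key_id(pub)
    return {"kid": kid, "mime": mime, "body": body,
            "sig": pow(digest_int(tbs(kid, mime, body), n), d, n)}

def verify(env, claimed_pub, raw=raw_verify):
    """Return (ok, reason). The key binding is checked before the signature."""
    if env["kid"] != key_id(claimed_pub):
        return False, "key id in signed data does not match claimed key"
    data = tbs(env["kid"], env["mime"], env["body"])
    if not raw(claimed_pub, data, env["sig"]):
        return False, "bad signature"
    return True, "ok"

def make_key(p, q, e=65537):
    # Constructed toy keys: far too small for real use.
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

PUB_A, PRIV_A = make_key(2**127 - 1, 2**89 - 1)
PUB_B, _ = make_key(2**61 - 1, 2**107 - 1)
ENV = sign(PRIV_A, PUB_A, "text/plain", b"constructed sample message")
```

Calling `verify(ENV, PUB_B, raw=lambda *a: True)` models a substituted key that passes the bare RSA check; the envelope is still rejected because the identifier inside the signed data names the original key.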