Bogus digital signatures, Re: OT: utility account transfer frauds

Nicholas Bohm nbohm at ernest.net
Sat, 12 Oct 2002 11:23:15 +0100 

At 17:27 11/10/2002 +0100, Charles Lindsey wrote:
>         On Fri, 11 Oct 2002 01:11:23 +0100
>         Matthew Astley <lists-ukcrypto@fruitcake.demon.co.uk> said...
>
> >
> > On Thu, Oct 10, 2002 at 10:23:49PM +0100, Peter Tomlinson wrote:
> > > David Howe wrote:
> >
> > > > I am just waiting for this to fail, and fail badly in court. the
> > > > obvious defense is to prove (by example) that two documents, with
> > > > different content, can have the same digital signature
> >
> > I'm told that someone suggested distributed.net should look for an
> > instance of a collision on MD5, by collecting values that when hashed
> > repeatedly give a result which has the top 32 bits clear.
>
>Yes, but finding a random collision is of no help in the problem we are
>discussing. All you will be able to exhibit is two streams of random
>bits which have the same hash. So what?
>
>Now if you can produce two English texts that have the same hash, then
>that might be something.
>
>But even that is not enough. We started out where the "victim" has
>signed some text, presumably a text that was meaningful to him,
>otherwise why should he sign it?
>
>Now the bad guy comes along, and he has to find some other meaningful
>text that hashes to the same as the original. Worse than that, he
>has to find some text whose meaning is such as to be useful in
>embarassing/blackmailing/whatever the victim. That is a hard problem,
>and the birthday paradox gives you no help at all.
>
>In our scenario, the victim is trying to repudiate some incriminating
>text that he has allegedly signed. So he has to persuade the Court that
>some Bad Guy has solved the problem I described above, starting with
>some other innocent text previously signed by the victim.
>
>The Court is not likely to be convinced by being shown two random bit
>strings with the same hash. The Court might be impressed with two
>English texts with the same hash, but even then a competent expert
>witness should be able to explain why that is irrelevant to the
>particular circumstance.
> >
> > It's all pointless anyway, because the real question is "how much do
> > you need to pay the cleaner, in order to get access to steal the
> > private key?".
>
>Or, in this case, the victim has only to convince the court that he did
>not keep his key particularly secure, and that the Bad Guy must have
>sneaked in and snitched it.
>
>Which seems to me like a good argument why the law should assume that
>anyone who does not keep his key secure should be made to abide by the
>content of anything signed with it.

This is about as attractive as the suggestion that anything taken from my 
house using a door key that I carelessly lost should be treated as taken 
with my consent.

Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone   01279 871272    (+44 1279 871272)
Fax     01279 870215    (+44 1279 870215)
Mobile  07715 419728 (+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF