Bogus digital signatures, Re: OT: utility account transfer frauds

John R T Brazier prunesquallor at proproco.co.uk
Sat, 12 Oct 2002 18:57:20 +0100


John burbled:
>> The convention is that you produce your two texts (one for the punter to
>> sign, the other incriminating), and then play with the white space. You
>> swap spaces for tabs, and so forth. You can also append extra spaces, add
>> and then cancel out format markers, etc. A decent program should be able
>> to generate very large numbers of, say, Word documents that are apparently
>> identical but have different internal bit patterns (especially if you've
>> got 'Track Changes' on, so that deleted material is still actually
>> retained in the file). You can rapidly approach the position where you
>> have some text with the random bit streams invisibly mixed in. At this
>> point the birthday 'paradox' returns to give you aid.

Charles accurately stated:
> You still have to generate, on average, 2^64 versions of the document.
> And at the end, an expert witness who draws attention to the _very_
> peculiar contents of the 'Track Changes' part of the Word document could
> undo all your good work.

I didn't say it was easy, I was just pointing out that the birthday 'paradox'
does help you. As to weirdness of track changes content, by the time a
document has been through four or five revisions by half a dozen people it
looks like a complete mess anyway when the changes are displayed - every
backspace, deletion and so forth is marked, and in Word 2000 it looks a
total wreck (XP is tidier) [see note]. Lastly, you would write your forgery
program in a sophisticated manner to make possible changes look realistic -
if you have access to technology that let you break MD5 or SHA, this bit of
programming would be trivial!

...and followed up with:
> I also noticed today, when checking something else in the PGP format,
> that the signature does NOT contain the MD5 hash in the clear (just the
> first two bytes of it). The first two bytes are worth 2^16, but that
> still means that you have to perform 2^48 full RSA decodings before you
> find your match.

But no attacker would do it that way. He'd get an excuse to get the punter
to sign the hash of an innocuous message (probably involving some financial
benefit to said punter) on which he'd precalculated the matching digest for
the incriminating message. Assuming, of course, he could actually generate
the two messages.

TTFN

John B

[note] I actually love Word's Track Changes and Comments features. People
always forget to delete them (they turn the view off, but don't remove the
information). Many a time I have been privy to people's thoughts when they
send me a document ...

JB
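
The whitespace technique and the birthday bound discussed in this thread, as an added example that is not part of the original message: it matches space/tab variants of two texts against a digest deliberately cut down to 24 bits so the search finishes in seconds. The sample texts, the truncated SHA-256 stand-in and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import islice

# Constructed sample texts (not from the thread).
BENIGN = ("I agree to receive a refund of ten pounds from the utility "
          "company for the billing error on my account last month")
OTHER = ("I agree to transfer my utility account and all future payments "
         "to the new supplier named below with immediate effect from today")

def digest(doc: str, bits: int) -> int:
    """Top `bits` bits of SHA-256: a toy stand-in for a short hash."""
    full = int.from_bytes(hashlib.sha256(doc.encode()).digest(), "big")
    return full >> (256 - bits)

def variants(text: str):
    """Yield copies of `text` where each word gap is a space or a tab."""
    words = text.split(" ")
    gaps = len(words) - 1
    for n in range(1 << gaps):
        out = [words[0]]
        for j in range(gaps):
            out.append("\t" if (n >> j) & 1 else " ")
            out.append(words[j + 1])
        yield "".join(out)

def find_pair(benign: str, other: str, bits: int):
    """Birthday search: table about 2^(bits/2) benign variants, then probe."""
    table_size = 1 << (bits // 2 + 2)
    table = {digest(v, bits): v for v in islice(variants(benign), table_size)}
    for tried, v in enumerate(variants(other), 1):
        hit = table.get(digest(v, bits))
        if hit is not None:
            return hit, v, tried
    return None

def canonical(doc: str) -> str:
    """Collapse whitespace runs; signing this form removes the free bits."""
    return " ".join(doc.split())

if __name__ == "__main__":
    a, b, tried = find_pair(BENIGN, OTHER, 24)
    print(f"24-bit digests match after {tried} probes: {digest(a, 24):06x}")
    print("canonical forms match:", canonical(a) == canonical(b))
```

The work scales as 2^(bits/2), which for a 128-bit digest such as MD5 is the 2^64 figure Charles quotes. If the signer hashes the canonical form instead, every variant of the text he was shown collapses to a single digest and the birthday shortcut no longer applies.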