Bogus digital signatures, Re: OT: utility account transfer frauds

Charles Lindsey <chl at clw.cs.man.ac.uk>
Mon, 14 Oct 2002 11:37:17 +0100 (BST)


On Sat, 12 Oct 2002 18:57:20 +0100
"John R T Brazier" <prunesquallor@proproco.co.uk> said...

> Charles accurately stated:
> 
> ...and followed up with:
> > I also noticed today, when checking something else in the PGP format,
> > that the signature does NOT contain the MD5 hash in the clear (just the
> > first two bytes of it). The first two bytes are worth 2^16, but that
> > still means that you have to perform 2^48 full RSA decodings before you
> > find your match.
> 
> But no attacker would do it that way. He'd get an excuse to get the punter
> to sign the hash of an innocuous message (probably involving some financial
> benefit to said punter) on which he'd precalculated the matching digest for
> the incriminating message. Assuming, of course, he could actually generate
> the two messages.

Yes, you are right. The snag I mentioned only arises if you have a
signature to hand without the text it is alleged to sign, and then you
cannot know the MD5 hash. But that situation does not arise in any of
the scenarios under consideration.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
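The "first two bytes of the hash in the clear" detail from the quoted passage, as an added example that is not part of this thread: an OpenPGP-style verifier keeps the left two digest bytes alongside the RSA signature and spends a full public-key operation only on candidate texts that pass that two-byte check. The RSA key (Mersenne-prime factors) and all messages are constructed toys for this illustration; MD5 is used because it is the hash the thread discusses.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Toy RSA key, constructed for this example only (Mersenne primes; never use such a key).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


@dataclass(frozen=True)
class Signature:
    hash_left2: bytes   # "left 16 bits of the signed hash", carried in the clear
    rsa_sig: int        # RSA private-key operation over the digest (toy: no padding)


def sign(message: bytes) -> Signature:
    """Sign the MD5 digest of the message (the hash under discussion in the thread)."""
    digest = hashlib.md5(message).digest()
    return Signature(digest[:2], pow(int.from_bytes(digest, "big"), D, N))


def quick_check(sig: Signature, candidate: bytes) -> bool:
    """Cheap filter on the two clear bytes: rejects 65535/65536 of wrong texts."""
    return hashlib.md5(candidate).digest()[:2] == sig.hash_left2


def verify(sig: Signature, candidate: bytes) -> bool:
    """Full check: one RSA public operation recovers the signed digest."""
    digest = int.from_bytes(hashlib.md5(candidate).digest(), "big")
    return pow(sig.rsa_sig, E, N) == digest


def match_signature(sig: Signature, candidates: Iterable[bytes]) -> Tuple[Optional[int], int]:
    """Pair a signature held without its text against candidate texts.
    Returns (index of the matching text or None, RSA operations spent)."""
    rsa_ops = 0
    for i, m in enumerate(candidates):
        if not quick_check(sig, m):
            continue                      # filtered out without touching RSA
        rsa_ops += 1
        if verify(sig, m):
            return i, rsa_ops
    return None, rsa_ops


def quick_check_false_positive(sig: Signature, limit: int = 1 << 20) -> Optional[bytes]:
    """Find a constructed text that passes the two-byte check but fails RSA
    verification: the clear bytes narrow the candidates, they identify nothing."""
    for i in range(limit):
        m = b"constructed candidate %d" % i
        if quick_check(sig, m) and not verify(sig, m):
            return m
    return None
```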