Bogus digital signatures, Re: OT: utility account transfer frauds

John R T Brazier prunesquallor at proproco.co.uk
Mon, 14 Oct 2002 23:02:05 +0100 

-----Original Message-----
From: ukcrypto-admin@chiark.greenend.org.uk
[mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian
Campbell
Sent: 14 October 2002 21:13
To: ukcrypto@chiark.greenend.org.uk
Subject: Re: Bogus digital signatures, Re: OT: utility account transfer
frauds


John B drivelled:
> > > The convention is that you produce your two texts (one for the punter
to
> > >sign, the other incriminating), and then play with the white space. You
swap
> > >spaces for tabs, and so forth. You can also append extra spaces, add
and
> > >then cancel out format markers, etc. A decent program should be able to
> > >generate very large numbers of, say, Word documents that are apparently
> > >identical but have different internal bit patterns (especially if
you've got
> > >'Track Changes' on, so that deleted material is still actually retained
in
> > >the file). You can rapidly approach the position where you have some
text
> > >with the random bit streams invisibly mixed in. At this point the
birthday
> > >'paradox' returns to give you aid.
>
Charles Lindsey stated
> >You still have to generate, on average, 2^64 versions of the document.
> >And at the end, an expert witness who draws attention to the _very_
> >peculiar contents of the 'Track Changes' part of the Word document could
> >undo all your good work.

Brian Campbell added:
> Moreover, if the victim keeps the document that they signed, a
> sufficiently expert witness will show that both documents have the same
> hash and so it cannot be determined which document was signed.  You can
> also avoid becoming a victim by insisting that both parties sign, so
> that you can demonstrate the other person's intent.

Yup, and if and when this happens digital signatures should be seriously
compromised in court.

and Casper Dik added:
> You must make sure you generate the document you sign; the other
> party can then agree to the document but should never able to
> determine the hash beforehand.

Yup as well, although this is going to make contract signing fun.

All the best,

John B