Bogus digital signatures, Re: OT: utility account transfer frauds
George Ross
gdmr at dcs.ed.ac.uk
Tue, 15 Oct 2002 10:21:12 +0100
> > Is it not sufficient that each party generate their own random string, sign
> > the concatenation of that string with the document, and publish the string
> > along with the signature. No-one is then signing anyone else's text, but
> > all can verify that everyone signed the same document.
>
> I presume that both strings would be appended to the text (so both sides get
> to vary it).
Is that necessary? Since the idea is to defend against someone else
contriving the text to force a particular hash, just concatenating your own
random string before signing should suffice. Everyone signs their own
concatenation, but all can verify that it's the same document that's been
signed since the strings are all published.
(Aside: I think I would concatenate the random string on to the front of
the document before signing; and the length of the string would also be
random. Actually, truly random isn't necessary, as long as it's not
predictable in advance by the other parties.)
Whether the contents of the document itself can be interpreted in more than
one way is a real, but separate, issue.
--
Dr George D M Ross, School of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@inf.ed.ac.uk Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP DSA: 1024/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
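The scheme discussed in this message, as an added Go sketch that is not part of the original post: each party puts its own random string, of random length, in front of the document, signs that, and publishes the string with the signature so anyone can check that all parties signed the same document. Ed25519 as the signature scheme, the one-byte length prefix, the 16 to 47 byte string range and all names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Published struct { // what one party releases after signing
	Pub        ed25519.PublicKey
	Nonce, Sig []byte // the party's own random string, and its signature
}

// frame = 1-byte string length || random string || document (the prefix is this sketch's assumption).
func frame(nonce, doc []byte) []byte {
	return append(append([]byte{byte(len(nonce))}, nonce...), doc...)
}

// SignOwn prepends a fresh string of unpredictable length (16..47 bytes) and signs the result.
func SignOwn(priv ed25519.PrivateKey, doc []byte) Published {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no usable system randomness: refuse to sign
	}
	nonce := buf[1 : 17+int(buf[0]%32)]
	return Published{priv.Public().(ed25519.PublicKey), nonce, ed25519.Sign(priv, frame(nonce, doc))}
}

// VerifyAll reports whether every party signed its own string plus this same document.
func VerifyAll(doc []byte, all []Published) bool {
	ok := len(all) > 0
	for _, p := range all {
		ok = ok && len(p.Pub) == ed25519.PublicKeySize && len(p.Nonce) >= 16 &&
			len(p.Nonce) <= 255 && ed25519.Verify(p.Pub, frame(p.Nonce, doc), p.Sig)
	}
	return ok
}

func main() {
	doc := []byte("constructed sample agreement")
	var all []Published
	for i := 0; i < 2; i++ { // two parties, each with its own key
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		all = append(all, SignOwn(priv, doc))
	}
	fmt.Println(VerifyAll(doc, all), VerifyAll(append(doc, '!'), all))
}
```

No party ever signs bytes chosen entirely by someone else, yet a verifier needs only the document and the published records.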