Bogus digital signatures, Re: OT: utility account transfer frauds

John R T Brazier prunesquallor at proproco.co.uk
Tue, 15 Oct 2002 11:06:51 +0100


John B gibbered:
> > I presume that both strings would be appended to the text (so both sides get
> > to vary it).


> Is that necessary?  Since the idea is to defend against someone else
> contriving the text to force a particular hash, just concatenating your own
> random string before signing should suffice.  Everyone signs their own
> concatenation, but all can verify that it's the same document that's been
> signed since the strings are all published.

I think so. If I'm the baddy, and I create the document (simplest case),
then I can produce two versions of the document (one fair, one for my
nefarious purposes). I then start generating random numbers on both
documents (birthday 'paradox' comes in). When I get the two docs, I sign
both hashes. I send the fair one (without either random string) to the
punter, who adds his random string, computes the hash and signs it.

I still have two documents, saying different things, that sign to the same.
In court the different random strings don't help the punter. We both
demonstrate that our documents sign correctly.

If we add both strings (his and mine) to the document, however, then I'm
forced to compute a specified hash, and I lose the birthday 'paradox'. I'm
looking at 2^127 different hashes (to a 50% probability).

All the best,

John B
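The two schemes under discussion, as an added toy model that is not part of the thread. It is not anyone's real signing code: the "hash that gets signed" is SHA-256 truncated to a constructed HASH_BITS width so the birthday search finishes instantly, the documents and the counterparty's random string are constructed sample values, and the document author's random strings are drawn from a counter rather than a real random source so the run is repeatable. With only the author's string appended, the author controls every hashed byte and a collision between the fair and the nefarious document costs about 2^(n/2) hash evaluations; once the punter's string is appended after the author has committed, the precomputed pair no longer agrees and the author would face a second-preimage search at about 2^n.

```python
"""Toy model of single-nonce versus two-nonce signing (added example)."""
import hashlib
from typing import Optional, Tuple

HASH_BITS = 20  # constructed toy width; real digests are 256 bits or wider

# Constructed sample documents: the fair text and the nefarious variant.
FAIR_DOC = b"I agree to transfer the account for the sum of 100 pounds."
BAD_DOC = b"I agree to transfer the account for the sum of 100000 pounds."
# Constructed sample of the counterparty's (punter's) random string.
PUNTER_NONCE = b"punter-random-string-0001"


def toy_hash(data: bytes) -> int:
    """First HASH_BITS bits of SHA-256: the value that would be signed."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - HASH_BITS)


def signed_input(doc: bytes, *nonces: bytes) -> bytes:
    """Document with the parties' random strings appended in order."""
    return doc + b"".join(nonces)


def birthday_collision(fair: bytes, bad: bytes,
                       budget: int = 2 ** HASH_BITS
                       ) -> Optional[Tuple[bytes, bytes, int]]:
    """Scheme 1: only the document's author appends a random string.

    The author chooses every hashed byte, so he varies his own string on
    both documents until H(fair||r1) == H(bad||r2).  Expected cost is on
    the order of 2**(HASH_BITS/2) per document (birthday bound).
    Returns (r1, r2, hashes_computed), or None if the budget runs out.
    """
    seen_fair = {}  # hash -> author's string used on the fair document
    seen_bad = {}   # hash -> author's string used on the bad document
    for i in range(budget):
        r = i.to_bytes(4, "big")  # counter in place of a random source
        hf = toy_hash(signed_input(fair, r))
        hb = toy_hash(signed_input(bad, r))
        if hf == hb:
            return r, r, 2 * (i + 1)
        if hf in seen_bad:
            return r, seen_bad[hf], 2 * (i + 1)
        if hb in seen_fair:
            return seen_fair[hb], r, 2 * (i + 1)
        seen_fair.setdefault(hf, r)
        seen_bad.setdefault(hb, r)
    return None


def pair_survives_counterparty_nonce(fair: bytes, bad: bytes,
                                     r1: bytes, r2: bytes, s: bytes) -> bool:
    """Scheme 2: both strings are appended.

    The counterparty's string s is chosen after the author has committed
    to a document and his own string, so the precomputed pair is hashed
    with s on the end.  True only if the collision still holds, which for
    a fixed, unknown s is a second-preimage event (~2**HASH_BITS work).
    """
    return (toy_hash(signed_input(fair, r1, s))
            == toy_hash(signed_input(bad, r2, s)))


def expected_work(bits: int) -> Tuple[int, int]:
    """(collision search, second-preimage search) in hash evaluations."""
    return 2 ** (bits // 2), 2 ** bits


def verify_same_document(doc: bytes, nonces: Tuple[bytes, ...],
                         signed_hash: int) -> bool:
    """What each party checks once all random strings are published."""
    return toy_hash(signed_input(doc, *nonces)) == signed_hash


if __name__ == "__main__":
    found = birthday_collision(FAIR_DOC, BAD_DOC)
    assert found is not None
    r1, r2, cost = found
    print(f"scheme 1: collision after {cost} hashes "
          f"(bound ~{expected_work(HASH_BITS)[0]} per document)")
    h = toy_hash(signed_input(FAIR_DOC, r1))
    print("both documents verify against the same hash:",
          verify_same_document(FAIR_DOC, (r1,), h),
          verify_same_document(BAD_DOC, (r2,), h))
    print("scheme 2: pair still collides with punter's string appended:",
          pair_survives_counterparty_nonce(FAIR_DOC, BAD_DOC, r1, r2,
                                           PUNTER_NONCE))
    print("work factors at 256 bits (collision, second preimage):",
          expected_work(256))
```

Run it directly to see the collision found in a few thousand hashes for the 20-bit toy, both documents verifying against one hash under scheme 1, and the same pair failing once the punter's string is appended. The `expected_work` line is the thread's point in numbers: at 256 bits the author's collision search is about 2^128, and after the second string is added the search he is left with is about 2^256.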