On Dec 2, 2007, at 3:09 AM, William Allen Simpson wrote:
There are no circumstances in which any reputable certifier will ever
certify any of the "multitude" containing a hidden pdf image,
especially
where generated by another party.
It is getting fairly common for notaries in for example the
Netherlands to timestamp or otherwise attest that an (asset with) hash
(e.g. MD5 an) was presented to them by a person or company with such
and such credentials.
E.g. NotarSign (diginotarl.nl) its email service will attest such in
an automated fashion.
Essentially what you are getting is a notarized statement containing
the credentials as presented, the hash, a timestamp and a notarized
(backed with an Appostille of the Hague if to be used internationally)
declaration that such was presented.
Note presentation of the asset is quite optional in this process. And
for practical reasons it is quite common now in certain trade-
environments to _not_ sent the actual document to NotarSign but just
the statement with an MD5* and a https URL to the Purchase Order
(where the biz. partner needs his x509 or a physical RSA token to pick
it up) - to be forwarded to the trading partners.
THIS is what makes this "tongue in cheek" example 'somewhat' relevant
for day to day workflows for those who are still using MD5s.
'Somewhat' - as ultimately in this example it is hard to argue
entirely accidental tampering. However - in some biz. sealed-bid
processes the damage is done by that time.
The attack requires the certifier to be compromised, either to certify
documents that the certifier did not generate, or to include the
chosen
text (hidden image) in its documents in exactly the correct location.
While there are plenty of chosen text attacks in cryptography, this
one
is highly impractical. The image is hidden. It will not appear,
and thus
would not be accidentally copied by somebody (cut-and-paste).
Keep in mind that the notary is still 'careful' -- effectively they
sign the hash -- rather than the document; and state either such (e.g.
in the case of some software/code where you do not hand over the
actual code) or state that _a_ document was presented with said hash.
The _assumption_ that there is a 1:1 mapping is one left to the
reader. Compare it to the passport/personalia -- the statement of fact
usually says that a person appeared in front of the notary which
presented... rather than Mr X submitted himself to...
Dw.
*) The above example falls somewhat apart as the current message
contains
an 'at&t 'sum', md5, SHA-256, SHA-512 and the length - and almost
all
ERP systems check all but the AT&T checksum.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
