>The problem is that an ambiguous message is signed, making this attack
>possible:
>
> (username, expiration) -> MAC signature
> ---------------------     --------------------------
> (Alice, 21-Apr-2001)   -> MAC (Alice21-Apr-2001, key)
> (Alice2, 1-Apr-2001)   -> MAC (Alice21-Apr-2001, key)
>
>An adversary need only create an Alice2 account with an appropriate
>expiration time to forge an authenticator for the real Alice.  In the
>real world, sites and systems like WSJ.com and ArsDigita ACS suffer
>from variants of this marshalling problem [1].  Just sign what you
>mean -- using a delimiter or variable name outside the message space
>is usually sufficient.

so change that to

 (username, expiration) -> MAC signature
 ---------------------     --------------------------
 (Alice, 21-Apr-2001)   -> MAC (MAC(Alice), MAC(21-Apr-2001), key)
 (Alice2, 1-Apr-2001)   -> MAC (MAC(Alice2), MAC(1-Apr-2001), key)

maybe?

-- 
|-----< "CODE WARRIOR" >-----|
[EMAIL PROTECTED]             * "ah!  i see you have the internet
[EMAIL PROTECTED] (Andrew Brown)                that goes *ping*!"
[EMAIL PROTECTED]       * "information is power -- share the wealth."
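A worked example of the marshalling ambiguity in the quoted table, beside the fix the quoted text suggests (a boundary marker outside the message space, here a length prefix on every field). This is added illustration, not code from either poster; the key, field names and the 2-byte length prefix are assumptions.

```python
import hashlib
import hmac

# Constructed demonstration key; any fixed secret would do here.
KEY = b"demo-secret-key"


def naive_encode(username: str, expiration: str) -> bytes:
    """Plain concatenation: the field boundary is not part of the message."""
    return (username + expiration).encode("utf-8")


def canonical_encode(username: str, expiration: str) -> bytes:
    """Length-prefix every field so the encoding is injective.

    Each field is written as a 2-byte big-endian length followed by its
    bytes, so two distinct (username, expiration) pairs cannot produce
    the same byte string, whatever characters the fields contain.
    """
    out = b""
    for field in (username, expiration):
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += len(data).to_bytes(2, "big") + data
    return out


def mac(message: bytes, key: bytes = KEY) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def naive_tag(username: str, expiration: str) -> str:
    return mac(naive_encode(username, expiration))


def canonical_tag(username: str, expiration: str) -> str:
    return mac(canonical_encode(username, expiration))


def verify_canonical(username: str, expiration: str, tag: str) -> bool:
    """Constant-time check of a tag issued by canonical_tag."""
    return hmac.compare_digest(canonical_tag(username, expiration), tag)


if __name__ == "__main__":
    # The two accounts from the quoted table.
    a, b = ("Alice", "21-Apr-2001"), ("Alice2", "1-Apr-2001")
    print("naive tags collide:    ", naive_tag(*a) == naive_tag(*b))          # True
    print("canonical tags collide:", canonical_tag(*a) == canonical_tag(*b))  # False
```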



---------------------------------------------------------------------
The Cryptography Mailing List