On 12/6/24 02:11, Wiktor Kwapisiewicz via Gnupg-devel wrote:
> On 6.12.2024 01:54, Jacob Bachmeyer via Gnupg-devel wrote:
>> This could be as simple as including a nonce in the signature.
> Just for the record, due to the way OpenPGP hashes files, there's
> plenty of other metadata influencing the final hash, e.g. signature
> creation time (I guess it's rather improbable that the attacker would
> control that to one-second precision; it's not high-entropy data,
> though; also: some implementations embed nonce data in notations).
So PGP is already resistant to such attacks and can be made entirely
immune by simply adding a nonce to the signature, which the protocol
already allows?
Does GPG already do this? If not, can this message count as a feature
request for secure nonces in signatures? Even 64 bits should be enough
to guard against collision-based forgeries, but I would suggest a nonce
length equal to one half of the digest length.
(I initially wanted to propose making the nonce length equal to the
digest length, but the pigeonhole principle suggests that a nonce that
long *might* make signatures malleable with enough computation---an
attacker *might* be able to use the nonce field to make a signature
"fit" a different document hash. I do not know if factoring a 4096-bit
RSA key would be easier---I would expect such an attack to be
computationally infeasible.)
Alternatively, for the next PGP protocol version, including a nonce N in
the calculation of the digest H and also signing {N,H} instead of just H
should allow longer nonces without risking the signature integrity. (I
wonder if the SSH developers were thinking along those lines...)
-- Jacob
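The two schemes Jacob contrasts, today's signature over H alone versus a nonce N mixed into the digest with the signature covering {N, H}, worked through as an added example; this is not code from GnuPG or from anyone in the thread. It assumes a deliberately truncated hash so a colliding document pair can be found at runtime, HMAC as a stand-in for the public-key signature, and a constructed key and documents.

```python
import hashlib
import hmac
import os

# Toy digest: SHA-256 truncated to 32 bits so a colliding document pair can be found
# by a birthday search in under a second; it stands in for a hash with practical collisions.
def toy_digest(data):
    return hashlib.sha256(data).digest()[:4]

def find_colliding_pair(prefix_a, prefix_b):
    """Birthday search: doc_a starts with prefix_a, doc_b with prefix_b, and
    toy_digest(doc_a) == toy_digest(doc_b). This is the attacker's preparation step."""
    seen, i = {}, 0
    while True:
        doc_a = prefix_a + b" #%d" % i
        seen[toy_digest(doc_a)] = doc_a
        doc_b = prefix_b + b" #%d" % i
        if toy_digest(doc_b) in seen:
            return seen[toy_digest(doc_b)], doc_b
        i += 1

# HMAC-SHA256 stands in for the public-key signature; what matters here is which
# bytes go under the signature, not the signature algorithm.
def sign(key, to_be_signed):
    return hmac.new(key, to_be_signed, "sha256").digest()
# Current scheme: the signature covers H = digest(doc) alone.
def sign_plain(key, doc):
    return sign(key, toy_digest(doc))
def verify_plain(key, doc, sig):
    return hmac.compare_digest(sign_plain(key, doc), sig)

# Proposed scheme: a signer-chosen 16-byte nonce N goes into the digest, H = digest(N || doc),
# and the signature covers {N, H} (N is fixed-length, so no framing); N travels with the sig.
def sign_nonced(key, doc, nonce=None):
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce, sign(key, nonce + toy_digest(nonce + doc))
def verify_nonced(key, doc, nonce, sig):
    return hmac.compare_digest(sign_nonced(key, doc, nonce)[1], sig)

def demo(key=b"constructed demo key"):
    # The colliding pair exists before signing; the signer only ever sees `benign`.
    benign, hostile = find_colliding_pair(b"pay 10 EUR", b"pay 10000 EUR")
    plain_sig = sign_plain(key, benign)
    nonce, nonced_sig = sign_nonced(key, benign)
    return {
        "plain_forgery_verifies": verify_plain(key, hostile, plain_sig),
        "nonced_forgery_verifies": verify_nonced(key, hostile, nonce, nonced_sig),
        "nonced_genuine_verifies": verify_nonced(key, benign, nonce, nonced_sig),
    }
```

With the plain scheme the signature made over `benign` verifies on `hostile` because both share the digest; with the nonced scheme it does not, since the nonce was chosen after the pair was fixed and the attacker could not bake it into the collision.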
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel