On 05/02/2013 12:51 AM, Robert J. Hansen wrote:
> On 5/2/2013 12:48 AM, Robert J. Hansen wrote:
>> She cares what the collision is: it has to be a valid OpenPGP signature
>> sequence.
>
> Erf, did I really write that?
>
> s/signature/User ID
>
> The point being the User ID isn't allowed to be completely arbitrary:
> there's a lot of structure to it. I think that's what kicks this into a
> preimage.
The same can be said of X.509 certificates. There is a lot of structure in them too, but nonetheless a collision attack was sufficient to mint a new certificate from RapidSSL's predictable signing policy.

The User ID itself does have well-defined structure, it's true -- in particular, it has to be a valid UTF-8 bytestream. However, the selfsig is made on a digest over many things, only one of which is the User ID. For example, it could contain an arbitrary OpenPGP notation subpacket, which can itself include an arbitrary bytestream in the value field, particularly if notation flag 0x80 is cleared.

Compare this to the X.509 ASN.1 "tumor" used in http://www.win.tue.nl/hashclash/rogue-ca/

This is an attack against the digest's collision-resistance, not against its preimage resistance.

Regards,

--dkg
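To make the point above concrete, here is an added example (not code from the thread or from GnuPG) that assembles the bytes a verifier digests for a v4 OpenPGP certification over a key and User ID (RFC 4880 section 5.2.4), with a constructed dummy key body and a Notation Data subpacket (type 20) whose 0x80 flag is cleared. It shows that the User ID must be valid UTF-8 while the notation value is opaque bytes that still land inside the digested data.

```python
# Added example: which bytes a selfsig digest covers. KEY_BODY is a constructed
# placeholder, not a real public key packet.
import hashlib
import struct

def subpacket(sp_type: int, body: bytes) -> bytes:
    # One-octet length form (RFC 4880 5.2.3.1); the length counts the type octet.
    length = 1 + len(body)
    assert length < 192, "example keeps to the one-octet length form"
    return bytes([length, sp_type]) + body

def notation_subpacket(name: bytes, value: bytes, human_readable: bool) -> bytes:
    # Notation Data, subpacket type 20 (RFC 4880 5.2.3.16). With flag 0x80 set
    # the value must be UTF-8 text; with it cleared the value is any bytestream.
    flags = bytes([0x80 if human_readable else 0x00, 0, 0, 0])
    body = flags + struct.pack(">HH", len(name), len(value)) + name + value
    return subpacket(20, body)

def is_valid_user_id(user_id: bytes) -> bool:
    # The User ID packet body is required to be a UTF-8 string.
    try:
        user_id.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def selfsig_hash_input(key_body: bytes, user_id: bytes, subpackets: list, hash_algo: int = 8) -> bytes:
    # Data hashed for a v4 positive certification (type 0x13) of a User ID:
    # 0x99 + 2-octet key length + key body, 0xB4 + 4-octet UID length + UID,
    # the signature head up to and including the hashed subpackets, then the
    # 0x04 0xFF trailer carrying the 4-octet length of that head.
    if not is_valid_user_id(user_id):
        raise ValueError("User ID is not valid UTF-8")
    hashed = b"".join(subpackets)
    sig_head = bytes([4, 0x13, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    trailer = bytes([4, 0xFF]) + struct.pack(">I", len(sig_head))
    return (bytes([0x99]) + struct.pack(">H", len(key_body)) + key_body
            + bytes([0xB4]) + struct.pack(">I", len(user_id)) + user_id
            + sig_head + trailer)

def selfsig_digest(key_body: bytes, user_id: bytes, subpackets: list) -> bytes:
    return hashlib.sha256(selfsig_hash_input(key_body, user_id, subpackets)).digest()

# Constructed sample inputs: dummy key body, creation-time subpacket, a UID, and
# two notation subpackets that differ only in their opaque value field.
KEY_BODY = bytes([4]) + struct.pack(">I", 1367452800) + bytes([1]) + b"\x00\x08\x03"
CREATION = subpacket(2, struct.pack(">I", 1367452800))
UID = "Alice Example <alice@example.org>".encode("utf-8")
FILLER_A = notation_subpacket(b"pad@example.org", b"\x00" * 16, human_readable=False)
FILLER_B = notation_subpacket(b"pad@example.org", b"\xff" * 16, human_readable=False)
```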
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
