Re: XML signature HMAC truncation authentication bypass

2009-07-29 Thread Bill Stewart
At 05:11 PM 7/27/2009, Jon Callas wrote: By the way, do you think it's safe to phase out MD5? That will break all the PGP 2 users. Depends - if you're only replacing it with SHA-1, it's probably not worthwhile.. And if you're breaking things anyway, might as well replace most of the

Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Jon Callas
On Jul 26, 2009, at 10:31 PM, Peter Gutmann wrote: Jon Callas j...@callas.org writes: You are of course correct, Peter, but are you saying that we shouldn't do anything? Well, I think it's necessary to consider the tradeoffs, if you don't know the other side's capabilities then it's a

Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Peter Gutmann
Jon Callas j...@callas.org writes: Okay, password-protected files would get it, too. I won't ask why you're sending password protected files to an agent. They're not technically password-protected files but pre-shared key (PSK) protected files, where the keys have a high level of entropy

Re: XML signature HMAC truncation authentication bypass

2009-07-27 Thread Peter Gutmann
Jon Callas j...@callas.org writes: You are of course correct, Peter, but are you saying that we shouldn't do anything? Well, I think it's necessary to consider the tradeoffs, if you don't know the other side's capabilities then it's a bit risky to assume that they're the same as yours. You are

Re: XML signature HMAC truncation authentication bypass

2009-07-26 Thread Peter Gutmann
Jon Callas j...@callas.org writes: On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote: PGP Desktop 9 uses as its default an iteration count of four million (!!) for its password hashing, which looks like a DoS to anything that does sanity-checking of input. That's precisely what it is -- a

Re: XML signature HMAC truncation authentication bypass

2009-07-26 Thread Jon Callas
Where this falls apart completely is when there are asymmetric capabilities across sender and receiver. You are of course correct, Peter, but are you saying that we shouldn't do anything? I don't believe that we should roll over and die. We should fight back, even if the advantage is to

Re: XML signature HMAC truncation authentication bypass

2009-07-20 Thread Jon Callas
On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote: PGP Desktop 9 uses as its default an iteration count of four million (!!) for its password hashing, which looks like a DoS to anything that does sanity-checking of input. That's precisely what it is -- a denial of service to password

Re: XML signature HMAC truncation authentication bypass

2009-07-19 Thread Peter Gutmann
Leandro Meiners lmein...@gmail.com quotes: For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid. This excessive generality is a serious problem in way too many crypto

XML signature HMAC truncation authentication bypass

2009-07-17 Thread Leandro Meiners
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as