Subject: Re: [dss] Comments on Requirements Draft


At 01:51 PM 3/27/2003 -0800, Trevor Perrin wrote:

>At 02:47 PM 3/27/2003 -0500, Robert Zuccherato wrote:
>
>>In Section 3.3.2 the statement is made that "Client-side hashing requires 
>>the client to have knowledge of which hash algorithms the server is 
>>capable of signing".  I may be missing something obvious, but why?  The 
>>client has already calculated the hash, so the DSS does not need to 
>>compute the hash again.  It can just take the resultant hash value and 
>>compute the signature.  Now, we may eventually want to produce a security 
>>requirement that the DSS should only sign using hashes that it believes 
>>are secure, but that doesn't mean that the server is not capable of signing it.
>
>I think most public-key signature algorithms (PKCS v1.5, PSS) incorporate 
>an OID of the hash algorithm in the data they sign with the private key, 
>or do something similar.  If they don't there's a rollback attack where, 
>even though you signed with SHA1, if I can find pre-images on MD4 or 
>something, then I can make a forgery and tell the recipient the message 
>was MD4-hashed (10.1.2 Note 1 in RFC 2313).
>
>So if a DSS service doesn't know the OID of your hash algorithm, it might 
>not be able to sign it.  I'll add a sentence to explain the rationale.

Sorry, I was wrong.  With XML-DSIG or CMS/PKCS#7 the server is going to be 
re-hashing the hash the client sends (to include signed attributes and 
whatever), and signing that.  So this requirement doesn't apply.  I 
supposed it would apply if we wanted to have a PKCS #1 v1.5 DSS server, but 
that's a pretty special case, so I'll take that requirement out.

Note that because of the re-hashing, blinding isn't really possible, which 
was something we had discussed, so I left it out of the document, unless 
there's something we should say about it?

Trevor 
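As an added illustration, not code from the thread or from the DSS work, here is the difference the two messages above turn on: the PKCS #1 v1.5 DigestInfo that binds a hash OID to the hash value (RFC 2313 10.1.2), versus a CMS/PKCS#7-style server that wraps the client's hash in a messageDigest attribute and re-hashes it with its own algorithm. The OIDs are the standard ones; the signed-attribute set is reduced to messageDigest alone, and the function names are this example's own.

```python
import hashlib

# DER-encoded OID bodies (standard values from PKCS #1 and PKCS #9).
OID = {
    "md5": bytes.fromhex("2a864886f70d0205"),             # 1.2.840.113549.2.5
    "sha1": bytes.fromhex("2b0e03021a"),                  # 1.3.14.3.2.26
    "messageDigest": bytes.fromhex("2a864886f70d010904"), # 1.2.840.113549.1.9.4
}

def der(tag, body):
    # Minimal DER TLV; every value built here is under 128 bytes, so the
    # short length form is enough.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def digest_info(algorithm, digest):
    """DigestInfo as signed by PKCS #1 v1.5: the hash algorithm's OID goes
    under the private key together with the hash value, so a verifier cannot
    be told the signature was over a different (weaker) hash."""
    alg_id = der(0x30, der(0x06, OID[algorithm]) + b"\x05\x00")  # NULL params
    return der(0x30, alg_id + der(0x04, digest))

def raw_hash_signing_input(client_algorithm, client_digest):
    """A 'sign the client's hash directly' PKCS #1 v1.5 server: it cannot
    build DigestInfo without knowing the client's hash OID (hypothetical)."""
    if client_algorithm not in OID:
        raise ValueError(f"no OID for hash algorithm {client_algorithm!r}")
    return digest_info(client_algorithm, client_digest)

def cms_signing_input(client_digest, server_algorithm="sha1"):
    """A CMS/PKCS#7-style server (hypothetical): the client's hash becomes the
    messageDigest signed attribute, the attribute set is re-hashed with the
    server's own algorithm, and that DigestInfo is what gets signed. Only the
    server's OID is needed, and the client never chooses the bytes that go
    under the private key, which is why blinding does not fit this model."""
    md_attr = der(0x30, der(0x06, OID["messageDigest"])
                  + der(0x31, der(0x04, client_digest)))
    signed_attrs = der(0x31, md_attr)  # SET OF Attribute, messageDigest only
    attrs_hash = hashlib.new(server_algorithm, signed_attrs).digest()
    return digest_info(server_algorithm, attrs_hash)
```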