On sextidi 6 ventôse, year CCXXIV, Christian Seiler wrote:
> Yes, I know what an HMAC is. But an HMAC is _utterly_ useless for a
> digital signature.

Please stop commenting on the finger when I try to show you the moon. I was not saying that HMACs are useful for digital signatures; I was giving another, simpler, example to try to get you to understand the principle.

You want an actual example of an attack that a proper signing protocol prevents? Here is one:

1. Alice generates harmless.iso and harmful.iso with a hash collision.
2. Bob generates harmless.iso.sha and signs it as harmless.iso.sha.sign.
3. Alice replaces harmless.iso with harmful.iso.
4. Eve checks the signature; the signature is valid.

Compare to:

2. Bob signs harmless.iso as harmless.iso.sign.
3. Alice replaces harmless.iso with harmful.iso.
4. Eve checks the signature; the signature is invalid, the attack is foiled.

The principle is that a proper signing protocol needs to include in the hashed message parts that the attacker cannot control.

(As a side note, IIRC, the collision attack on MD5 has the property that:

    size(A) == size(B) && md5(A) == md5(B) => md5(A||C) == md5(B||C);

in that case, it would be better to include parts that the attacker cannot control before the message, not just after.)

Regards,

-- 
Nicolas George