phasing out SHA1 for digest creation
Jacob Bachmeyer
jcb62281 at gmail.com
Fri Dec 6 01:54:14 CET 2024
On 12/5/24 11:13, Rainer Perske wrote:
> Bruce Walzer schrieb am 2024-12-05:
>> What is the actual issue here?
> Extremely simplified:
>
> Attacker makes many good documents and many bad documents until he finds a collision.
> See https://shattered.io
> Attacker takes the good document and the bad document with the same hash.
> Attacker asks victim to sign the good document.
> Victim does so.
> Attacker combines the signature with the bad document.
> So the attacker can "prove" that the victim has signed the bad document.
Better solution: never sign a document exactly as presented to you;
always make a small change first. This could be as simple as including
a nonce in the signature. This is from Schneier's /Applied
Cryptography/ from many years ago: this problem (and its solution) is old.
-- Jacob
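The attack Rainer sketches, and the countermeasure Jacob describes, as an added worked example that is not code from this thread or from GnuPG. It stands in a 32-bit truncation of SHA-256 for a collision-prone hash (so a birthday collision is found in about 2**16 tries), an HMAC over the digest for the signature, and constructed "good" and "bad" document templates; the template text, key and nonce length are illustrative choices, not anything from the thread.

```python
import hashlib
import hmac
import os

# Added example, not code from the gnupg-devel thread or from GnuPG.
# A deliberately weak hash stands in for a broken one: SHA-256 truncated to
# 32 bits, so a birthday collision costs roughly 2**16 hash evaluations.
DIGEST_BYTES = 4


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a collision-prone digest such as SHA-1."""
    return hashlib.sha256(data).digest()[:DIGEST_BYTES]


def find_collision(good_template: bytes, bad_template: bytes):
    """Attacker step: make many harmless and many harmful variants (here by
    varying a counter inside each template) until one of each share a digest."""
    good_seen = {}  # digest -> harmless variant
    bad_seen = {}   # digest -> harmful variant
    for i in range(1 << 26):  # generous cap; expected ~2**16 iterations
        good = good_template % i
        bad = bad_template % i
        hg, hb = weak_hash(good), weak_hash(bad)
        if hg == hb:
            return good, bad
        if hg in bad_seen:
            return good, bad_seen[hg]
        if hb in good_seen:
            return good_seen[hb], bad
        good_seen[hg] = good
        bad_seen[hb] = bad
    raise RuntimeError("no collision found within the search cap")


def sign_as_presented(key: bytes, doc: bytes) -> bytes:
    """Hash-then-sign over exactly the bytes the requester supplied.
    HMAC-SHA256 over the digest stands in for a public-key signature."""
    return hmac.new(key, weak_hash(doc), "sha256").digest()


def verify_as_presented(key: bytes, doc: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_as_presented(key, doc), sig)


def sign_with_nonce(key: bytes, doc: bytes):
    """Countermeasure: the signer prepends bytes the requester did not choose,
    so what gets hashed is never exactly the document the attacker prepared."""
    nonce = os.urandom(16)  # signer-chosen, unpredictable to the attacker
    return nonce, hmac.new(key, weak_hash(nonce + doc), "sha256").digest()


def verify_with_nonce(key: bytes, doc: bytes, nonce: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, weak_hash(nonce + doc), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Run the attack against both signing styles and report what transfers."""
    key = os.urandom(32)
    # Constructed document templates; the attacker controls the "ref" field.
    good, bad = find_collision(b"Pay Alice 10 EUR (ref %d)",
                               b"Pay Mallory 10000 EUR (ref %d)")
    # Victim signs the harmless document exactly as presented: the signature
    # is over the digest alone, and the digests are equal, so it also
    # verifies over the harmful document.
    sig = sign_as_presented(key, good)
    naive_transfers = verify_as_presented(key, bad, sig)
    # Victim instead prepends a fresh nonce before hashing: the attacker's
    # collision was found for the bare documents, not for nonce + document.
    nonce, sig_n = sign_with_nonce(key, good)
    nonce_transfers = verify_with_nonce(key, bad, nonce, sig_n)
    return {
        "good": good,
        "bad": bad,
        "naive_transfers": naive_transfers,
        "nonce_transfers": nonce_transfers,
    }


if __name__ == "__main__":
    r = demo()
    print("collision:", r["good"], "<->", r["bad"])
    print("signature over good verifies over bad (sign as presented):", r["naive_transfers"])
    print("signature over good verifies over bad (nonce prepended):", r["nonce_transfers"])
```

The placement of the extra data matters. In the example the nonce goes in front of the document. For a Merkle-Damgard hash such as SHA-1 an identical-prefix collision (the shattered.io PDFs are one) survives any common suffix, because both colliding messages leave the hash in the same internal state; data the signer only appends after the document therefore does not disturb the collision, while data inserted before it does. The truncated-hash stand-in here does not reproduce that suffix behaviour, so the example only shows the prefix case.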