Adding a nonce before hashing as covert channel (Re: phasing out SHA1 for digest creation)
Andrew Gallagher
andrewg at andrewg.com
Tue Dec 10 17:06:41 CET 2024
On 10 Dec 2024, at 08:48, Bernhard Reiter via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
>
> On Saturday 07 December 2024 15:35:09, Andrew Gallagher via Gnupg-devel wrote:
>> there are already countless places in the wire format that an adversary
>> could use for a covert channel,
>
> It still may not be wise to add another place.
> There can be unwanted side effects of adding a nonce
> (is what I understand from the example).
There might be. However, since the nonce is signed over as if it were the first N bits of the document, manipulating the nonce of a salted signature would be equivalent to manipulating the first N bits of a document signed by an unsalted signature. Collision attacks generally require manipulation of many more bits than are provided by a V6 signature salt, which is half the bit length of the digest algorithm. And remember that the nonce is not attacker-controlled, unlike the document. Even if there were an additional vulnerability introduced, the attacker would have a 1 in O(2^N) chance of successfully exploiting it.
> Not saying that this is done deliberately.
Of course you aren't. I do wish we could have a reasonable discussion without other people resorting to veiled allegations and FUD.
A
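Editor's note (not part of the thread): the following is an added Python model of the point made above, that the v6 salt is hashed as if it were a prefix of the document, so tampering with the salt is the same hash-input change as tampering with the first N bytes of an unsalted document. It is not GnuPG's or RFC 9580's code. It assumes the simplification stated in the message (salt length is half the digest length) and omits the signature metadata and trailer that a real OpenPGP v6 signature hash also covers.

```python
import hashlib
import os

# Simplified model of OpenPGP v6 salted signature hashing, written for this
# page to illustrate the message above. Not GnuPG's or the RFC's own code.
# A real v6 signature hash also covers the hashed subpackets and a trailer;
# both are omitted here because they do not change the prefix argument.


def salt_len(alg: str) -> int:
    """Assumption taken from the message: the salt is half the digest length."""
    return hashlib.new(alg).digest_size // 2


def salt_bits(alg: str) -> int:
    """Size of the space an attacker must guess if they cannot choose the salt."""
    return salt_len(alg) * 8


def unsalted_digest(document: bytes, alg: str = "sha256") -> bytes:
    """Plain digest over the document, as a v4-style (unsalted) signature hashes it."""
    return hashlib.new(alg, document).digest()


def salted_digest(salt: bytes, document: bytes, alg: str = "sha256") -> bytes:
    """Digest over salt || document: the salt is fed to the hash first, exactly
    like the first N bytes of the document would be."""
    if len(salt) != salt_len(alg):
        raise ValueError(
            f"salt must be {salt_len(alg)} bytes for {alg}, got {len(salt)}")
    h = hashlib.new(alg)
    h.update(salt)
    h.update(document)
    return h.digest()


def signer_salt(alg: str = "sha256") -> bytes:
    """The signer draws the salt from its own CSPRNG; the party supplying the
    document never gets to choose it."""
    return os.urandom(salt_len(alg))


def salt_tamper_is_prefix_tamper(document: bytes, alg: str = "sha256") -> bool:
    """Check the equivalence from the message: flipping the salt of a salted
    signature produces the same hash input as flipping the first N bytes of a
    document under an unsalted signature, and the digest changes accordingly."""
    salt = signer_salt(alg)
    original = salted_digest(salt, document, alg)
    tampered_salt = bytes(b ^ 0xFF for b in salt)
    tampered = salted_digest(tampered_salt, document, alg)
    return (
        original == unsalted_digest(salt + document, alg)
        and tampered == unsalted_digest(tampered_salt + document, alg)
        and tampered != original
    )


if __name__ == "__main__":
    doc = b"constructed sample document for the salted-hash model"
    print("sha256 salt bytes:", salt_len("sha256"), "bits:", salt_bits("sha256"))
    print("salt tamper == prefix tamper:", salt_tamper_is_prefix_tamper(doc))
```

The verifier-side length check matters in practice: a salt of the wrong length must be rejected before hashing, otherwise an implementation that accepts variable-length salts would let an attacker shift where the document boundary falls.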