Plaintext attack vulnerabilities?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 16 15:11:08 CEST 2009


On 06/16/2009 06:44 AM, Brian Mearns wrote:
> Are there any known vulnerabilities associated with an attacker who
> can provide plaintext and receive a signature for it? I'm planning a
> simple computer-auth system where a client sends a random token to the
> server, and then the server signs and returns it to prove that the
> server has the private key. I'm wondering if a malicious client could
> provide a certain plain text such that it could learn something about the
> private key based on the returned signature.

The client may or may not be able to learn anything about the private
key directly, but there are other serious attacks that such a scheme
could be vulnerable to.

For example, a relay or man-in-the-middle attack is possible:

Alice wants to connect to bob.example.org, a server run by Bob.  Mallory happens to
have a machine (mallory.example.net) on the network path between Alice
and bob.example.org.

mallory.example.net intercepts the traffic, and answers to Alice as
though it were bob.example.org.

Alice asks mallory.example.net to prove that it is bob.example.org by
supplying it a random token to sign.

mallory.example.net in turn opens a connection to the real
bob.example.org, pretending to be Alice, and hands it the same token,
which bob.example.org signs and returns to mallory.example.net.

mallory.example.net replays bob.e.o's signature to Alice to establish
its fake identity.

 ----

If bob.example.org uses the same key for other purposes (e.g.
identity certification, or more generally as a primary key), there are
still other attacks that are possible.

Why design your own protocol?  There are several public-key-based
network authentication protocols (using OpenPGP or not) which already
exist and have been vetted, many of which have free implementations you
can use!  For example, you could use RFC 5081 (TLS with OpenPGP
certificates).  This is not widely adopted at the moment, but it is
implemented in recent versions of GnuTLS.

As a rule of thumb, any asymmetric key which is set up to automatically
sign arbitrary plaintext provided by possible attackers is opening the
door to potential compromise.

	--dkg
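The relay described in the message above, played out in code, together with the kind of fix a vetted protocol applies. This is an added example written for this archive page, not code from the thread or from GnuPG. It stands in an Ed25519 key for the server's OpenPGP key, models bob.example.org as a `Server` type, and uses an X25519 shared secret per connection as a stand-in for a TLS channel binding; the tag string `example-server-auth-v1`, the function names and the message layout are all this example's own assumptions. The domain-separation tag also addresses the "same key for other purposes" and "sign arbitrary plaintext" points: the key never signs a client-chosen string on its own, only a message whose first field says what the signature is for.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain-separation tag (assumed name): a signature made for this protocol
// can never be mistaken for one the same key makes for any other purpose.
const authTag = "example-server-auth-v1"

// Server models bob.example.org. The Ed25519 key is a constructed stand-in
// for the server's real OpenPGP key.
type Server struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewServer(name string) *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{Name: name, priv: priv, Pub: pub}
}

// SignRaw is the scheme asked about in the thread: sign whatever the client sends.
func (s *Server) SignRaw(token []byte) []byte { return ed25519.Sign(s.priv, token) }

// channelBinding identifies one particular connection: the hash of an X25519
// shared secret between its two endpoints. An attacker who terminates both
// legs of a relay gets two different secrets, one per leg. A real deployment
// would use a TLS channel binding (tls-unique / tls-exporter) here instead.
func channelBinding(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	secret, err := mine.ECDH(peer)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(secret)
	return sum[:]
}

// authMessage is what the hardened server signs: tag, its own name, the client
// token and the binding of the connection it is answering on, NUL-separated.
func authMessage(serverName string, token, binding []byte) []byte {
	return bytes.Join([][]byte{[]byte(authTag), []byte(serverName), token, binding}, []byte{0})
}

func (s *Server) SignBound(token, binding []byte) []byte {
	return ed25519.Sign(s.priv, authMessage(s.Name, token, binding))
}

// VerifyBound is the client's check: the signature must cover the name the
// client meant to reach and the binding of the client's own connection.
func VerifyBound(pub ed25519.PublicKey, wantServer string, token, binding, sig []byte) bool {
	return ed25519.Verify(pub, authMessage(wantServer, token, binding), sig)
}

func newEphemeral() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func newToken() []byte {
	token := make([]byte, 32)
	rand.Read(token)
	return token
}

// RelayRaw plays out the thread's scenario against the raw scheme: Mallory
// answers Alice, forwards her token to the real Bob, and hands Bob's
// signature back. Returns whether Alice accepts it (she does).
func RelayRaw(bob *Server) bool {
	token := newToken()          // Alice's challenge, seen by Mallory
	sig := bob.SignRaw(token)    // Bob signs it for "Alice" (really Mallory)
	return ed25519.Verify(bob.Pub, token, sig)
}

// RelayBound plays out the same relay against the bound scheme. Mallory
// terminates both legs, so Alice's binding and Bob's binding differ.
func RelayBound(bob *Server) bool {
	token := newToken()
	alice, malloryS := newEphemeral(), newEphemeral() // leg 1: Alice <-> Mallory
	aliceBinding := channelBinding(alice, malloryS.PublicKey())
	malloryC, bobE := newEphemeral(), newEphemeral() // leg 2: Mallory <-> Bob
	bobBinding := channelBinding(bobE, malloryC.PublicKey())
	sig := bob.SignBound(token, bobBinding) // the only thing Bob will sign
	return VerifyBound(bob.Pub, bob.Name, token, aliceBinding, sig)
}

// HonestBound is a direct Alice <-> Bob connection under the bound scheme.
func HonestBound(bob *Server) bool {
	token := newToken()
	alice, bobE := newEphemeral(), newEphemeral()
	sig := bob.SignBound(token, channelBinding(bobE, alice.PublicKey()))
	return VerifyBound(bob.Pub, bob.Name, token, channelBinding(alice, bobE.PublicKey()), sig)
}

func main() {
	bob := NewServer("bob.example.org")
	fmt.Println("raw scheme, relayed signature accepted:  ", RelayRaw(bob))
	fmt.Println("bound scheme, honest connection accepted:", HonestBound(bob))
	fmt.Println("bound scheme, relayed signature accepted:", RelayBound(bob))
}
```

The binding only helps because it comes from a key exchange the attacker has to terminate in order to speak to Alice at all; an attacker who merely forwards the Diffie-Hellman values untouched ends up with a channel whose secret it does not know, which is exactly why vetted protocols such as TLS (and RFC 5081 on top of it) put the authentication inside the keyed channel rather than signing a bare client-chosen token.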
