Some thoughts about signing a document, e.g. a contract: 1. Someone, either Alice or Bob, will make a last change to the document proposal. WLOG Alice. 2. This might offer an attack vector regarding two versions of the document with the same hash value. 3. Alice sends the final draft to Bob for signing. Bob wants mitigation of this attack vector.
Can Bob modify the document in a defined way (i.e. a nonce inside the document rather an external salt while hashing and signing) which will solve the problem? Let's have Bob adding a line to the document: nonce1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 This example is obtained from ``echo foo | sha1sum'', but might be completely random. 4. Bob sends the document back to Alice for purpose of signing. Since Alice does not want Bob to prepare an evil document with different nonce, she adds a line to the document: nonce2: e242ed3bffccdf271b7fbaf34ed72d089537b42f obtained by ``echo bar | sha1sum'' for this example. If she sends it back to Bob, the problems starts all over again (infinite regress). On Tue, 10 Dec 2024 09:48:19 +0100 Bernhard Reiter via Gnupg-devel <[email protected]> wrote: > > There can be unwanted side effects of adding a nonce > (is what I understand from the example). As shown above, a trivial "solution" with a nonce does not really work. There are some implicit or explicit expectations which interfere here: - both sides sign the same document (symmetric) - nonces are inside the signed document - the time and place of signing are different (asymmetric), and - the time interval between signatures is big enough to create a good/evil hash collision - no third trust party involved The attack vector discussed refers to the asymmetric part which allows to modify both versions of the document (good and evil) to create a hash collision. A nonce inside the document mirrors the problem back. Are there any good solutions to the problem (workflow, best practice) besides hoping the hash algorithm will prevent such an attack in reasonable time? - external nonce/salt - signing two different documents The more I consider the problem, the more difficult it appears. kind regards Frank
pgpwhMswAd2mr.pgp
Description: OpenPGP digital signature
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
