[1982] in cryptography@c2.net mail archive
Re: Whitespace: What should a signature sign?
daemon@ATHENA.MIT.EDU (Rick Smith)
Thu Dec 18 13:15:09 1997
In-Reply-To: <199712180523.VAA23063@proxy3.ba.best.com>
Date: Thu, 18 Dec 1997 11:50:35 -0600
To: "James A. Donald" <jamesd@echeque.com>, cryptography@c2.net
From: Rick Smith <smith@securecomputing.com>
There's an old jawcracker word we use around here: "canonicalization"
It refers to the notion of taking some relatively free form data and
forcing it into a standard format before doing some important operation on
it. This simplifies the software doing the important operation.
In IPSEC authentication, for example, a secure hash is computed across the
entire IP address header, which includes fields that might change during
the delivery process. To handle this, the digital signature is computed
against a "canonical" version of the packet header in which all of the
fields that might change during delivery are all set to zero (packet hop
count, for example). But the "real" packet with the "real" values needed
for transmission is sent, not the canonical version. The recipient simply
resets the same fields to zero before recomputing the hash.
In this case, you could preprocess the e-mail message before computing your
digital signature. You don't actually have to change the message itself,
you just have to interpret the contents in a particular way when you
compute the signature.
In your case, you might define "newline" as a piece of data to be
canonicalized -- always convert them to a standard form before computing
the checksum. You might be able to define a similar thing for handling the
angle bracket in front of the word >From: correctly.
However, you should not allow too much modification, since every thing you
do to permit uncontrolled variation will increase the risk that an attacker
can manipulate a message maliciously without invalidating the signature.
It's a tricky line to walk.
Rick.
smith@securecomputing.com Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores
