[368] in cryptography@c2.net mail archive
Re: Q: security of 2-barreled hashing
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon Mar 17 13:32:48 1997
In-Reply-To: <3.0.32.19970317115936.0072cc74@mail-60.openmarket.com>
Date: Mon, 17 Mar 1997 12:50:17 -0400
To: "Lawrence C. Stewart" <stewart@openmarket.com>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: cryptography@c2.net
Lawrence C. Stewart clarified:
>I was ambiguous, I think. Here's another try.
>
>Suppose I have a message m and the matching valid signature H(m)
>= (SHA(m), CRC(m)).  The message is transmitted as (m,H(m)).
>
>By virtue of cleverness, I have located a different message m' such
>that SHA(m') = SHA(m), but alas, CRC(m)!= CRC(m').
>
>I create a new hash, H(m') = (SHA(m), CRC(m')), and attach it to
>my new message m', giving (m',H(m')) which is accepted by
>the recipient.
>
>This works because I can disassemble H(m) into its two parts,
>use the SHA part and replace the CRC part.  I can replace the CRC
>part because it does not depend on anything I don't know.
>I think the technical name for this is "splicing".
>
>-Larry
>
I think you are overlooking the point that H(m) must be signed. The message
is actually transmitted as (m, S(H(m))), where S is some signature function
dependent on the originator's secret key.
If you can create m' such that H(m') = H(m), you can transmit (m', S(H(m)))
and it will be accepted. But changing the CRC component of H(m) will
invalidate the signature:
S((SHA1(m), CRC(m'))) != S((SHA1(m), CRC(m)))
Arnold Reinhold
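The splice Larry describes and the rebuttal above, worked through in Python as an added example that is not part of the original thread. It makes three assumptions so that it runs offline: the SHA component is modelled by SHA-1 truncated to 16 bits, purely so that a second message m' with a colliding "SHA" part can actually be found by brute force (this says nothing about SHA-1 itself); the signature S is modelled by HMAC-SHA256 under a constructed secret key, a symmetric stand-in for the originator's key-dependent signature function; and the message text, key and attacker prefix are constructed.

```python
import hashlib
import hmac
import zlib
from itertools import count

# Constructed secret; stands in for the originator's signing key.
KEY = b"originator-secret-key-example"


def weak_sha(m: bytes) -> bytes:
    """Stand-in for SHA(m): SHA-1 truncated to 16 bits.

    The truncation is an assumption of this example, made only so that
    the thread's premise (an attacker who already holds m' with
    SHA(m') == SHA(m)) can be reproduced by brute force here.
    """
    return hashlib.sha1(m).digest()[:2]


def crc(m: bytes) -> bytes:
    """CRC(m) as 4 big-endian bytes."""
    return zlib.crc32(m).to_bytes(4, "big")


def H(m: bytes) -> bytes:
    """The two-barreled hash H(m) = (SHA(m), CRC(m)), concatenated."""
    return weak_sha(m) + crc(m)


def S(h: bytes) -> bytes:
    """S(h): keyed stand-in (HMAC) for the signature over the hash."""
    return hmac.new(KEY, h, hashlib.sha256).digest()


def find_second_preimage(m: bytes, prefix: bytes = b"FAKE-") -> bytes:
    """Attacker's 'cleverness': search for m' != m with the same SHA part
    but a different CRC part (feasible only because weak_sha is 16 bits)."""
    target = weak_sha(m)
    for i in count():
        cand = prefix + str(i).encode()
        if cand != m and weak_sha(cand) == target and crc(cand) != crc(m):
            return cand


def verify_unsigned(m: bytes, h: bytes) -> bool:
    """Recipient who receives a bare (m, H(m)) and only recomputes H."""
    return hmac.compare_digest(H(m), h)


def verify_signed(m: bytes, sig: bytes) -> bool:
    """Recipient who receives (m, S(H(m))): recompute H(m), check S over it."""
    return hmac.compare_digest(S(H(m)), sig)


def splice_attack_demo(m: bytes) -> dict:
    """Run both recipients against the honest message and the spliced one."""
    h, sig = H(m), S(H(m))
    m2 = find_second_preimage(m)
    spliced = weak_sha(m) + crc(m2)  # keep the SHA part, swap in CRC(m')
    return {
        "honest_unsigned": verify_unsigned(m, h),
        "honest_signed": verify_signed(m, sig),
        # Larry's splice: accepted when H travels unsigned.
        "spliced_unsigned_accepted": verify_unsigned(m2, spliced),
        # Arnold's point: replaying S(H(m)) with m' fails, CRC(m') != CRC(m).
        "replayed_sig_rejected": not verify_signed(m2, sig),
        # And S((SHA(m), CRC(m'))) != S((SHA(m), CRC(m))), so the attacker
        # cannot obtain the needed signature from the one he holds.
        "spliced_sig_differs": S(spliced) != sig,
    }


if __name__ == "__main__":
    for k, v in splice_attack_demo(b"Pay Larry $100").items():
        print(f"{k}: {v}")
```

The first recipient is the one Larry's scenario implicitly assumes: it checks only that H recomputed over the received message matches the attached pair, so reusing SHA(m) and recomputing CRC(m') is enough. The second recipient checks the signature over the whole pair, so the attacker's choices are to replay S(H(m)), which fails because H(m') != H(m), or to supply S over the spliced pair, which he cannot compute without the key.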