Cryptography Reference
An interesting related attack for handwritten signatures occurs when a new
payment card that is being mailed out to a user is intercepted by an attacker in
the postal system. The attacker can then sign the user's name in the attacker's
handwriting on the back of the card and masquerade as the user (hopefully only
until the first monthly bill is received). The attacker is able to conduct this attack
without any knowledge of the victim's handwritten signature.
In order to prevent attacks of this type on verification keys, it is necessary to
put into place sound processes for authenticating verification keys. This same
problem arises for public keys that are being used for public-key encryption. We
will discuss this topic in Chapter 11.
SECURITY OF THE HASH FUNCTION
Digital signature schemes with appendix could also be attacked, at least in theory,
by finding collisions in the underlying hash function. We discussed an attack of
this type in Section 6.2.3. It is thus very important that any hash function that
is used to support a digital signature scheme with appendix provides collision
resistance (see Section 6.2.1). If this is in any doubt then all digital signatures
created using that hash function could become contestable.
7.4.2 Using digital signature schemes with encryption
Recall from Section 6.3.6 that many applications require both confidentiality and
data origin authentication, which is a topic that we discussed within the context of
symmetric cryptography. The case for requiring both of these security services is
even stronger in environments using public-key cryptography. This is because the
potentially wide availability of a public encryption key makes it easy for anyone to
send an encrypted message to the public key owner, without it necessarily being
clear who the originator of the message was.
In many applications it may thus be desirable to both encrypt and digitally
sign some data. The main problem with trying to combine encryption and digital
signatures in an application is that the two 'obvious' methods based on using
two separate primitives have fundamental security problems. These problems
are independent of the digital signature scheme that is used. We will assume
in the following discussion that we are using a digital signature scheme with
appendix.
Sign-then-encrypt. This essentially involves Alice digitally signing the data and
then encrypting the data and the digital signature using Bob's public encryption
key. However, in this case a bad recipient Bob can:
1. decrypt and recover the data and the digital signature;
2. encrypt the data and the digital signature using Charlie's public encryption key;
3. send this ciphertext to Charlie, who decrypts it and verifies Alice's digital
signature.
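The three steps above can be traced with the following added example, which is not code from the original text. It uses toy textbook RSA with constructed keys and sample data, and all function and variable names are assumptions. The accepts() check is a commonly used countermeasure (naming the intended recipient inside the signed data) that is not described in this section.

```python
import hashlib

# Toy textbook RSA (no padding, constructed Mersenne-prime keys): it shows the
# protocol flaw only and must not be used to protect real data.
E = 65537

def keypair(p, q):
    n = p * q
    return n, E, pow(E, -1, (p - 1) * (q - 1))   # (modulus, public exp, private exp)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):                 # signature with appendix: sign the hash
    n, _, d = key
    return pow(digest(data, n), d, n)

def verify(data, sig, key):          # uses only the public part (n, e)
    n, e, _ = key
    return pow(sig, e, n) == digest(data, n)

def encrypt(data, sig, key):         # uses only the public part (n, e)
    n, e, _ = key
    return pow(int.from_bytes(data, "big"), e, n), pow(sig, e, n)

def decrypt(ct, key):
    n, _, d = key
    m, sig = pow(ct[0], d, n), pow(ct[1], d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big"), sig

ALICE = keypair(2**61 - 1, 2**89 - 1)        # signing key pair
BOB = keypair(2**107 - 1, 2**127 - 1)        # encryption key pair
CHARLIE = keypair(2**521 - 1, 2**607 - 1)    # encryption key pair
MSG = b"To: Bob; pay 100"                    # constructed sample data

def forwarded(data):
    """Run steps 1-3; return what Charlie recovers and whether it verifies."""
    to_bob = encrypt(data, sign(data, ALICE), BOB)   # Alice: sign, then encrypt
    d, s = decrypt(to_bob, BOB)                      # step 1
    to_charlie = encrypt(d, s, CHARLIE)              # step 2
    d2, s2 = decrypt(to_charlie, CHARLIE)            # step 3
    return d2, verify(d2, s2, ALICE)

def accepts(data, sig, me):
    """Assumed countermeasure: the signed data itself names the recipient."""
    return verify(data, sig, ALICE) and data.startswith(b"To: " + me + b";")

if __name__ == "__main__":
    print(forwarded(MSG))
    print(accepts(MSG, sign(MSG, ALICE), b"Charlie"))
```

Alice's signature verifies for Charlie because nothing in the signed data or in the signature depends on the encryption key that was used; only a recipient check on the signed content lets Charlie notice that the data was addressed to Bob.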
 