Cryptography Reference
6.3.3 Security of Signatures
In his attacks against Alice's signature, Mallory is interested in putting her
valid signature on a different or modified document. He has two possibilities.
1. Mallory finds a second document to his liking that yields the same
hash value. (Anybody can calculate the hash value from the document by
means of the hash function, i.e., it is not secret.) This is an attack against
the one-way hash function.
2. Mallory finds Alice's private key. He can now sign any document he
wants in Alice's name.
Attacking the Asymmetric Method—The Remote-Future Problem
Let's look at the second possibility. The following threats arise from using an
asymmetric cipher.
1. Alice's private key is spied out. There are many ways to do this.
Alice could be more careful and destroy her private key once she has
signed all important documents. Doing so costs her nothing, because her
public key remains known and can still be used to check the signature.
I'm afraid, however, that Alice will not be as careful in practice, and
she wouldn't be able to — nobody changes their public key as often as
they change their shirt.
2. Mallory could pretend his public key is Alice's public key and sign a
document himself. We discussed this threat in Section 4.5.2. It can be
excluded with sufficient certainty.
3. Mallory breaks the asymmetric method, in this case RSA. It is generally
thought that this is currently not possible for sufficiently large prime
factors.
4. Finally, Mallory could mount the chosen-ciphertext attack described in
Section 4.5.3. In the simplest case, he puts a faked hash value on a
document and has Alice sign it.
In a narrower sense, this is not an attack against the signature itself, but Mallory
could recover one of Alice's session keys in this way. This is worth something
indeed.
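The threat in item 4, as an added example that is not from the book: with unpadded textbook RSA, signing is the same private-key operation as decrypting, so a signer that accepts a caller-supplied "hash value" decrypts whatever it is handed, while a signer that hashes the document itself does not. The toy key, the function names and the sample session key are assumptions constructed for illustration, as is the premise that Alice uses one key pair for both decryption and signing.

```python
import hashlib

# Toy textbook-RSA key (constructed for illustration; far too small and
# unpadded for real use). P and Q are the Mersenne primes 2^61-1 and 2^89-1.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Alice's private exponent

def encrypt_to_alice(m: int) -> int:
    """What any sender does with Alice's public key (textbook RSA)."""
    return pow(m, E, N)

def sign_supplied_hash(hash_value: int) -> int:
    """Weak signer: applies the private key to whatever 'hash' it is handed."""
    return pow(hash_value, D, N)

def sign_document(document: bytes) -> int:
    """Hardened signer: computes the hash itself, then signs only that."""
    h = int.from_bytes(hashlib.sha256(document).digest(), "big") % N
    return pow(h, D, N)

def verify(document: bytes, signature: int) -> bool:
    """Anyone can check a signature with the public key (E, N)."""
    h = int.from_bytes(hashlib.sha256(document).digest(), "big") % N
    return pow(signature, E, N) == h

def demo():
    session_key = 0x00112233445566778899AABBCCDDEEFF   # constructed sample
    ciphertext = encrypt_to_alice(session_key)          # value sent to Alice
    # Weak signer: the "signature" over the supplied value IS the plaintext.
    leaked = sign_supplied_hash(ciphertext)
    # Hardened signer: the same bytes are treated as a document and hashed
    # first, so the private-key operation never touches them directly.
    doc = ciphertext.to_bytes(32, "big")
    safe_sig = sign_document(doc)
    return session_key, leaked, safe_sig, verify(doc, safe_sig)

if __name__ == "__main__":
    key, leaked, safe_sig, ok = demo()
    print("weak signer output equals session key:    ", leaked == key)
    print("hardened signer output equals session key:", safe_sig == key)
    print("hardened signature verifies:              ", ok)
```
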
Let's hope that Alice's signature program computes the hash value itself. The
probability that this value represents a ciphertext to Mallory's liking is not