Burton S. Kaliski Jr.
Citation: B.S. Kaliski Jr. On hash function firewalls in signature schemes. In B. Preneel, editor, Topics in Cryptology — CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, Springer, 2002, pages 1-16. © Springer-Verlag.
Presented at RSA Conference 2002, San Jose, CA, USA, February 18-22, 2002. Preliminary versions presented to the IEEE P1363 Working Group, Boston, MA, USA, June 2, 2000; at AT&T Research, Florham Park, NJ, USA, August 13, 2001; and at the MIT Laboratory for Computer Science Cryptography and Information Security Group, Cambridge, MA, USA, October 5, 2001.
Abstract: The security of many signature schemes depends on the verifier's assurance that the same hash function is applied during signature verification as during signature generation. Several schemes provide this assurance by appending a hash function identifier to the hash value. We show that such "hash function firewalls" do not necessarily prevent an opponent from forging signatures with a weak hash function, and we give "weak hash function" attacks on several signature schemes that employ such firewalls. We also describe a new signature forgery attack on PKCS #1 v1.5 signatures, possible even with a strong hash function, based on choosing a new (and suspicious-looking) hash function identifier as part of the attack.
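As an added illustration (not code from the paper, and not the forgery attack it describes), here is the PKCS #1 v1.5 firewall seen from the verifier's side. The DigestInfo prefixes are the ones RFC 8017 lists; the RSA key generation is textbook and for demonstration only; the function names and the sample message are this example's own. It contrasts a verifier that honours whichever hash identifier the signature carries with one that pins the hash it expects and compares the whole encoded message, which is the check the abstract's argument calls for.

```python
import hashlib
import hmac
import secrets

# DER DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header) from
# RFC 8017, section 9.2, note 1. The OID inside is the hash function
# identifier that the "firewall" binds to the hash value.
DIGESTINFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin, adequate for a demonstration key.
    if n < 4:
        return n > 1
    if any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=1024, e=65537):
    """Toy textbook RSA key (n, e, d) of exactly `bits` bits; no CRT, no blinding."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

def emsa_pkcs1_v15_encode(hash_name, message, em_len):
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with T = DigestInfo prefix || H(message)."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign(key, hash_name, message):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(hash_name, message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def _recover_em(pubkey, signature):
    n, e = pubkey
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")

def verify_trusting_identifier(pubkey, message, signature):
    """Lets the signature say which hash was used: parse DigestInfo, look the
    identifier up, hash with whatever was found. The firewall tells this
    verifier which hash was applied; it cannot make that hash a strong one."""
    em = _recover_em(pubkey, signature)
    if em is None or em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # PS must be >= 8 bytes of 0xff
        return False
    t = em[sep + 1:]
    for name, prefix in DIGESTINFO_PREFIX.items():
        if t.startswith(prefix):
            return hmac.compare_digest(t[len(prefix):], hashlib.new(name, message).digest())
    return False

def verify_pinned(pubkey, expected_hash, message, signature):
    """Pins the hash: rebuild the whole EM with the hash the relying party
    requires and compare byte for byte (the comparison RFC 8017 recommends).
    No identifier from the signature is consulted at all."""
    em = _recover_em(pubkey, signature)
    if em is None:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(expected_hash, message, len(em)))

def run_demo(bits=1024):
    """Sign one constructed message with SHA-256 and with MD5; report each verifier's verdict."""
    key = generate_key(bits)
    pub = key[:2]
    msg = b"constructed sample: transfer 100 to account 42"   # constructed input
    strong = sign(key, "sha256", msg)
    weak = sign(key, "md5", msg)   # what an MD5-using signer, or an opponent holding an MD5 collision, presents
    return {
        "sha256_trusting": verify_trusting_identifier(pub, msg, strong),      # True
        "sha256_pinned":   verify_pinned(pub, "sha256", msg, strong),         # True
        "md5_trusting":    verify_trusting_identifier(pub, msg, weak),        # True: identifier honoured
        "md5_pinned":      verify_pinned(pub, "sha256", msg, weak),           # False: not the pinned hash
        "tampered_pinned": verify_pinned(pub, "sha256", msg + b"!", strong),  # False
    }
```

Call run_demo() to see the verdicts: the MD5-identified signature is accepted by the identifier-trusting verifier and rejected by the pinned one. Because the pinned verifier only ever compares against an encoding it built itself, an identifier it has never seen cannot match either; nothing in the signature gets to select the hash.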
Paper (© Springer-Verlag)
Slides (CT-RSA 2002 version)
Slides (June 2000 version)