On Hash Function Firewalls in Signature Schemes

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2271)


Abstract

The security of many signature schemes depends on the verifier’s assurance that the same hash function is applied during signature verification as during signature generation. Several schemes provide this assurance by appending a hash function identifier to the hash value. We show that such “hash function firewalls” do not necessarily prevent an opponent from forging signatures with a weak hash function and we give “weak hash function” attacks on several signature schemes that employ such firewalls. We also describe a new signature forgery attack on PKCS #1 v1.5 signatures, possible even with a strong hash function, based on choosing a new (and suspicious-looking) hash function identifier as part of the attack.
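As an added illustration (not code from the paper), the sketch below shows the PKCS #1 v1.5 layout in which a hash function identifier precedes the hash value, together with a verifier-side check that rebuilds the encoding from its own policy hash instead of reading the identifier out of the signature. It assumes the RSA public-key operation has already produced the encoded message bytes; the function names and the sample message are hypothetical.

```python
import hashlib
import hmac

# DER DigestInfo prefixes: the "hash function identifier" placed before the hash value.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """Return 00 01 FF..FF 00 || identifier || H(message), em_len bytes long."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def check_encoded_message(em: bytes, message: bytes, policy_hash: str) -> bool:
    """Accept em only if it equals the encoding under the verifier's own hash.

    The identifier bytes inside em are never parsed, so they cannot select
    the hash function; any other identifier simply fails the comparison.
    """
    try:
        expected = emsa_pkcs1_v15_encode(message, policy_hash, len(em))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(em, expected)

def demo() -> dict:
    msg = b"constructed sample message"
    k = 256  # assumed modulus length in bytes (2048-bit key)
    good = emsa_pkcs1_v15_encode(msg, "sha256", k)
    other_hash = emsa_pkcs1_v15_encode(msg, "sha1", k)
    # Constructed: same layout, one OID byte changed to an unrecognised value.
    prefix = DIGEST_INFO_PREFIX["sha256"]
    odd_id = good[:-51] + prefix[:14] + b"\x7f" + prefix[15:] + good[-32:]
    return {
        "policy hash": check_encoded_message(good, msg, "sha256"),
        "different hash identifier": check_encoded_message(other_hash, msg, "sha256"),
        "unrecognised identifier": check_encoded_message(odd_id, msg, "sha256"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Comparing against a locally rebuilt encoding is a general hardening practice and is shown here only to make the identifier-plus-hash structure concrete; it is not presented as the paper's own countermeasure.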



Author information

Burton S. Kaliski Jr., RSA Laboratories, 20 Crosby Drive, 01730, Bedford, MA, USA

Editor information

Bart Preneel, Department of Electrical Engineering, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, 3001, Leuven-Heverlee, Belgium

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Kaliski, B.S. (2002). On Hash Function Firewalls in Signature Schemes. In: Preneel, B. (eds) Topics in Cryptology — CT-RSA 2002. CT-RSA 2002. Lecture Notes in Computer Science, vol 2271. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45760-7_1
