[Mac_crypto] Apple should use SHA! (or stronger) to
authenticate software releases
R. A. Hettinga
mac_crypto@vmeng.com
Mon, 12 Apr 2004 23:04:19 -0400
--- begin forwarded text
Delivered-To: cryptography@metzdowd.com
From: "Joseph Ashwood" <ashwood@msn.com>
To: <cryptography@metzdowd.com>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
authenticate software releases
Date: Mon, 12 Apr 2004 18:00:26 -0700
Sender: owner-cryptography@metzdowd.com
Sorry about being late to the party, I've been a bit busy lately.
> From: Nicko van Someren <nicko@ncipher.com>
> Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
> authenticate software releases
> To: mac_crypto@vmeng.com
> Sender: mac_crypto-admin@vmeng.com
> Reply-To: mac_crypto@vmeng.com
> List-Id: Macintosh Cryptography <mac_crypto.vmeng.com>
> List-Post: <mailto:mac_crypto@vmeng.com>
> List-Help: <mailto:mac_crypto-request@vmeng.com?subject=help>
> List-Subscribe: <http://www.vmeng.com/mailman/listinfo/mac_crypto>,
> <mailto:mac_crypto-request@vmeng.com?subject=subscribe>
> List-Archive: <http://www.vmeng.com/pipermail/mac_crypto/>
> Date: Wed, 7 Apr 2004 12:53:56 +0100
>
> It's not clear to me that you need all this complexity. All you need
> is to arrange that the attacker does not know exactly what will be
> signed until it has been signed. So you append some randomness from a
> good random number source to the end of the file just before you sign
> it, and you're safe.
I'm not quite sure that's a good solution; that random tail provides exactly
what the attacker needs to make this as easy as possible. Since the random
tail cannot be known beforehand, it cannot be known by the user of the patch.
If anything this would actually make an attack easier. It is only if the
random data is from a _bad_ random source that you might actually gain some
security (a bad source would at the very least have redundancy, internal or
external, that could be verified by the end user, making it more complex to
compute valid numbers). Instead it would probably be more useful to include
the same random number between each file; this should short circuit all but
the most fatal of hash flaws, but might open up other possibilities (I don't
have the time right now to prove things about it).
On a related note does anyone happen to know of any useful papers on
patching, specifically patch integrity/source verification?
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
--- end forwarded text
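The scheme under discussion, as an added illustration that is not part of the thread: the signer appends a fresh random tail to the release before hashing and signing, and the tail must be shipped alongside the signature, since (as Joe notes) the verifier cannot otherwise know it. The asymmetric signature is abstracted away; an HMAC over the SHA-256 digest stands in for it, the `rng` parameter and `SignedRelease` type are this example's own assumptions, and the inputs are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, NamedTuple


class SignedRelease(NamedTuple):
    """What the publisher must distribute: the random tail and the signature."""
    tail: bytes
    signature: bytes


def signing_input(release: bytes, tail: bytes) -> bytes:
    # The bytes actually signed are release || tail, so nobody can know the
    # exact signed message before the signer draws the tail.
    return release + tail


def sign_release(release: bytes, key: bytes,
                 rng: Callable[[int], bytes] = os.urandom) -> SignedRelease:
    tail = rng(32)  # 32 bytes from a good random source (rng is injectable for tests)
    digest = hashlib.sha256(signing_input(release, tail)).digest()
    # Stand-in for an asymmetric signature over the digest (assumption of this example).
    signature = hmac.new(key, digest, hashlib.sha256).digest()
    return SignedRelease(tail, signature)


def verify_release(release: bytes, signed: SignedRelease, key: bytes) -> bool:
    # The verifier must rebuild release || tail exactly; without the published
    # tail the digest, and hence the signature check, cannot be reproduced.
    digest = hashlib.sha256(signing_input(release, signed.tail)).digest()
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signed.signature)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    release = b"constructed installer bytes"
    signed = sign_release(release, key)
    print("with tail:   ", verify_release(release, signed, key))
    print("without tail:", verify_release(release, SignedRelease(b"", signed.signature), key))
```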
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'