
Let's say I have a cipher-module / cryptography-service that signs a hash of some unknown payload.

What are the possible attacks that I would need to guard against in this context (primarily assuming RSA algorithm but it could also be EC-DSA algorithm)?

With regard to RSA, to guard against chosen-ciphertext attacks as noted here, I have come up with the following scheme.

  1. Client calculates SHA-256 hash of payload.
  2. Client sends hash to server for timestamping.
  3. Server receives hash, generates a nonce.
  4. Server concatenates nonce (server-generated-random) and the hash (client-input) and calculates hash on the concatenated string.
  5. Server signs the hash that it calculated and returns the signature and the nonce back to client.

What I'd like to know is:

  1. Is the above a standard approach for this type of use case?
  2. Is there a better scheme than plain concatenation?
  3. I guess RSA OAEP / PSS schemes are intended to guard against such attacks for RSA, but I am more inclined towards the above since it is independent of the algorithm (RSA/DSA). Am I correct in this assumption?
Ravindra HV
    Your description has mixed up cipher suites (encryption schemes) and digital signatures in a confusing way. For the rest, I hardly get what you are trying to achieve here. Better use tested and well-scrutinized schemes like PSS (which is provably as secure as the RSA problem) – Manish Adhikari Mar 03 '21 at 08:24
    OAEP is an encryption scheme which should be protected against people trying to decrypt or distinguish anything the legitimate system has not decrypted for you, using CPA/CCA type attacks. PSS is a signature scheme designed to prevent others using a chosen-message attack from forging signatures on messages the system has not signed – Manish Adhikari Mar 03 '21 at 08:30
  • The idea is to reduce load on the cryptographic devices when the payload sizes are large (MB/GB's rather than in KB's). So one solution is to pre-calculate the hash on conventional systems and just ask the cryptographic-device to sign the hash provided as a direct input. However this scheme opens up possibility for chosen-plaintext attacks. So need to come up with a scheme to guard against it. – Ravindra HV Mar 04 '21 at 04:12
  • Your scheme does rely on the collision-resistance property of the hash function, lest an adversary forge signatures by creating a collision on large data. Another thing is, while the server may be generally blind to the actual message: would it be a problem in your application if the server detects a seen message from the hash, though? It may be a good thing, because it allows the server to deny any responsibility about the actual message. – Manish Adhikari Mar 04 '21 at 04:36
    And, you do not sign the hash. Hashing in whatever way it is done is part of the signature scheme and cannot be separated. For example in EdDSA, the way hashing is done, it does not rely on collision resistant property of hash function (even though I would not use MD5 or SHA1). But with your scheme, even if you use EdDSA, your hash function CANNOT be ANYTHING BUT COLLISION RESISTANT, in other words, it gives less security guarantee than the signature scheme (EdDSA) used. – Manish Adhikari Mar 04 '21 at 04:43
  • When I said 'sign-the-hash' I meant to imply that we simply apply the private key on the hash of the payload. That is how it works for RSA. But it looks like the threat is valid only for RSA. In any case will take it as a 'yes' in that the above mentioned scheme is better than just blind signing given the above problem-statement. – Ravindra HV Mar 05 '21 at 16:59
  • Simply applying the private key is textbook RSA, which is a function used to build cryptographic primitives and not a signature scheme by itself. Hashing a message and then applying the private key is a signature scheme, but PSS (which has a more sophisticated way of calculating the extract from the message probabilistically) is provably as secure as the RSA primitive. And like I said, you would be calculating the signature on $nonce || H(m)$ and not on the message $m$. And if it is used to validate a message, your hash MUST be collision resistant. Applying EdDSA on the message, however, would not require it. – Manish Adhikari Mar 05 '21 at 17:09
  • And I am not saying it is a threat. SHA-256 is collision resistant so far, so it works. In RSA-PSS the message representative (which requires hashing and adding some nonce padding and hashing together and stuff, which you can look up yourself; I cannot remember it off the top of my head) is calculated by the signer, the owner of the private key, and not by the one providing the message, which your scheme suggests. Thus, more than likely it won't be as secure as RSA-PSS, for instance – Manish Adhikari Mar 05 '21 at 17:13
  • On the contrary, given that the nonce is being generated in the above approach the message-generator / client will have no control over the nonce (since nonce is being generated at server end). Can always have the signer go with RSA-PSS with the hash of the original message as input and the concatenation of the nonce and the original-hash as the new message and sign that. – Ravindra HV Mar 07 '21 at 16:08
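The five-step scheme from the question, combined with the variant from the last comment (the signer applies RSA-PSS to nonce || H(m) instead of raw textbook RSA), as an added Go example using only the standard library; it is not code from the poster or the commenters. The function names (ClientDigest, ServerSign, Verify), the Response type and the 32-byte nonce length are assumptions made here, and the payload is a constructed sample standing in for the MB/GB inputs the question mentions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NonceSize is the length of the server-generated nonce (assumption: 32 bytes).
const NonceSize = 32

// pssOpts pins the PSS salt length so signer and verifier agree on it.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// Response is what the server returns to the client (step 5).
type Response struct {
	Nonce     []byte
	Signature []byte
}

// ClientDigest is step 1: the client hashes the (possibly huge) payload
// on a conventional system, so the device only ever sees 32 bytes.
func ClientDigest(payload []byte) []byte {
	h := sha256.Sum256(payload)
	return h[:]
}

// signedDigest is step 4: SHA-256 over nonce || H(payload). Both parts are
// fixed length, so plain concatenation is unambiguous.
func signedDigest(nonce, clientHash []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(clientHash)
	return h.Sum(nil)
}

// NewServerKey generates the signing key held by the cryptographic device.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ServerSign is steps 3-5. The device never applies its private key to a
// client-chosen value: it signs a digest it computed itself over a nonce it
// chose, and it uses RSA-PSS rather than the textbook RSA primitive.
func ServerSign(priv *rsa.PrivateKey, clientHash []byte) (*Response, error) {
	if len(clientHash) != sha256.Size {
		return nil, errors.New("client hash must be exactly 32 bytes")
	}
	nonce := make([]byte, NonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signedDigest(nonce, clientHash), pssOpts)
	if err != nil {
		return nil, err
	}
	return &Response{Nonce: nonce, Signature: sig}, nil
}

// Verify recomputes the digest from the payload and the returned nonce and
// checks the PSS signature. An altered payload or nonce fails here, under the
// assumption (as the comments note) that SHA-256 stays collision resistant.
func Verify(pub *rsa.PublicKey, payload []byte, resp *Response) error {
	if resp == nil || len(resp.Nonce) != NonceSize {
		return errors.New("malformed response")
	}
	d := signedDigest(resp.Nonce, ClientDigest(payload))
	return rsa.VerifyPSS(pub, crypto.SHA256, d, resp.Signature, pssOpts)
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; real inputs are MB/GB files hashed client-side.
	payload := []byte("constructed sample payload")
	resp, err := ServerSign(priv, ClientDigest(payload))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine payload verifies:", Verify(&priv.PublicKey, payload, resp) == nil)
	fmt.Println("altered payload verifies:", Verify(&priv.PublicKey, []byte("tampered"), resp) == nil)
}
```

Because the nonce and the SHA-256 digest are both fixed length, the plain concatenation in step 4 is already unambiguous, which is the answer to the question's second point: no separator or length prefix is needed as long as the verifier enforces the nonce length, as Verify does. What the scheme does not remove is the dependence on collision resistance of the client-side hash: the device signs over H(m), so two payloads with the same SHA-256 digest share a valid signature. Replacing rsa.SignPSS/VerifyPSS with ecdsa.SignASN1/VerifyASN1 from the standard library leaves everything else unchanged, which is the algorithm independence the question is after.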

0 Answers