LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Sign with salt

Sign with salt

Posted Jun 30, 2009 12:00 UTC (Tue) by forthy (guest, #1525)
Parent article: Dealing with weakness in SHA-1

One way to improve the strength of a signature is to sign with salt, i.e. sign random number + document instead of document alone (you can put the random number into the hash key accumulator as starting point). This basically removes the possibility to create a pair of documents that will result with the same hash in advance, because the random number of the signer is still unknown (unless of course, the hash has a vulnerability, where a known sequence of bytes removes the history in the accumulator). This is a remedy that can be implemented right now, even with SHA-1. Several of the SHA-3 proposals recommend something in that direction, though e.g. Bruce Schneier recommends to start with your public key as salt - this is less useful, since the public key is known to the attacker. Though a document with several signers makes it a lot more difficult for him.

(Log in to post comments)

Sign with salt

Posted Jul 1, 2009 6:28 UTC (Wed) by xoddam (subscriber, #2322) [Link]

To clarify -- I don't think I'm disagreeing with you -- a salt has to be shared if a third party is to check the signature.

Effectively, someone can provide you with a document to sign, and instead of signing the document you give you, you add some nonce to it and sign the result instead. The nonce (salt) can be from /dev/urandom or some ascii art or whatever. Then you and/or the originating party can forward the document you *did* sign, including the nonce, to whomever it concerns.

The reason for not salting with your own public key is not that other people *can* know your public key; but that an attacker doesn't know it in advance and therefore cannot prepare two documents with the same hash *and* the same salt before presenting one to you to sign.

Historically, salts were used for preventing dictionary attacks on /etc/passwd on the same principle: an attacker might know all the words in the dictionary in advance, but cannot possibly pre-compute each of them with every possible salt. But if /etc/passwd is world-readable, the attacker knows a much smaller range of possible salts in advance too, hence /etc/shadow and hence your recommendation for randomness.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds