
Sign with salt

Posted Jun 30, 2009 12:00 UTC (Tue) by forthy (guest, #1525)
Parent article: Dealing with weakness in SHA-1

One way to improve the strength of a signature is to sign with salt, i.e., sign random number + document instead of the document alone (you can put the random number into the hash accumulator as the starting point). This basically removes the possibility of creating, in advance, a pair of documents that will result in the same hash, because the signer's random number is still unknown (unless, of course, the hash has a vulnerability where a known sequence of bytes removes the history in the accumulator). This is a remedy that can be implemented right now, even with SHA-1. Several of the SHA-3 proposals recommend something in that direction, though e.g. Bruce Schneier recommends starting with your public key as salt; this is less useful, since the public key is known to the attacker. Though a document with several signers makes it a lot more difficult for him.


Sign with salt

Posted Jul 1, 2009 6:28 UTC (Wed) by xoddam (subscriber, #2322)

To clarify -- I don't think I'm disagreeing with you -- a salt has to be shared if a third party is to check the signature.

Effectively, someone can provide you with a document to sign, and instead of signing the document they give you, you add some nonce to it and sign the result instead. The nonce (salt) can be from /dev/urandom or some ASCII art or whatever. Then you and/or the originating party can forward the document you *did* sign, including the nonce, to whomever it concerns.

The reason for not salting with your own public key is not that other people *can* know your public key, but that an attacker doesn't know it in advance and therefore cannot prepare two documents with the same hash *and* the same salt before presenting one to you to sign.

Historically, salts were used for preventing dictionary attacks on /etc/passwd on the same principle: an attacker might know all the words in the dictionary in advance, but cannot possibly pre-compute each of them with every possible salt. But if /etc/passwd is world-readable, the attacker knows a much smaller range of possible salts in advance too, hence /etc/shadow and hence your recommendation for randomness.
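The scheme sketched in the two comments above (the signer prefixes a random number to the document before hashing, and forwards that number together with the signature so a third party can recompute the digest) as a worked example. This is added illustration, not code posted by either commenter: it uses RSA PKCS#1 v1.5 over a SHA-1 digest because the thread is about SHA-1, but nothing in the comments fixes the signature algorithm, the 32-byte salt length, or the `SignedDoc` envelope, which are all assumptions made here. The sample document is constructed inline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// SaltLen is the size of the random prefix. The comment only asks for "a
// random number"; 32 bytes is an assumption chosen here so that guessing it
// is hopeless.
const SaltLen = 32

// SignedDoc is what the signer hands back. The salt travels with the
// signature, because a verifier cannot recompute the digest without it.
type SignedDoc struct {
	Salt []byte // chosen by the signer, not by whoever supplied Doc
	Doc  []byte // the document exactly as it was presented for signing
	Sig  []byte // RSA PKCS#1 v1.5 signature over SaltedDigest(Salt, Doc)
}

// SaltedDigest feeds the salt into the hash state before the document, so
// the internal state an attacker would have to target when preparing two
// colliding documents is only fixed at signing time.
func SaltedDigest(salt, doc []byte) []byte {
	h := sha1.New()
	h.Write(salt)
	h.Write(doc)
	return h.Sum(nil)
}

// SignWithSalt draws a fresh salt from the OS CSPRNG and signs salt||doc
// rather than the document alone.
func SignWithSalt(priv *rsa.PrivateKey, doc []byte) (*SignedDoc, error) {
	salt := make([]byte, SaltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, SaltedDigest(salt, doc))
	if err != nil {
		return nil, err
	}
	return &SignedDoc{Salt: salt, Doc: doc, Sig: sig}, nil
}

// Verify recomputes the salted digest from the transmitted salt and checks
// the signature against it. Without the salt there is nothing to verify.
func Verify(pub *rsa.PublicKey, sd *SignedDoc) error {
	if sd == nil || len(sd.Salt) != SaltLen {
		return errors.New("salted signature: missing or malformed salt")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, SaltedDigest(sd.Salt, sd.Doc), sd.Sig)
}

// NewSignerKey generates a throwaway RSA key for the demonstration.
func NewSignerKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := NewSignerKey()
	// Constructed sample input: the document an outside party asks us to sign.
	doc := []byte("Pay 100 EUR to Alice, invoice #42\n")

	sd, err := SignWithSalt(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt=%x\n", sd.Salt)
	fmt.Println("genuine document:", Verify(&priv.PublicKey, sd))

	// A substituted document, even one prepared to collide with the original
	// under plain SHA-1, must now also collide under a salt chosen after the
	// pair was built.
	swapped := &SignedDoc{Salt: sd.Salt, Doc: []byte("Pay 100000 EUR to Mallory, invoice #42\n"), Sig: sd.Sig}
	fmt.Println("swapped document:", Verify(&priv.PublicKey, swapped))

	// A verifier who was not given the salt (here: all zeros) cannot check anything.
	noSalt := &SignedDoc{Salt: make([]byte, SaltLen), Doc: doc, Sig: sd.Sig}
	fmt.Println("salt not shared:", Verify(&priv.PublicKey, noSalt))

	// Signing the same document twice commits to two different digests, which
	// is exactly what the attacker cannot anticipate.
	sd2, _ := SignWithSalt(priv, doc)
	fmt.Println("digest repeats:", bytes.Equal(SaltedDigest(sd.Salt, doc), SaltedDigest(sd2.Salt, doc)))
}
```

The salt is written into the hash first, as the opening comment suggests, so the attacker's precomputation would have to start from a chaining value that does not exist yet; and the verifier, as the reply points out, needs that same salt sent along with the document and signature, which is why it is part of the envelope rather than a secret.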

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds