
## 4.3 Digital signatures

In this section we will provide some information about digital signatures, how they work, and give the rationale for disabling some of the algorithms used.

Digital signatures work by using somebody’s secret key to sign some data; anybody else can then use that person’s public key to verify the signature. Because the data may be of arbitrary length it is not suitable as direct input to a digital signature algorithm, which operates on a fixed-size value. For this reason, and also for performance, a cryptographic hash algorithm is used to preprocess the input: what is actually signed is the hash of the message. This works only as long as it is hard enough to generate two different messages with the same hash output. Otherwise the same signature would be valid proof for both messages. Nobody wants to sign an innocent message donating 1 € to Greenpeace and find out that he has donated 1.000.000 € to Bad Inc.

For a hash algorithm to be called cryptographic the following three requirements must hold:

- Preimage resistance. The algorithm must be one way: given the output *H(x)* of the hash function, it is infeasible to calculate *x*.
- 2nd preimage resistance. Given a pair *x, y* with *y = H(x)*, it is infeasible to calculate an *x'* (different from *x*) such that *y = H(x')*.
- Collision resistance. It is infeasible to calculate any two distinct values *x* and *x'* such that *H(x') = H(x)*.

The last two requirements in the list are the most important for
digital signatures. They protect against somebody who would like to
generate two messages with the same hash output, so that a signature
over one of them also verifies over the other. When an algorithm is
considered broken it usually means that collisions can be found with
less work than the generic brute-force attack. Because of the birthday
paradox, that brute-force attack takes only about
*2^{((hash size) / 2)}*
operations, not *2^{(hash size)}*: an attacker does not need to match
one particular hash value, only to find any two inputs that agree.
Today colliding certificates using the MD5 hash algorithm have been
generated, as shown in [*WEGER*].
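The following is an added example, not code from GnuTLS or from this manual, that ties the two points above together: hash-then-sign, and why a birthday collision on the hash transfers a signature from an innocent message to a malicious one. It uses a toy textbook-RSA key built from two small fixed primes (a deliberately insecure stand-in for a real key) and a truncated SHA-256 standing in for a hash whose collision resistance is too small. The message formats and the `bits` parameter are constructed for the illustration; with `bits=32` the two-list birthday search needs on the order of *2^{16}* hashes per list, which runs in well under a second.

```python
import hashlib

# Toy RSA key from two small fixed primes. Constructed for illustration only:
# real keys are at least 2048 bits and use proper padding (e.g. RSA-PSS).
P, Q = 1000003, 1000033
N = P * Q                      # ~2^40, so any hash value below 2^39 is a valid message
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # modular inverse; requires Python 3.8+
MAX_BITS = N.bit_length() - 1  # largest hash width that still fits below N


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: a stand-in for a hash that is too short."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def sign(message: bytes, bits: int) -> int:
    """Hash-then-sign: the signature is computed over H(message), not the message."""
    if not 1 <= bits <= MAX_BITS:
        raise ValueError("hash width must fit below the modulus")
    return pow(truncated_hash(message, bits), D, N)


def verify(message: bytes, signature: int, bits: int) -> bool:
    """Recover the signed hash with the public key and compare with H(message)."""
    return pow(signature, E, N) == truncated_hash(message, bits)


def find_cross_collision(bits: int, innocent_fmt: bytes, malicious_fmt: bytes,
                         limit: int = 1 << 24):
    """Two-list birthday search: vary a harmless reference number in both an
    innocent and a malicious message until one of each hashes to the same value.
    Returns (innocent, malicious, hashes_computed), or None if `limit` is hit."""
    innocent, malicious = {}, {}
    for i in range(limit):
        m1 = innocent_fmt % i
        h1 = truncated_hash(m1, bits)
        if h1 in malicious:
            return m1, malicious[h1], 2 * i + 1
        innocent[h1] = m1

        m2 = malicious_fmt % i
        h2 = truncated_hash(m2, bits)
        if h2 in innocent:
            return innocent[h2], m2, 2 * i + 2
        malicious[h2] = m2
    return None


def demo(bits: int = 32) -> dict:
    """Sign the innocent message, then show the same signature verifies the evil one."""
    found = find_cross_collision(
        bits,
        b"Donate 1 EUR to Greenpeace, ref %d",          # constructed sample message
        b"Donate 1000000 EUR to Bad Inc, ref %d",       # constructed sample message
    )
    if found is None:
        raise RuntimeError("no collision within the search limit")
    innocent, evil, hashes = found
    sig = sign(innocent, bits)
    return {
        "innocent": innocent,
        "evil": evil,
        "signature": sig,
        "verifies_innocent": verify(innocent, sig, bits),
        "verifies_evil": verify(evil, sig, bits),
        "hashes_computed": hashes,
        "birthday_bound": 2 ** (bits // 2),   # 2^(hash size / 2) from the text
    }


if __name__ == "__main__":
    r = demo(32)
    print("signed   :", r["innocent"])
    print("also OK  :", r["evil"], "->", r["verifies_evil"])
    print("hashes   :", r["hashes_computed"], "vs birthday bound", r["birthday_bound"])
```

Raising `bits` by two doubles the number of hashes the search needs, which is the *2^{(hash size)/2}* scaling the text describes; at 128 bits (MD5) the generic search is already far out of reach, which is why the MD5 certificate collisions in [*WEGER*] relied on cryptanalytic shortcuts rather than this brute-force approach.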

There have been cryptanalytic results against the SHA-1 hash algorithm
as well, although they were not yet critical when this was written.
Before 2004, MD5 had a presumed collision strength of *2^{64}*, but it
has been shown to have a collision strength well under *2^{50}*. As of
November 2005, it was believed that SHA-1’s collision strength was
around *2^{63}*. We consider this sufficiently hard that we still
support SHA-1. We anticipate that SHA-256/384/512 will be used in
publicly-distributed certificates in the future. When *2^{63}*
can be considered too weak compared to the computing power available
sometime in the future, SHA-1 will be disabled as well. The collision
attacks on SHA-1 may also get better, given the new interest in tools
for creating them. Practical SHA-1 collisions have since been
demonstrated (the first public one in 2017), so SHA-1 should be
treated as unsuitable for signatures today.


This document was generated on *January 21, 2012* using *texi2html 5.0*.