Security Basics mailing list archives
Re: Code Signing ???
From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 5 Sep 2005 07:14:38 -0700
On 9/5/05, Olaf Reitmaier Veracierta <olafrv () gmail com> wrote:
Attacking Hash Functions by Poisoned Messages - "The Story of Alice and her Boss" http://www.cits.rub.de/MD5Collisions/
You know you can use SHA1 in Code Signing, instead of md5.

In any case, a "Collision Attack < http://en.wikipedia.org/wiki/Collision_attack >" will not suffice in tampering with an arbitrary (given) piece of code from a legitimate vendor. A "Pre-image Attack < http://en.wikipedia.org/wiki/Pre-image_attack >" IS REQUIRED for that.

A collision attack on code-signing will work only if the attacker is writing both the innocuous and the malicious programs. In that case why would you trust even an innocuous program from an attacker (known mal-ware developer) ????

The distinction between a "pre-image attack" vs a "collision attack" is very critical when it comes to code signing.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
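The distinction drawn in the message above, as an added example that is not part of the original post: SHA-1 is truncated to 16 bits (an assumption, so both searches finish in seconds) and the work needed by an attacker who writes both files is compared with the work needed to match one fixed vendor file (a second pre-image). Function names and sample byte strings are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size (assumption); real SHA-1 is 160 bits


def toy_digest(data: bytes) -> int:
    """SHA-1 truncated to BITS bits so both searches finish quickly."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - BITS)


def find_collision():
    """Attacker writes BOTH files: any two variants with equal digests will do."""
    seen = {}
    for tries in count(1):
        candidate = b"attacker build #%d" % tries
        d = toy_digest(candidate)
        if d in seen:
            return seen[d], candidate, tries
        seen[d] = candidate


def find_second_preimage(signed: bytes):
    """Vendor's file is fixed: the forgery must hit that one digest exactly."""
    target = toy_digest(signed)
    for tries in count(1):
        candidate = b"tampered build #%d" % tries
        if candidate != signed and toy_digest(candidate) == target:
            return candidate, tries


def compare():
    vendor = b"vendor release 1.0 (constructed sample)"
    a, b, c_tries = find_collision()
    forged, p_tries = find_second_preimage(vendor)
    return {"collision": (a, b, c_tries),
            "second_preimage": (vendor, forged, p_tries)}


if __name__ == "__main__":
    r = compare()
    # Birthday bound: collisions cost on the order of 2^(BITS/2) tries,
    # matching a given digest costs on the order of 2^BITS tries.
    print("collision after %d tries (order of 2^%d)" % (r["collision"][2], BITS // 2))
    print("second pre-image after %d tries (order of 2^%d)"
          % (r["second_preimage"][2], BITS))
```

At full digest length the same gap is what separates the two attacks: the collision search scales with the square root of the digest space, the search against a given signed file with the whole space.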