[Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

Nicko van Someren mac_crypto@vmeng.com
Tue, 13 Apr 2004 15:41:54 +0100

On 13 Apr 2004, at 4:04, R. A. Hettinga wrote:
> From: "Joseph Ashwood" <ashwood@msn.com>
>> It's not clear to me that you need all this complexity.  All you need
>> is to arrange that the attacker does not know exactly what will be
>> signed until it has been signed.  So you append some randomness from a
>> good random number source to the end of the file just before you sign
>> it, and you're safe.
> I'm not quite sure that's a good solution, that random tail provides
> exactly what the attacker needs to make this as easy as possible. Since
> the random tail cannot be known beforehand it cannot be known by the
> user of the patch. If anything this would actually make an attack
> easier. It is only if the random data is from a _bad_ random source
> that you might actually gain some security (a bad source would at the
> very least have redundancy, internal or external, that could be
> verified by the end user, making it more complex to compute valid
> numbers). Instead it would probably be more useful to include the same
> random number between each file, this should short circuit all but the
> most fatal of hash flaws, but might open up other possibilities (I
> don't have the time right now to prove things about it).

It's true that putting randomness on the tail is a bad idea if the
attacker stands any chance of controlling the supposedly random data.
That's why you need to buy a good solid hardware security module with
the ability to limit the use of the signing keys to only be used by
your custom code that adds hardware generated random padding!

(Of course I would say that, wouldn't I :-)
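The following is an added illustration, not code from this thread or from any of its posters: a Python sketch of the scheme the first quoted message proposes, signing H(file || r) with randomness r that the signer generates itself after the file has been handed over, and publishing r next to the signature so the verifier can recompute the hash. A deliberately weak 24-bit toy hash (truncated SHA-256) stands in for a flawed hash function so that a benign/malicious colliding pair can be found in seconds, and an HMAC under a constructed key stands in for the vendor's digital signature; the key, the file prefixes and the padding format are all made up for the example. It shows that a collision prepared before signing carries a signature from the benign file to the malicious one in the plain scheme, but not once the signer appends randomness the attacker could not predict, which is precisely the precondition the reply above attaches to the idea.

```python
import hashlib
import hmac
import secrets

TOY_DIGEST_BYTES = 3  # 24-bit digest: weak enough that a collision is found in seconds


def toy_hash(data: bytes) -> bytes:
    """Deliberately weak hash (SHA-256 truncated to 24 bits), standing in for a
    flawed hash function; in the real threat a collision attack plays this role."""
    return hashlib.sha256(data).digest()[:TOY_DIGEST_BYTES]


def find_collision(benign_prefix: bytes, malicious_prefix: bytes, max_tries: int = 1 << 20):
    """Birthday search for a benign file and a malicious file with equal toy hashes.
    This is what someone who knows exactly which bytes will be signed can prepare
    in advance; both candidates end in a harmless-looking padding comment."""
    seen = {}  # toy hash -> (family tag, candidate bytes)
    for n in range(max_tries):
        pad = b"\n# pad: " + n.to_bytes(4, "big").hex().encode()
        for tag, prefix in ((b"benign", benign_prefix), (b"malicious", malicious_prefix)):
            candidate = prefix + pad
            h = toy_hash(candidate)
            other = seen.get(h)
            if other is not None and other[0] != tag:
                # Cross-family collision: return (benign, malicious) in that order
                return (candidate, other[1]) if tag == b"benign" else (other[1], candidate)
            seen.setdefault(h, (tag, candidate))
    raise RuntimeError("no collision found within max_tries")


def sign_plain(key: bytes, data: bytes) -> bytes:
    """Plain scheme: sign the hash of exactly the bytes the attacker could predict.
    HMAC is a constructed stand-in for the vendor's signature algorithm."""
    return hmac.new(key, toy_hash(data), "sha256").digest()


def verify_plain(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_plain(key, data), sig)


def sign_salted(key: bytes, data: bytes):
    """Salted scheme: the signer appends randomness it generates itself, after the
    attacker has committed to the file, and publishes the salt with the signature."""
    salt = secrets.token_bytes(16)
    return salt, hmac.new(key, toy_hash(data + salt), "sha256").digest()


def verify_salted(key: bytes, data: bytes, salt: bytes, sig: bytes) -> bool:
    """The verifier recomputes H(file || salt) from the published salt, so it does
    not need to know the salt in advance; only the attacker must not."""
    return hmac.compare_digest(hmac.new(key, toy_hash(data + salt), "sha256").digest(), sig)


def demo(key: bytes = b"constructed-demo-signing-key"):
    """Returns (plain_transfers, salted_transfers): whether a signature issued on the
    benign file also verifies on its precomputed malicious twin under each scheme."""
    benign, malicious = find_collision(b"benign: installer v1.0", b"malicious: installer v1.0")
    assert toy_hash(benign) == toy_hash(malicious)

    sig = sign_plain(key, benign)
    plain_transfers = verify_plain(key, malicious, sig)  # True: the collision carries over

    salt, sig2 = sign_salted(key, benign)
    # False (except with probability 2^-24 for this toy hash): the collision was found
    # for H(file), not for H(file || salt), and the salt did not exist when it was found
    salted_transfers = verify_salted(key, malicious, salt, sig2)
    return plain_transfers, salted_transfers


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the two booleans. Two caveats follow from the code rather than being settled by it: the salt helps only while the signer's random source is outside the attacker's reach, which is the condition the reply above insists on, and it is no remedy for a hash so weak that a collision for H(file || salt) can be found after the salt has been published.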