Bernard Dautrevaux <[EMAIL PROTECTED]> writes:
> It's even worse than that: Alice can agree with Bob to the original
> contract, and have Bob sign it. THEN she has:
> - The contract itself (which can be used to generate the MD5 digest)
> - Bob's signed MD5 digest
>
> Then applying the birthday attack she can fiddle with the "better-for-her"
> contract till it generates the same MD5 digest. The mere fact the MD5 digest
> is the same makes Bob's signature "match" this contract.

You misunderstand the birthday attack, which involves creating two messages which have the same (previously unknown) digest. The birthday attack requires you to create the message pair upfront, before the signature occurs.

The attack you describe, creating a document with a SPECIFIC digest, is 2^n hard (where n is the length of the hash). (Assuming, of course, that no attack better than brute force is known for the digest in question.)

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
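The distinction Eric draws above (a collision between two messages chosen upfront costs about 2^(n/2) trials, while matching the digest of a document that is already fixed and signed costs about 2^n) can be seen directly by running both searches against a deliberately truncated hash. The following is an added example, not code from the thread or from the OpenSSL project; it truncates MD5 to a small number of bits purely so that both searches finish in seconds, and the contract text, message prefixes and the 18-bit width are constructed for the demonstration. Both searches scale the same way, it is only the exponent that differs.

```python
import hashlib
import math


def trunc_digest(msg: bytes, n_bits: int) -> int:
    """MD5 truncated to its top n_bits, so a 2^n search is feasible here.
    (Assumption for the demo: the truncated function behaves like a random
    n-bit oracle, i.e. brute force is the best attack, as the post assumes.)"""
    full = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return full >> (128 - n_bits)


def birthday_collision(n_bits: int):
    """Collision search: find ANY two distinct messages with the same digest.
    Neither message is fixed in advance, which is why this must be done
    before a signature exists. Returns (msg_a, msg_b, trials)."""
    seen = {}  # digest -> first message that produced it
    i = 0
    while True:
        m = b"draft-%d" % i  # constructed candidate documents
        d = trunc_digest(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1


def second_preimage(target: bytes, n_bits: int):
    """Second-preimage search: the target is already fixed (and signed), so we
    need a DIFFERENT message with that SPECIFIC digest. Expected ~2^n trials.
    Returns (forged_msg, trials)."""
    td = trunc_digest(target, n_bits)
    i = 0
    while True:
        m = b"forgery-%d" % i  # constructed candidate documents
        if m != target and trunc_digest(m, n_bits) == td:
            return m, i + 1
        i += 1


def expected_trials(n_bits: int) -> dict:
    """Textbook expectations: ~sqrt(pi/2 * 2^n) for a collision, 2^n for a
    second preimage of a fixed target."""
    return {
        "birthday": math.sqrt(math.pi / 2 * 2 ** n_bits),
        "second_preimage": float(2 ** n_bits),
    }


if __name__ == "__main__":
    N = 18  # constructed: 18-bit digest keeps both searches under a few seconds
    contract = b"contract: Bob pays Alice 100 EUR"  # constructed signed document

    a, b, k = birthday_collision(N)
    print("birthday collision after %d trials: %r == %r" % (k, a, b))

    forged, j = second_preimage(contract, N)
    print("second preimage of the signed contract after %d trials: %r" % (j, forged))

    print("expected:", expected_trials(N))
```

With an 18-bit digest the collision typically appears after a few hundred trials and the second preimage after a few hundred thousand; doubling n adds one bit to the collision exponent but two to the second-preimage exponent, which is exactly why a signature over an already-fixed document is not exposed to the birthday bound.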