Re: [FDE] Digital Signatures for checking message integrity

From: Dave Howe <DaveHowe.Pentest@xxxxxxxxxxxxxx>
Date: Mon, 27 Oct 2008 21:03:33 +0000

John wrote:

Hi all,

I was hoping to get some clarification about "integrity checking" with
Digital Signatures.

Digital signatures are commonly described as having both the
properties of authenticating the message AND checking the integrity of
a message.

Background: I'm creating a digital signature by generating SHA256 of
the file which is then signed using RSA.

My question is this: is the level of "integrity checking" of Digital
Signatures as good as or equivalent to the plain old integrity
checking you would get if you manually compared the hashes?

Yes. Its the same.

For example, are there any flaws in the digital signature verification
process which mean that it's not as good for checking integrity as if
you had the hash of the file (through some trusted manner).

Maybe.

most DS require that you first solve the key distribution problem.
Normally, this is done by manual verification out of band, or by a
reputation game (web of trust and appeal to assumed authority
(Commercial CA's being the usual example - who wouldn't have needed to
introduce a "EV" certificate if their normal certificates could be trusted)

attacks usually revolve around being able to forge a digital signature;
obviously, in order to do that you must either compromise the secret key
of an authorized signer, or the verification chain of the person doing
the check; the most common way to do the latter is to push a new CA
certificate onto the recipient's machine using GPO or a simple registry
hack, then issue yourself a "valid" signing key in whatever name strikes
your fancy, using the CA you have just created.

when it comes down to it, DS are just a "trusted manner" to get a hash
for the file - no more, no less. how much trust they deserve depends on
how much trust you can place in the asymmetric key used to create them.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Prev by Date: Re: [FDE] Information leakage with publicly visible hash/signature
Next by Date: ICMP route test
Previous by thread: Re: [FDE] Information leakage with publicly visible hash/signature
Next by thread: ICMP route test
Index(es):
- Date
- Thread

Relevant Pages

Re: Benefits of Digital Signed email (are there really any?)
... email in order to include a legal footer or disclaimer. ... the integrity of the message. ... Only someone with the sender's private key ... digital signatures to avoid inaccurate attributions by less ...
(microsoft.public.windows.server.sbs)
Wake up, Witless! (not rhetorical)
... common with the actual human meaning of the word. ... any bearing on human-defined integrity. ... You have leveled the accusation that various RAOers "lack ... Atkinson has never claimed that mocking fools is ...
(rec.audio.opinion)
Wake up, Witless! (not rhetorical)
... common with the actual human meaning of the word. ... any bearing on human-defined integrity. ... You have leveled the accusation that various RAOers "lack ... Atkinson has never claimed that mocking fools is ...
(rec.audio.opinion)
Re: Question for Sacky
... Witless scratches at the door. ... latter's own integrity. ... common with the actual human meaning of the word. ... Atkinson has never claimed that mocking fools is ...
(rec.audio.opinion)
Re: Finding Date File Created
... Chuck Anderson • Boulder, CO ... Integrity is obvious. ... The lack of it is common. ...
(comp.lang.php)