path: root/openpgp/src/packet/signature.rs
author: Justus Winter <justus@sequoia-pgp.org>  2020-12-07 17:45:25 +0100
committer: Justus Winter <justus@sequoia-pgp.org>  2020-12-07 18:03:42 +0100
commit: 4a971af5abe70d41485df141a3d9fa97eaab5f1c
tree: ee5e9f04f5b44837836950e65afef3c6206aff16 /openpgp/src/packet/signature.rs
parent: d05f6cecbaeda0be9eae6a80517c1839d581545e
openpgp: Include a random salt when creating signatures.
- This makes it harder for an attacker to convince a victim to sign a
  predetermined text.  See Leurent, G. and Peyrin, T., 2020.  SHA-1 is a
  Shambles, Section 7.2:

  > [...] if the serial number is unpredictable then the [chosen
  > prefix] collision attack is thwarted as a crucial part of the
  > hashed input is not controlled by the attacker.

- We use 32 bytes of randomness, which provides plenty of entropy, yet
  is way smaller than the block size of the average hash function.
  Adding random data that is included in the signature provides an
  opportunity to mutate this data to attack the hash function.
  Limiting the amount to less than the block size should avoid this
  concern.

- We use a notation to include the data, because this is the least
  intrusive way to add it.  It is also self-describing.

- Fixes #597.
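The subpacket layout the commit message describes, as an added example that is not Sequoia code: it encodes the salt as a notation subpacket the way this example reads the patch's `set_notation(..., None, false)` call (binary, i.e. not flagged human-readable, and non-critical), parses a hashed subpacket area back to check that the salt is present, binary and exactly 32 octets, and assembles the octets a v4 signature hash covers so one can see where the notation ends up relative to the signed data. Encodings and offsets follow RFC 4880 (sections 5.2.3.1, 5.2.3.16 and 5.2.4); the creation-time value, document bytes and algorithm IDs used as sample input are constructed for the example.

```python
# Added example, not Sequoia code: the salt notation as it appears in a v4
# signature's hashed subpacket area, and where that area sits in the bytes the
# signature hash covers.  Encodings follow RFC 4880 sections 5.2.3.1 (subpacket
# lengths), 5.2.3.16 (notation data) and 5.2.4 (v4 hash computation).
import os
import struct

SALT_NOTATION = b"salt@notations.sequoia-pgp.org"
SUBPACKET_SIG_CREATION_TIME = 2
SUBPACKET_NOTATION_DATA = 20
NOTATION_FLAG_HUMAN_READABLE = 0x80  # high bit of the first flags octet


def subpacket_length(n):
    """Encode a subpacket length (type octet plus body) per RFC 4880 5.2.3.1."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def subpacket(sub_type, body, critical=False):
    """A complete subpacket: length, type octet (bit 7 = critical), body."""
    type_octet = sub_type | (0x80 if critical else 0)
    return subpacket_length(len(body) + 1) + bytes([type_octet]) + body


def notation_subpacket(name, value, human_readable=False, critical=False):
    """Notation data: 4 flag octets, 2-octet name and value lengths, name, value."""
    flags = bytes([NOTATION_FLAG_HUMAN_READABLE if human_readable else 0, 0, 0, 0])
    body = flags + struct.pack(">HH", len(name), len(value)) + name + value
    return subpacket(SUBPACKET_NOTATION_DATA, body, critical)


def salt_subpacket(salt=None):
    """32 random octets in a binary, non-critical notation, mirroring how this
    example reads the patch's set_notation(..., None, false) call."""
    if salt is None:
        salt = os.urandom(32)
    return notation_subpacket(SALT_NOTATION, salt)


def parse_subpackets(area):
    """Return [(type, critical, body), ...] for every subpacket in an area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        type_octet = area[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]))
        i += length
    return out


def find_salt(hashed_area):
    """Return the salt notation's value, or None if there is none.  Rejects a
    salt that is flagged human-readable or is not exactly 32 octets."""
    for sub_type, _critical, body in parse_subpackets(hashed_area):
        if sub_type != SUBPACKET_NOTATION_DATA:
            continue
        name_len, value_len = struct.unpack(">HH", body[4:8])
        name = body[8:8 + name_len]
        value = body[8 + name_len:8 + name_len + value_len]
        if name != SALT_NOTATION:
            continue
        if body[0] & NOTATION_FLAG_HUMAN_READABLE:
            raise ValueError("salt notation must not be flagged human-readable")
        if len(value) != 32:
            raise ValueError("salt notation must carry exactly 32 octets")
        return value
    return None


def v4_hash_input(data, sig_type, pk_algo, hash_algo, hashed_area):
    """The octets a v4 signature hash covers (RFC 4880 5.2.4): the signed data,
    then version, type, algorithms, hashed-area length and the hashed area
    itself, then the trailer 0x04 0xff and the big-endian length of those
    hashed signature fields."""
    hashed_fields = (bytes([4, sig_type, pk_algo, hash_algo])
                     + struct.pack(">H", len(hashed_area)) + hashed_area)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_fields))
    return data + hashed_fields + trailer


if __name__ == "__main__":
    # Constructed input: a creation-time subpacket (arbitrary timestamp) plus a salt.
    area = (subpacket(SUBPACKET_SIG_CREATION_TIME, struct.pack(">I", 1607360000))
            + salt_subpacket())
    salt = find_salt(area)
    # Binary document signature (type 0x00), EdDSA (22), SHA-256 (8).
    covered = v4_hash_input(b"constructed document", 0x00, 22, 8, area)
    assert covered.index(salt) > len(b"constructed document")
    print("salt:", salt.hex())
```

`find_salt` is the check a verifier-side tool would run over a real signature's hashed area: it tolerates any other subpackets, accepts only a binary 32-octet value under the `salt@notations.sequoia-pgp.org` name, and returns None rather than failing when a signature simply predates the change.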
Diffstat (limited to 'openpgp/src/packet/signature.rs')
-rw-r--r--  openpgp/src/packet/signature.rs  6
1 file changed, 6 insertions, 0 deletions
diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs
index 9128332d..7021f9a4 100644
--- a/openpgp/src/packet/signature.rs
+++ b/openpgp/src/packet/signature.rs
@@ -1588,6 +1588,12 @@ impl SignatureBuilder {
.set_issuer_fingerprint(signer.public().fingerprint())?;
}
+ // Add a salt to make the signature unpredictable.
+ let mut salt = [0; 32];
+ crate::crypto::random(&mut salt);
+ self = self.set_notation("salt@notations.sequoia-pgp.org",
+ salt, None, false)?;
+
self.sort();
Ok(self)
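Review bot: the salt goes into the hashed subpacket area, but for a v4 signature (RFC 4880 section 5.2.4) that area is hashed after the signed data, so for two documents that form a chosen-prefix collision it is a suffix common to both; with a Merkle-Damgård hash such as SHA-1 the colliding internal state reached after the attacker's data survives any shared suffix, and the serial-number remark quoted in the commit message relies on the unpredictable value preceding the attacker-controlled bytes (in X.509 the serial number comes before the public key). Please either document this limitation in the comment above `let mut salt = [0; 32];` or state which attack the salt is meant to frustrate (for example one that needs the attacker to predict the complete hash input). Two smaller points for the same lines: the salt is added unconditionally, so a builder on which a caller has already set a `salt@notations.sequoia-pgp.org` notation ends up with two of them, and there is no way to request a deterministic signature for tests or reproducible output; skipping the `set_notation` call when such a notation is already present, plus an opt-out, would cover both.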