From 35119b755db270ab43a8e1ec13577bc0f9846546 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield"
Date: Fri, 11 Dec 2020 14:41:17 +0100
Subject: openpgp: Pass the hash algo's security reqs to Policy::signature.
 - If the signer controls the data that is being signed, then the hash algorithm only needs second pre-image resistance.
 - This observation can be used to extend the life of hash algorithms that have been weakened, as is the case for SHA-1.
 - Introduces a new `enum HashAlgoSecurity`, which is now passed to `Policy::signature`.
 - See #595.
---
 openpgp/src/packet/unknown.rs | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'openpgp/src/packet/unknown.rs')
diff --git a/openpgp/src/packet/unknown.rs b/openpgp/src/packet/unknown.rs
index 086f1b32..86758601 100644
--- a/openpgp/src/packet/unknown.rs
+++ b/openpgp/src/packet/unknown.rs
@@ -4,6 +4,7 @@ use std::cmp::Ordering;
 use crate::packet::Tag;
 use crate::packet;
 use crate::Packet;
+use crate::policy::HashAlgoSecurity;
 /// Holds an unknown packet.
 ///
@@ -73,6 +74,35 @@ impl Unknown {
 }
 }
+ /// The security requirements of the hash algorithm for
+ /// self-signatures.
+ ///
+ /// A cryptographic hash algorithm usually has [three security
+ /// properties]: pre-image resistance, second pre-image
+ /// resistance, and collision resistance. If an attacker can
+ /// influence the signed data, then the hash algorithm needs to
+ /// have both second pre-image resistance, and collision
+ /// resistance. If not, second pre-image resistance is
+ /// sufficient.
+ ///
+ /// [three security properties]: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Properties
+ ///
+ /// In general, an attacker may be able to influence third-party
+ /// signatures. But direct key signatures, and binding signatures
+ /// are only over data fully determined by signer. And, an
+ /// attacker's control over self signatures over User IDs is
+ /// limited due to their structure.
+ ///
+ /// These observations can be used to extend the life of a hash
+ /// algorithm after its collision resistance has been partially
+ /// compromised, but not completely broken. For more details,
+ /// please refer to the documentation for [HashAlgoSecurity].
+ ///
+ /// [HashAlgoSecurity]: ../policy/enum.HashAlgoSecurity.html
+ pub fn hash_algo_security(&self) -> HashAlgoSecurity {
+ HashAlgoSecurity::CollisionResistance
+ }
+
 /// Gets the unknown packet's tag.
 pub fn tag(&self) -> Tag {
 self.tag
-- cgit v1.2.3
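Review bot: The doc comment on `hash_algo_security` explains when second pre-image resistance is enough, but it never says that this implementation unconditionally returns `HashAlgoSecurity::CollisionResistance`, or why. Nothing can be assumed about who controlled the contents of an unknown packet, so the stricter requirement is presumably the intended fail-safe default, and that deserves a sentence so a later maintainer does not relax it to match the prose about self-signatures. I would add `/// An unknown packet cannot be classified, so this always returns the conservative HashAlgoSecurity::CollisionResistance.` and reword the summary line, since "for self-signatures" does not describe an unknown packet. The enclosing `impl Unknown` block starts and ends outside the hunk.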