Language Selection

English French German Italian Portuguese Spanish

Hashing exploit threatens digital security

Filed under
Security

Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.

The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorises access to private information.

Digital signatures are used to authenticate website connections, emails and legal documents in some countries. They work because they are unique to the file or software that is signed, as they are created from the contents of the signed file. Therefore, if someone tries to cut a digital signature from one document and stick it to another, the signature fails because it no longer matches the document.

But now Stefan Lucks of the University of Mannheim and Magnus Daum of the Ruhr-University, Bochum, both in Germany, have come up with a way to create two documents that both have the same digital signature.

The attack exploits recently discovered holes in a type of publicly available algorithm called a hash function. These algorithms convert a digital file into a fixed-length string of bits (made up of "0"s and "1"s) called a hash, which is considered unique. The hash is then bound up with the digital signatory's key to generate their signature. The signature is verified by a trusted third party that removes the key and compares the remaining number with a hash of the document.

Full Article.

More in Tux Machines

Applications 16.12.1 and Frameworks 5.30.0 by KDE available in Chakra

The latest updates for KDE's Applications and Frameworks series are now available to all Chakra users, together with some other package upgrades. Applications 16.12.1 include more than 40 recorded bugfixes and improvements, including a data loss bug in iCal resource for kdepim-runtime. kdelibs got updated to 4.14.28. Frameworks 5.30.0 ship with the usual bugfixes and improvements, mostly found in breeze icons, kio and plasma-framework. Read more

Linux 4.10-rc5

Things seem to be calming down a bit, and everything looks nominal. There's only been about 250 changes (not counting merges) in the last week, and the diffstat touches less than 300 files (with drivers and architecture updates being the bulk, but there's tooling, networking and filesystems in there too). Read more Also: Linus Torvalds Announces Fifth Linux 4.10 Kernel RC, Everything Looks Nominal Linux 4.10-rc5 Released, Now Codenamed "Anniversary Edition"

Fedora 26 Linux to Enable TRIM for Better Performance of Encrypted SSD Disks

According to the Fedora 26 release schedule, the upcoming operating system is approaching an important milestone, namely the proposal submission deadline for system-wide changes, which is currently set for January 31. Read more Also: Fedora 26 Planning To Enable TRIM/Discard On Encrypted Disks

New CloudLinux 7 and CloudLinux 6 Linux Kernel Security Updates Pushed Into Beta

CloudLinux's Mykola Naugolnyi is informing users of the CloudLinux 7 and CloudLinux 6 enterprise-ready operating systems to upgrade their kernel packages immediately if they are using the Beta channel. Read more