Language Selection

English French German Italian Portuguese Spanish

Hashing exploit threatens digital security

Filed under
Security

Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.

The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorises access to private information.

Digital signatures are used to authenticate website connections, emails and legal documents in some countries. They work because they are unique to the file or software that is signed, as they are created from the contents of the signed file. Therefore, if someone tries to cut a digital signature from one document and stick it to another, the signature fails because it no longer matches the document.

But now Stefan Lucks of the University of Mannheim and Magnus Daum of the Ruhr-University, Bochum, both in Germany, have come up with a way to create two documents that both have the same digital signature.

The attack exploits recently discovered holes in a type of publicly available algorithm called a hash function. These algorithms convert a digital file into a fixed-length string of bits (made up of "0"s and "1"s) called a hash, which is considered unique. The hash is then bound up with the digital signatory's key to generate their signature. The signature is verified by a trusted third party that removes the key and compares the remaining number with a hash of the document.

Full Article.

More in Tux Machines

Android Leftovers

The Licensing and Compliance Lab interviews AJ Jordon of gplenforced.org

So basically Bradley Kuhn gave a talk at FOSDEM '17 about GPL enforcement and I was like, wow, it sucks how many companies and people think that enforcing the GPL is a bad idea. I mean, if you disagree with copyleft that's fine (though I personally would argue with that position), but then you should use a suitable license. Like MIT. The very idea that we shouldn't enforce the GPL just doesn't make sense to me because it suggests that the text of the license is watery and unimportant. I don't know about you, but when I say I want my programs to respect users' freedom, I mean it. So GPL enforcement is important. It seemed to me that there are probably a lot of developers out there who want to support GPL enforcement but don't have a good way to voice that support. gplenforced.org is essentially a quick and dirty hack I wrote to make that dead-simple. Read more

Red Hat General and Financial News

today's howtos