| rfc9955v2.txt | rfc9955.txt | |||
|---|---|---|---|---|
| skipping to change at line 1038 ¶ | skipping to change at line 1038 ¶ | |||
| a hybrid construct. | a hybrid construct. | |||
| Consider, for example, a simplistic hybrid approach using | Consider, for example, a simplistic hybrid approach using | |||
| concatenated component algorithms. If the hybrid signature is | concatenated component algorithms. If the hybrid signature is | |||
| stripped, such that a single component signature is submitted to a | stripped, such that a single component signature is submitted to a | |||
| verification algorithm for that component along with the message that | verification algorithm for that component along with the message that | |||
| was signed by the hybrid signature scheme, the result would be an | was signed by the hybrid signature scheme, the result would be an | |||
| EUF-CMA forgery for the component signature. This is because as the | EUF-CMA forgery for the component signature. This is because as the | |||
| component signing algorithm was not previously called for the | component signing algorithm was not previously called for the | |||
| message, the hybrid signing algorithm was used to generate the | message, the hybrid signing algorithm was used to generate the | |||
| signature. This is an example of a component algorithm forgery, an | signature. This is an example of a component algorithm forgery, | |||
| example of a cross-algorithm attack or cross-protocol attack. | which is a type of cross-algorithm attack or cross-protocol attack. | |||
| The component algorithm forgery verifier target does not need to be | The component algorithm forgery verifier target does not need to be | |||
| the intended recipient of the hybrid-signed message and may even be | the intended recipient of the hybrid-signed message and may even be | |||
| in an entirely different system. This vulnerability is particularly | in an entirely different system. This vulnerability is particularly | |||
| an issue among concatenated or nested hybrid signature schemes where | an issue among concatenated or nested hybrid signature schemes where | |||
| individual component verification could be possible. It should be | individual component verification could be possible. It should be | |||
| noted that policy enforcement of a hybrid verification does not | noted that policy enforcement of a hybrid verification does not | |||
| mitigate the issue on the intended message recipient: The component | mitigate the issue on the intended message recipient: The component | |||
| forgery could occur on any system that accepts the component keys. | forgery could occur on any system that accepts the component keys. | |||
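Review bot: The sentence directly above the changed lines, "This is because as the component signing algorithm was not previously called for the message, the hybrid signing algorithm was used to generate the signature.", is identical in both columns and still reads awkwardly ("because as"). It carries the whole EUF-CMA argument, so it deserves the same cleanup as the sentence being edited. Suggest something like "This is because the component signing algorithm was never called on the message; the signature was generated by the hybrid signing algorithm." The new "which is a type of" wording fixes the doubled "an example", but "cross-algorithm attack or cross-protocol attack" still presents the two terms as interchangeable. If they are meant as distinct categories, say which one a component algorithm forgery falls under. If they are synonyms, say so.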
| End of changes. 1 change blocks. | ||||
| 2 lines changed or deleted | 2 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||