> SHA and MD5 are weak algorithms [and we do not use it since now]. But
> what about old digitally signed documents? There is a protocol to
> re-sign our old digitally signed documents [hashed using SHA or MD5]?
Not really.
One solution if someone has a large store of digitally signed documents
where the original signer is not available is to rehash them with a better
algorithm and use that hash to create a digital timestamp (of document +
original signature) that the document existed before this was easily
exploitable. Then the original signature is still preserved and can be
verified, knowing that if there is a new timestamp of whatever date your
risk assessment decides is too late to be secure any longer, that then
the document was not compromised by these weaknesses.
That assumes of course that these are not trivial weaknesses to exploit.
I still advocate using multiple hashes and public key algorithms to sign
documents - for instance, 5 years ago I would have said to use RSA + MD5
and DSA + SHA1 to create two separate digital signatures for each
document. I would have said the security was mathematically as strong as
the strongest individual signature. I would not say that "Well, SHA1 is
168 bits and MD5 is 128 bits, so the security is 168+128 bits." I would
have said, "I don't want to bet everything on the fact that there isn't
someone that finds a novel way to crack one of these algorithms due to a
weakness no one previously knew about." None of the mathematical proofs
of strength can account for the "lucky break", but I can account for it
somewhat with risk management and multiple algorithms.
> SHA and MD5 are weak algorithms [and we do not use it since now]. But
> what about old digitally signed documents? There is a protocol to
> re-sign our old digitally signed documents [hashed using SHA or MD5]?
Not really.
One solution if someone has a large store of digitally signed documents
where the original signer is not available is to rehash them with a better
algorithm and use that hash to create a digital timestamp (of document +
original signature) that the document existed before this was easily
exploitable. Then the original signature is still preserved and can be
verified, knowing that if there is a new timestamp of whatever date your
risk assessment decides is too late to be secure any longer, that then
the document was not compromised by these weaknesses.
That assumes of course that these are not trivial weaknesses to exploit.
I still advocate using multiple hashes and public key algorithms to sign
documents - for instance, 5 years ago I would have said to use RSA + MD5
and DSA + SHA1 to create two separate digital signatures for each
document. I would have said the security was mathematically as strong as
the strongest individual signature. I would not say that "Well, SHA1 is
168 bits and MD5 is 128 bits, so the security is 168+128 bits." I would
have said, "I don't want to bet everything on the fact that there isn't
someone that finds a novel way to crack one of these algorithms due to a
weakness no one previously knew about." None of the mathematical proofs
of strength can account for the "lucky break", but I can account for it
somewhat with risk management and multiple algorithms.
--
Joel
[ reply ]