Re: Re: What the verifier can do (ietf.dkim, msg#00594)
Paul Hoffman <phoffman@xxxxxxxxxx> writes:
> At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
>>Paul Hoffman wrote:
>>> It is up to the verifier to decide how much effort after the first
>>> attempt it wants to do. The cost to the verifier is doing multiple
>>> hashes, not doing multiple signature validations.
>>
>>Ummm, we don't currently run a hash of the headers, just the body.
>
> Umm, yes we do. See section 3.7:
> In hash step 2, the signer or verifier MUST pass the following to the
> hash algorithm in the indicated order.
>
> Digital signature algorithms almost always encrypt a hash of the data,
> not the data itself, because the encryption and decryption steps are
> so expensive.

I know it's pedantic, but it's important: digital signature
algorithms *sign* the hash. They do not, in general, encrypt it.
It's true that signature and encryption are similar in RSA, but
they're not the same in, e.g., DSA.

Also, while the performance reason is important, it's not the
only reason. Because signature algorithms can only process
small chunks of data, a digest lets you sign large blocks without
having to worry about gluing together the signatures somehow.

>>We
>>currently do the signature validation based on the actual headers, the
>>body hash, and the dkim-signature. So doing such a verification *would*
>>require multiple signature validations.
>
> A verifier using heuristics (not specified in the spec) would do the
> following:
>
> 1) Look at the hash in the signature.
>
> 2) Marshall the hash as specified in dkim-base.
>
> 3) Perform the hash function. See if the result is the same as the one
> from step 1.
> 3a) If yes, go to step 5.
> 3b) If no, go to step 4.
>
> 4) Modify the verifier's internal view of the message in some
> heuristic way and marshall the hash. Go to step 3.

This procedure only works if either:

(1) You place a copy of the message digest in the DKIM headers.
    Based on my reading of draft-allman-*, this is not the case in DKIM.
    It's not the case in S/MIME either, AFAIK.
(2) You have a signature algorithm with message recovery (meaning
    that you can extract the hash from the signature). Again, this
    is only true of RSA.

Otherwise you need to do a full signature verification for each
trial manipulation.

-Ekr
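
The cost difference discussed in this message, as an added example that is not part of the thread or of any DKIM implementation: with RSA message recovery the verifier pays one public-key operation and then one hash per heuristic trial, while a verify-only scheme pays a full verification per trial. The toy key, the simplified padding, the three heuristics and all names are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. NOT secure; demo only.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PAD = b"\x01" + b"\xff" * 8 + b"\x00"    # simplified padding, not full PKCS#1
pubkey_ops = 0                            # counts expensive public-key operations

def digest(msg):
    return hashlib.sha256(msg).digest()

def sign(msg):
    return pow(int.from_bytes(PAD + digest(msg), "big"), D, N)

def recover_digest(sig):
    """RSA message recovery: one public-key operation yields the signed digest."""
    global pubkey_ops
    pubkey_ops += 1
    em = pow(sig, E, N).to_bytes((N.bit_length() + 7) // 8, "big")
    return em[-32:] if em[:-32].lstrip(b"\x00") == PAD else None

def verify_only(msg, sig):
    """Models a scheme without recovery (e.g. DSA): each call pays full cost."""
    return recover_digest(sig) == digest(msg)

# Hypothetical step-4 heuristics: identity, LF->CRLF repair, drop appended footer.
HEURISTICS = [lambda m: m,
              lambda m: m if b"\r\n" in m else m.replace(b"\n", b"\r\n"),
              lambda m: m.split(b"\r\n-- \r\n")[0] + b"\r\n"]

def run_trials(received, sig, can_recover):
    """Return (index of the heuristic that verified, or None; public-key ops)."""
    global pubkey_ops
    pubkey_ops = 0
    if can_recover:
        want = recover_digest(sig)                # step 1, done once
        ok = lambda m: digest(m) == want          # steps 2-3: one hash per trial
    else:
        ok = lambda m: verify_only(m, sig)        # full verification per trial
    hit = next((i for i, h in enumerate(HEURISTICS) if ok(h(received))), None)
    return hit, pubkey_ops

SIGNED = b"Subject: hi\r\n\r\nbody text\r\n"      # constructed sample message
RECEIVED = SIGNED + b"-- \r\nlist footer\r\n"     # footer appended in transit
SIG = sign(SIGNED)

if __name__ == "__main__":
    print(run_trials(RECEIVED, SIG, True), run_trials(RECEIVED, SIG, False))
```

Both runs accept the message on the third heuristic; the public-key operation count is 1 with recovery and 3 without, and the gap grows with the number of trials.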